单页应用程序和 CSRF 令牌 [英] Single Page Application and CSRF Token

问题描述

我需要使用具有 Rails CSRF 保护机制的单页应用程序(React、Ember、Angular，我不在乎).

I need to use a Single Page Application (React, Ember, Angular, I don't care) with Rails CSRF protection mechanism.

我想知道是否需要像这样在 ApplicationController 中创建一个令牌:

I'm wondering if I need to create a token evey time in the ApplicationController like this:

class ApplicationController < ActionController::Base

  after_action :set_csrf_cookie

  def set_csrf_cookie
    cookies["X-CSRF-Token"] = form_authenticity_token
  end

end

或者我可以只创建一次令牌.

每个会话还是每个(非 GET)请求?

Per session or per (non-GET) request?

我认为令牌在会话有效之前仍然有效，对吗?

I think the token is still valid until the session is valid, right?

澄清:

每次浏览页面时，我都会看到 Rails 默认应用程序(服务器呈现的页面)更新 csrf-token.所以每次都变了.

I see Rails default application (server-rendered pages) update csrf-token each time I navigate a page. So every time it changes.

因此，在我的情况下，如果我为每个 after_action 创建一个新令牌，则之前的 CSRF 令牌仍然适用于该会话.那么，如何使之前的令牌失效呢?我必须吗?

So in my situation if I create a new token for each after_action the previous CSRF-Token is still good for that session. So, how to invalidate the previous token? I have to?

因为只有我将其无效才有意义，对吗?

Because only if I invalidate it makes sense, right?

推荐答案

客户端 (SPA)

您只需每个会话一次获取 CSRF 令牌.您可以在浏览器中保留它并在每个(非 GET)请求中发送它.

Client side (SPA)

You only need to grab the CSRF token once per session. You can hold onto it in the browser and send it on every (non-GET) request.

Rails 似乎会在每个请求上生成一个新的 CSRF 令牌，但它会接受来自该会话的任何生成的令牌.实际上，它只是对每个请求使用一次性填充来屏蔽单个令牌，以防止 SSL BREACH 攻击.更多详情请访问 https://stackoverflow.com/a/49783739/2016618.您无需跟踪/存储这些令牌.

Rails will appear to generate a new CSRF token on every request, but it will accept any generated token from that session. In reality, it is just masking a single token using a one-time pad per request, in order to protect against SSL BREACH attack. More details at https://stackoverflow.com/a/49783739/2016618. You don't need to track/store these tokens.

我强烈建议使用 Rails 的 protect_from_forgery 指令，而不是自己在标头中编码 CSRF 令牌.它将为每个请求生成不同的掩码令牌.

I strongly suggest using Rails's protect_from_forgery directive rather than encoding the CSRF token in a header yourself. It will generate a different masked token per request.

你当然可以不用那么多代码自己重现这个，但我不明白你为什么需要这样做.

You can certainly reproduce this yourself with not that much code, but I don't see why you'd need to.

是的！如果您使用 cookie 进行身份验证，则需要 CSRF 保护.这是因为 cookie 随每个请求一起发送，因此恶意网站可以向您的站点发送 POST 请求并代表登录用户执行请求.CSRF 令牌阻止了这种情况，因为恶意站点不会知道 CSRF 令牌.

Yes! If you are authenticating with a cookie, you need CSRF protection. This is because cookies are sent with every request, so a malicious website could send a POST request to your site and perform requests on behalf of a logged in user. The CSRF token prevents this, because the malicious site won't know the CSRF token.

这篇关于单页应用程序和 CSRF 令牌的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！