这是防止跨站点请求伪造 (CSRF) 攻击的安全方法吗? [英] Is this a secure way to prevent Cross-site Request Forgery (CSRF) attacks?
问题描述
我们的应用程序是这样的:
Our app is thus:
- 每个用户都必须登录
- 登录页面回发到服务器,如果是授权用户,则返回 SPA 应用程序.
- SPA 应用完全是 AJAX
- HTTPS
通常我们会发送一个 sessionid cookie 和一个 csrftoken cookie.令牌 cookie 值将作为 x-header 包含在任何 AJAX 帖子中,以及每个请求在服务器上验证的所有内容.
Normally we would send a sessionid cookie and a csrftoken cookie. The token cookie value would get included as an x-header on any AJAX posts and everything verified on the server on each request.
由于 SPA 页面是在将其返回到浏览器之前构建的,因此我们可以在其中嵌入我们喜欢的任何内容.我们希望最终用户能够登录多个选项卡,其中一个不影响其他.
As the SPA page is built before returning it to the browser we can embed whatever we like in it. We'd like the end user to be able to log in on multiple tabs, with one not affecting the others.
我们更愿意做什么:
- 像以前一样将 sessionid 作为 cookie 发送,但 cookie 名称将是随机的.
- 没有 csrftoken,而是在将 x-header 添加到 AJAX 发布请求的 javascript 例程中嵌入随机 cookie 名称.
- 服务器将从 x-header 中获取 sessionid.
这让我们有机会允许多次登录,每次登录都有一个唯一的 sessionid cookie 名称,但每个 post 请求都有一个标准化的 x-header 名称.
This gives us the opportunity to allow multiple logons, with each logon having a unique sessionid cookie name, but every post request having a standardized x-header name.
这会像 sessionid cookie、csrftoken cookie/x-header 方法一样安全吗?
Would this be as safe as the sessionid cookie, csrftoken cookie/x-header method?
推荐答案
是的,添加一个攻击者无法从有效用户会话中复制的标头是实现此目的的一种方法.
Yes, adding a header that an attacker has no way of replicating from a valid user's session is one way to do this.
例如X-Requested-With 可以添加到每个 AJAX 请求中(JQuery 默认这样做)并且您只需在服务器端收到请求时检查此标头是否存在.如果服务器不通过 CORS 选择加入,则无法跨域发送此标头.
e.g. X-Requested-With could be added to each AJAX request (JQuery does this by default) and you simply check that this header is present when the request is received sever side. This header cannot be sent cross-domain without the server opting in via CORS.
您可以将其与令牌结合使用 - 在此处查看我的答案.
You could combine this with a token - see my answer here.
例如
X-Requested-With: XMLHttpRequest;0123456789ABCDEF
这篇关于这是防止跨站点请求伪造 (CSRF) 攻击的安全方法吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
