我需要一个CSRF令牌jQuery的阿贾克斯（）？ [英] Do I need a CSRF token for jQuery .ajax()?

问题描述

所以，我已经有了一个基本的阿贾克斯（）POST方法的PHP文件。

So I've got a basic .ajax() POST method to a PHP file.

什么安全措施是否需要？

What security measures do I need?

几个职位周围用你通过AJAX发送和验证在PHP文件中隐藏的MD5输入字段提。这是一个足够好的方法？

A few posts around were mentioning using a hidden MD5 input field that you send via AJAX and verify in the PHP file. Is this a good enough method?

推荐答案

从跨站请求伪造的风险在于外部站点可以将数据发送到你和用户的浏览器会自动随之发送的身份验证cookie。

The risk from CSRF is that an external site could send data to yours and the users browser will automatically send the authentication cookie along with it.

您需要的是某种方式接收操作（即你的 $。阿贾克斯（）方法发送POST数据）能够检查请求有来自另一个网站上的网页，而不是外部的网站。

What you need is some way for the receiving action (that your $.ajax() method is sending POST data to) to be able to check that the request has come from another page on your site, rather than an external site.

有几个方法可以做到这一点，但推荐的方法是将令牌添加到您可以检查和黑客无法到达的请求。

There are a couple of ways to do this, but the recommended way is to add a token to the request that you can check for and that the hackers can't get to.

目前最简单的：

• 在日志中创建一个长的随机字符串标记，并将其保存与用户。
• 添加参数传递给 $。阿贾克斯（）的要求，其中包括令牌。
• 在请求检查该标记已保存的用户匹配。
• 如果令牌不匹配，你有一个跨站请求伪造黑客。

• On log on create a long random string token and save it against the user.
• Add a parameter to the $.ajax() request that includes the token.
• On request check that the token matches the one that you have saved for the user.
• If the token doesn't match you have a CSRF hack.

黑客不能得到你的数据库，并不能实际阅读您发送给用户的页面（除非他们得到的XSS攻击，但那是另一个问题），所以不能欺骗令牌。

The hacker can't get to your DB and can't actually read the page you've sent to the user (unless they get an XSS attack in, but that's another problem) so can't spoof the token.

所有这些与令牌重要的是，你可以predict 的（和验证），它和黑客不能的。

All that matters with the token is that you can predict (and validate) it and that the hacker can't.

有关这个原因，它是最容易产生一些长期和随机并将其存储在数据库中，但你可以建立一些加密来代替。我不会只是MD5的用户名，虽然 - 如果CSRF攻击弄清楚如何生成的令牌，你会被砍死

For this reason it's easiest to generate something long and random and store it in the DB, but you could build up something encrypted instead. I wouldn't just MD5 the username though - if the CSRF attackers figure out how to generate your tokens you'll be hacked.

另一种方法是存储令牌处于一个cookie（而不是数据库），因为攻击者无法读取或更改你的cookies，只是使他们重新发送。然后你在HTTP POST数据令牌在Cookie匹配标记。

Another way is to store the token is in a cookie (rather than your database), as the attackers can't read or change your cookies, just cause them to be re-sent. Then you're the token in the HTTP POST data matches token in the cookie.

您可以让这些很多更复杂，例如一个改变每一个它的成功使用时间（preventing重新提交）或特定的用户和行动令牌令牌，但是这是基本格局。

You can make these a lot more sophisticated, for instance a token that changes every time it's successfully used (preventing resubmission) or a token specific to the user and action, but that's the basic pattern.

这篇关于我需要一个CSRF令牌jQuery的阿贾克斯（）？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！