How to Check Authenticity of an AJAX Request

Problem description

I am designing a web site in which users solve puzzles as quickly as they can. JavaScript is used to time each puzzle, and the number of milliseconds is sent to the server via AJAX when the puzzle is completed. How can I ensure that the time received by the server was not forged by the user?

I don't think a session-based authenticity token (the kind used for forms in Rails) is sufficient because I need to authenticate the source of a value, not just the legitimacy of the request.

Is there a way to cryptographically sign the request? I can't think of anything that couldn't be duplicated by a hacker. Is any JavaScript, by its exposed, client-side nature, subject to tampering? Am I going to have to use something that gets compiled, like Flash? (Yikes.) Or is there some way to hide a secret key? Or something else I haven't thought of?

Update: To clarify, I don't want to penalize people with slow network connections (and network speed should be considered inconsistent), so the timing needs to be 100% client-side (the timer starts only when we know the user can see the puzzle). Also, there is money involved so no amount of "trusting the user" is acceptable.

Recommended answer

This approach obviously makes assumptions and is not invincible. All calculations are done on the client, and the server does some background checks to find out if the request could have been forged. Like any other client-based approach, this is not deterministic but makes it very hard for a lying client.

The main assumption is that long-lived HTTP connections are much faster for transmitting data, even negligible in some cases depending on the application context. It is used in most online trading systems as stock prices can change multiple times within a second, and this is the fastest way to transmit current price to users. You can read up more about HTTP Streaming or Comet here.

Start by creating a full-duplex ajax connection between the client and server. The server has a dedicated line to talk to the client, and the client can obviously talk to the server. The server sends the puzzle, and other messages to the client on this dedicated line. The client is supposed to confirm the receipt of each message to the server along with its local timestamp.

On the server generate random tokens (could be just distinct integers) after the puzzle has been sent, record the time when each token was generated, and pass it over to the client. The client sees the message, and is supposed to immediately relay this token back along with its local time of receipt. To make it unpredictable for the client, generate these server tokens at random intervals, say between 1 and n ms.

There would be three types of messages that the client sends to the server:

PUZZLE_RECEIVED
TOKEN_RECEIVED
PUZZLE_COMPLETED

And two types of messages that the server sends to the client:

PUZZLE_SENT
TOKEN_SENT

There could be a lot of time variation in the messages sent from the client to the server, but much less in the other direction (and that's a very fair assumption, hey - we have to start somewhere).

Now when the server receives a receipt to a message it sent, record the client time contained in that message. Since the token was also relayed back in this message, we can match it with the corresponding token on the server. At the end of the puzzle, the client sends a PUZZLE_COMPLETED message with local time to the server. The time to complete the puzzle would be:

PUZZLE_COMPLETED.time - PUZZLE_RECEIVED.time

Then double check by calculating the time difference in each message's sent vs received times.

PUZZLE_RECEIVED.time - PUZZLE_SENT.time
TOKEN_RECEIVED.time - TOKEN_SENT.time

A high variance in these times implies that the response could have been forged. Besides simple variance, there is lots of statistical analysis you can do on this data to look for odd patterns.