Codeigniter CSRF - how does it work


Question

Recently I found out about CSRF attacks and was happy to find out that CSRF protection was added to Codeigniter v 2.0.0.

I enabled the feature and saw that a hidden input with a token is added in forms and I assume that it stores the token in a session too. On POST requests does CI automatically compare tokens or do I have to manually do that?

Answer

The CSRF token is added to the form as a hidden input only when the form_open() function is used.

A cookie with the CSRF token's value is created by the Security class, and regenerated if necessary for each request.

If $_POST data exists, the cookie is automatically validated by the Input class. If the posted token does not match the cookie's value, CI will show an error and fail to process the $_POST data.

So basically, it's all automatic - all you have to do is enable it in your $config['csrf_protection'] and use the form_open() function for your form.

A good article I found that explains it very well: http://www.beheist.com/index.php/en/blog/csrf-protection-in-codeigniter-2-0-a-closer-look
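The mechanism the answer describes is a double-submit cookie: the Security class puts the token in a cookie, form_open() echoes the same value as a hidden field, and the Input class compares the two on every request that carries POST data. Below is a standalone Python model of that flow, added here to make the check concrete; it is not CodeIgniter's code. The field and cookie names are assumed to match CI 2.0's default `csrf_token_name` / `csrf_cookie_name` settings, and the hex token format, the constant-time compare and the token rotation after a successful POST are modeling choices of this example.

```python
"""Model of the double-submit-cookie CSRF check described in the answer.

Not CodeIgniter code: the cookie jar and POST body are plain dicts so the
flow can run offline. Names below are assumed to mirror CI 2.0 defaults.
"""
import hmac
import html
import secrets

CSRF_TOKEN_NAME = "csrf_test_name"     # assumed $config['csrf_token_name'] default
CSRF_COOKIE_NAME = "csrf_cookie_name"  # assumed $config['csrf_cookie_name'] default
TOKEN_BYTES = 16                       # 32 hex chars on the wire (modeling choice)
_HEX = set("0123456789abcdef")


class CsrfError(Exception):
    """Raised where CodeIgniter would show its error page and drop the POST."""


def _fresh_token() -> str:
    return secrets.token_hex(TOKEN_BYTES)


def csrf_token(cookies: dict) -> str:
    """Return the current token, (re)creating the cookie if it is missing or malformed.

    Models the Security class: the token lives in a cookie, and that exact value
    is what form_open() embeds in the page.
    """
    tok = cookies.get(CSRF_COOKIE_NAME)
    if not isinstance(tok, str) or len(tok) != 2 * TOKEN_BYTES or set(tok) - _HEX:
        tok = _fresh_token()
        cookies[CSRF_COOKIE_NAME] = tok
    return tok


def form_open(cookies: dict, action: str) -> str:
    """Emit the <form> opening plus the hidden token field, like CI's form_open().

    A hand-written <form> tag would lack the hidden field and every POST
    through it would then fail csrf_verify(), which is the answer's point.
    """
    tok = csrf_token(cookies)
    return (
        f'<form action="{html.escape(action, quote=True)}" method="post">'
        f'<input type="hidden" name="{CSRF_TOKEN_NAME}" value="{tok}" />'
    )


def csrf_verify(method: str, cookies: dict, post: dict) -> bool:
    """The automatic check: compare the posted field with the cookie.

    GET requests (or an empty POST body) pass untouched. A POST passes only
    if both values are present and equal; otherwise CsrfError is raised.
    After a pass the cookie is rotated so a leaked token is single-use.
    """
    if method.upper() != "POST" or not post:
        return True
    posted = post.get(CSRF_TOKEN_NAME)
    cookie = cookies.get(CSRF_COOKIE_NAME)
    if not isinstance(posted, str) or not isinstance(cookie, str):
        raise CsrfError("missing CSRF token")
    # Constant-time compare on bytes so a timing side channel cannot leak the token.
    if not hmac.compare_digest(posted.encode(), cookie.encode()):
        raise CsrfError("CSRF token mismatch")
    cookies[CSRF_COOKIE_NAME] = _fresh_token()
    return True


if __name__ == "__main__":
    jar = {}                                   # the victim's browser cookies (constructed)
    print(form_open(jar, "/account/email"))    # page rendered by the site
    good = {CSRF_TOKEN_NAME: jar[CSRF_COOKIE_NAME], "email": "me@example.test"}
    print("legit POST:", csrf_verify("POST", jar, good))
    # A cross-site form cannot read the victim's cookie, so its guess never matches.
    forged = {CSRF_TOKEN_NAME: "0" * 32, "email": "attacker@example.test"}
    try:
        csrf_verify("POST", jar, forged)
    except CsrfError as e:
        print("forged POST rejected:", e)
```

The model shows why the protection is "all automatic" once enabled: the site never has to compare anything itself, but it does have to render the form through form_open() (or otherwise emit the hidden field), and any client that POSTs without the field, including AJAX code and a forged cross-site form, is rejected before the POST data is processed.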
