这是一种防止跨站点请求伪造（CSRF）攻击的安全方法？ [英] Is this a secure way to prevent Cross-site Request Forgery (CSRF) attacks?

问题描述

我们的应用程序是：

• 每个用户都必须登录


• 服务器，并且如果授权用户返回SPA应用程序。


• SPA应用程式完全是AJAX


• HTTPS

通常我们会发送一个 sessionid cookie和一个 csrftoken cookie。令牌cookie值将作为x-header包含在任何AJAX帖子上，并在每个请求上在服务器上验证所有内容。

由于SPA页面在返回之前构建到浏览器，我们可以嵌入任何我们喜欢的。我们希望最终用户能够登录多个标签，其中一个不会影响其他标签。

我们希望做什么：

• 像前面一样将sessionid作为cookie发送，但cookie名称将是随机的。


• 无csrftoken，而是在将x标头添加到AJAX帖子请求的javascript例程中嵌入随机Cookie名称。





这样，我们就可以从x-header中获取sessionid机会允许多个登录，每个登录具有唯一的 sessionid cookie名称，但每个post请求都有一个标准化的x-header名称。





这与sessionid cookie，csrftoken cookie / x-header方法一样安全吗？

解决方案

，添加一个攻击者无法从有效用户的会话中复制的标头是执行此操作的一种方法。





例如 X请求的使用 可以添加到每个AJAX请求（ JQuery在默认情况下执行此操作），您只需检查此标头是否存在，当请求接收服务器端。如果服务器通过CORS选择启用，则无法发送跨网域标头。





您可以将此标记与一个令牌 - 请在这里查看我的回答。





例如

  X请求使用：XMLHttpRequest; 0123456789ABCDEF 
  




Our app is thus:

• Every user must login
• login page posts back to server and if an authorized user a SPA app is returned.
• SPA app is totally AJAX
• HTTPS

Normally we would send a sessionid cookie and a csrftoken cookie. The token cookie value would get included as an x-header on any AJAX posts and everything verified on the server on each request.

As the SPA page is built before returning it to the browser we can embed whatever we like in it. We'd like the end user to be able to log in on multiple tabs, with one not affecting the others.

What we would rather do:

• send the sessionid as a cookie, like before, but the cookie name would be random.
• no csrftoken, but instead embed the random cookie name in the javascript routine that added the x-header to the AJAX post requests.
• the server would get the sessionid from the x-header.

This gives us the opportunity to allow multiple logons, with each logon having a unique sessionid cookie name, but every post request having a standardized x-header name.

Would this be as safe as the sessionid cookie, csrftoken cookie/x-header method?

解决方案

Yes, adding a header that an attacker has no way of replicating from a valid user's session is one way to do this.

e.g. X-Requested-With could be added to each AJAX request (JQuery does this by default) and you simply check that this header is present when the request is received sever side. This header cannot be sent cross-domain without the server opting in via CORS.

You could combine this with a token - see my answer here.

e.g.

X-Requested-With: XMLHttpRequest;0123456789ABCDEF

这篇关于这是一种防止跨站点请求伪造（CSRF）攻击的安全方法？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！