CSRF：我可以使用Cookie吗？ [英] CSRF: Can I use a cookie?

问题描述

将CSRF令牌放在cookie中是否可以？ （和在每种形式，作为一个隐藏的输入，所以我可以检查他们匹配，当然）我听说有人说，这样做，击败令牌的整个目的，虽然我不明白为什么。

Is it ok to put the CSRF token in a cookie? (and in every form, as a hidden input, so I can check if they match, of course) I heard someone say that doing so, beats the whole purpose of the token, though I don't understand why. It seems secure to me.

如果是安全的，是否比在网址中放置令牌安全？

And if it is secure, is it any less secure than puting the token in the URL's ?

有没有其他方法？

我在哪里可以阅读更多关于这个主题？

Where can I read more on the subject?

UPDATE ：到目前为止没有人能告诉我cookie方法是如何不安全的，如果它仍然必须匹配的形式的令牌，攻击者不应该能够得到，除非他使用另一个

UPDATE: So far no one can tell me how is the cookie method insecure, if it still has to match the token from the form, which the attacker shouldn't be able to get, unless he uses another hack like XSS, which is a different matter, and still doesn't make a difference between using cookie and url token.

UPDATE 2 ：这是一个不同的问题，但仍然不区分使用cookie和url令牌。好吧，似乎一些着名的框架使用这种方法，所以应该很好。感谢

UPDATE 2: Okay, seems like some famous frameworks use this method, so it should be fine. Thanks

推荐答案

使用Cookie的工作原理，是一种常见做法（例如 Django使用它）。由于同源策略，攻击者无法读取或更改cookie的值，因此无法猜出正确的GET / POST参数。

Using cookies works, and is a common practice (e. g. Django uses it). The attacker cannot read or change the value of the cookie due to the same-origin policy, and thus cannot guess the right GET/POST parameter.

这篇关于CSRF：我可以使用Cookie吗？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！