允许获取请求，但只在我的域中？ [英] Allow Get request but only in my domain?

问题描述

在我的网站上，我可以使用GET请求触发某些事情，例如隐藏或删除评论的功能。我不是很担心，但是如果有人使用img src = url设计攻击来删除评论或电子邮件，这将是非常恼火。有没有办法防止这种情况？

On my site i can trigger certain things using GET request like the ability to hide or delete a comment. I am not very worried but it would be pretty annoying if someone design an attack using img src= url to delete comments or emails. Is there a way to prevent this?

我使用httponlycookies作为登录数据。如果有人做img src或变体，请求会提交有效的登录Cookie吗？我应该使用POST而不是？ POST会使网站缓慢吗？有很少的cookie，所以浏览器可以提交cookie和POST一个包，但我不知道POST和cookies是否必须分开。

I am using httponlycookies for the login data. if someone does img src or a variant would the request submit valid login cookies? should i use POST instead? Would POST slow the site down? There are very little cookies so a browser may submit cookies and POST with one packet however i dont know if POST and cookies must be seperate.

所有这些答案似乎有所以我会把它变成一个维基，让人们可以更多的知情，而不是看接受的答案。

all of these answers seem to have something to consider not mentioned in the other 3. So i'll turn this into a wiki so people can be more informed instead of looking at accepted answer.

推荐答案

您在这里混淆了几个常见问题。

You have confused a couple of common issues here.

首先，其他人已经注意到的攻击是跨站点请求伪造。可能会导致来自其他网域的GET或POST，并且因为请求将转到您的域，它会通过包含会话详细信息的您的域的Cookie。

Firstly, the attack as others have noted is called is a cross-site request forgery. It is possible to cause either GETs or POSTs from another domain and because the request is going to your domain it will pass in the cookies for your domain which include the session details.

为了解决这个问题，当用户登录时，生成一个令牌（一些随机字符串），您的网站上的所有链接和表单在该会话期间传回。当请求进来时，从cookie中获取会话详细信息，并查找该会话应获得/ POSTed的令牌。如果没有通过正确的令牌，则可以忽略请求/通知用户/日志详细信息以进行进一步调查。我建议最后一个，因为当实施这个你可能会错过几个链接或形式，然后将无法工作。

To counter this, when a user logs in, generate a token (some random string of characters) that all links and forms on your site pass back during that session. When the request comes in, take the session details from the cookie and look up which token should GETted/POSTed for that session. If the correct token has not been passed then you can ignore the request/inform the user/log detail for further investigation. I'd recommend the last as when implementing this you may well miss a few links or forms which will then not work. Users may simply leave rather than taking the time to inform you of this.

其次，GET请求应该是安全的（即只是导致数据显示没有更改）并且POST应该用于所有数据改变请求。首先，如果蜘蛛管理跟随链接，导致蜘蛛不应该引起的更改。其次作为备份用户刷新页面 - 浏览器应该提醒他们，他们将重新提交请求，并做他们想做的继续。我说作为一个备份，因为所有的请求都应该以这样的方式来写，他们是无害/忽略，如果重新提交，即没有一个按钮，要求被删除的最后一个项目，而不是查找，最后项目的ID是1423并且具有删除1423的按钮请求;如果这是提交两次然后围绕您的验证，第二次应该注意到，项目1423已经不存在，也不会造成进一步的修改。

Secondly, GET requests should be safe (i.e. simply cause data to be displayed with no changes made) and POSTs should be used for all data altering requests. Firstly in case a spider manages to follow a link, causing changes that spiders shouldn't be causing. Secondly as a backup to the user refreshing the page - the browser should remind them that they will be resubmitting the request and do they want to continue. I say as a backup because all your requests should be written in such a way that they are harmless/ignored if resubmitted i.e. don't have a button that requests the last item to be deleted, instead look up that the id of the last item is 1423 and have the button request that 1423 is deleted; if this is submitted twice then the second time around your validation should notice that item 1423 is no longer there and cause no further changes.

这篇关于允许获取请求，但只在我的域中？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！