将URL中的令牌置于安全的位置以防止PHP应用程序中的CSRF攻击？ [英] is putting token in URL secure to prevent CSRF attacks in PHP applications?

问题描述

我想使用令牌来防止我的网站（使用PHP编写）的CSRF攻击。我使用它的形式，它运作良好。但注销链接不是表单;它只是一个超链接。

如果我把这个标记放在查询字符串中是否安全：

 < a href =logout.php？token = 9ae328eea8a72172a2426131a6a41adb>注销< / a> 
  

如果有任何问题，您的建议和解决方案是什么？

解决方案

我认为在GET请求中使用CSRF令牌的主要缺点之一是无能的用户通过复制带有令牌的链接并粘贴它在一些公共内容中，比如comment / post / etc ...还有GET请求参数，包括通常由HTTP服务器/代理服务器记录的CSRF标记，它引入了另一个风险。

所以我建议你使用类似这样的方式来实现CSRF安全链接：

 < form name =logoutaction = logout.phpmethod =post> 
< input type =hiddenname =tokenvalue =9ae328eea8a72172a2426131a6a41adb/> 
< / form> 
 ... 
< a href =/ nojs.htmlonclick =document.logout.submit（）; return false>注销< / a> 
  

I want to use a token to prevent CSRF attacks on my website (written with PHP). I've used it in forms and it works well. But logout link is not a form; It is only a hyperlink.
Is it secure if I put the token in the query string like this:

<a href="logout.php?token=9ae328eea8a72172a2426131a6a41adb">Logout</a>

If it has any problem, what is your suggestions and solutions ?

解决方案

I think one of main disadvantages of using CSRF-token in GET requests is possibility of incompetent user to easily disclose his token by copying a link with the token and paste it in some public content like a comment/post/etc... Also GET query parameters including CSRF-tokens usually logged by HTTP servers/proxies and it introduces another risk.

So I suggest you to implement CSRF-secure links using something like this:

<form name="logout" action="logout.php" method="post">
<input type="hidden" name="token" value="9ae328eea8a72172a2426131a6a41adb"/>
</form>
...
<a href="/nojs.html" onclick="document.logout.submit(); return false">Logout</a>

这篇关于将URL中的令牌置于安全的位置以防止PHP应用程序中的CSRF攻击？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！