dongzuoyue6556 2015-06-30 16:20
144 views
Accepted

Does it make sense to use CSRF protection for anonymous users?

Should CSRF protection be used for anonymous users, or does that defeat its purpose?

I have a URL that can be accessed anonymously. When the URL is accessed with the appropriate information, some values are updated in my database. For example, a client can place some code on their order confirmation page that will make a POST request to http://example.com/save-request with the following data sent:

{orderId: 1234, referralCode: 'ABCDEF'}

When I receive this request, I update the given order in my database with the referral code:

// Laravel/Eloquent: look up the order by the client-supplied id and store the referral code
$order = Order::find(Input::get('orderId'));
$order->referral_code = Input::get('referralCode');
$order->save();

I am trying to protect this URL from abuse so that a user can't send requests for random Order IDs and try to get their referral code associated with them.

CSRF protection comes to mind, but that would mean I need to first fetch the token, which would require another public URL. It seems like that would make it slightly harder for abuse, but still possible since the abuser can simply fetch a token, and then make requests as normal.

Are there any strategies to protect against this sort of abuse?


2 answers

  • dosc9472 2015-06-30 16:54

    CSRF is meant to protect authenticated sessions. The basic idea is: the server provides a CSRF token to the client for all authenticated sessions. The client should pass the same CSRF token to the server with each subsequent request. So if a request came without the token, the server should ignore / log it. Your CSRF token should ideally only be passed to the client upon authentication. If there's a separate URL to get the CSRF token, it becomes pointless.

    In your case, since the users are always anonymous at "order confirmation", CSRF protection would not be too applicable. I think the best strategy would be to model the data and your API such that each "order confirmation" is one atomic request with an optional "referralCode". Your API function/endpoint, possibly /confirm-order, can then take referralCode and save it into the Order object, along with any other confirmation processing logic. The API function/endpoint to edit order, maybe /edit-order, should require authentication. Then, the standard CSRF protection applies.

    However, if your intention is to allow anonymous users to change their order details including referralCode, you can mitigate abuse by tracking changes, and allowing only a maximum number of changes. You may also add in some time restriction if it helps.

    This answer was selected by the asker as the best answer.
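To make the two strategies from the accepted answer concrete, here is an added Python example; it is not code from the question or the answer and is not Laravel code. It models an order store where (1) order confirmation is one atomic request that may carry an optional referral code, and (2) anonymous referral-code changes after confirmation are tracked and limited to a maximum count within a time window. The names OrderStore, confirm_order and update_referral, the limits MAX_REFERRAL_CHANGES and CHANGE_WINDOW_SECONDS, and the in-memory dictionary standing in for the database are all assumptions made for the example.

```python
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumed policy values for the example: how many anonymous referral-code
# changes an order may receive, and for how long after confirmation.
MAX_REFERRAL_CHANGES = 2
CHANGE_WINDOW_SECONDS = 24 * 3600


@dataclass
class Order:
    order_id: int
    created_at: float
    referral_code: Optional[str] = None
    referral_changes: int = 0  # anonymous edits applied after confirmation


@dataclass
class OrderStore:
    """In-memory stand-in for the database table in the question (assumption)."""
    _orders: Dict[int, Order] = field(default_factory=dict)
    # Change log: (order_id, referral_code, timestamp, outcome) for every
    # anonymous update attempt, accepted or not; this is the "tracking"
    # the answer recommends and is what you would review for abuse.
    audit_log: List[Tuple[int, str, float, str]] = field(default_factory=list)

    def get(self, order_id: int) -> Optional[Order]:
        return self._orders.get(order_id)

    def confirm_order(self, order_id: int, referral_code: Optional[str] = None,
                      now: Optional[float] = None) -> Order:
        """Strategy 1: confirmation is a single atomic request that may carry
        the referral code, so no separate anonymous save-request URL is needed."""
        ts = time.time() if now is None else now
        order = Order(order_id=order_id, created_at=ts, referral_code=referral_code)
        self._orders[order_id] = order
        return order

    def update_referral(self, order_id: int, referral_code: str,
                        now: Optional[float] = None) -> str:
        """Strategy 2: if anonymous edits must be allowed, cap their number and
        restrict them to a time window after confirmation. Returns an outcome
        string: "ok", "unknown_order", "too_many_changes" or "window_expired"."""
        ts = time.time() if now is None else now
        order = self._orders.get(order_id)
        if order is None:
            # Guessed order ids land here; they are logged, not silently dropped.
            self.audit_log.append((order_id, referral_code, ts, "unknown_order"))
            return "unknown_order"
        if ts - order.created_at > CHANGE_WINDOW_SECONDS:
            self.audit_log.append((order_id, referral_code, ts, "window_expired"))
            return "window_expired"
        if order.referral_changes >= MAX_REFERRAL_CHANGES:
            self.audit_log.append((order_id, referral_code, ts, "too_many_changes"))
            return "too_many_changes"
        order.referral_code = referral_code
        order.referral_changes += 1
        self.audit_log.append((order_id, referral_code, ts, "ok"))
        return "ok"


if __name__ == "__main__":
    store = OrderStore()
    # Constructed sample traffic: one confirmation carrying the code, then
    # repeated anonymous edits against another order.
    store.confirm_order(1234, "ABCDEF", now=1000.0)
    store.confirm_order(1235, now=1000.0)
    for code in ("AAA", "BBB", "CCC"):
        print(1235, code, store.update_referral(1235, code, now=1001.0))
    print("unknown id:", store.update_referral(9999, "XYZ", now=1001.0))
    print("rejected attempts:", [e for e in store.audit_log if e[3] != "ok"])
```

The outcome strings are returned rather than raised so the calling endpoint can decide whether to answer with a generic error (so that a caller cannot tell valid order ids from invalid ones) while the audit log keeps the detail for the operator.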
