I have a vague understanding of nonces but have a little confusion.
What is the correct response when nonce validation fails?
Under what circumstances could nonce validation fail? what is the risk to genuine users?
1条回答 默认 最新
dounuo9921 2011-04-05 22:29关注The goal of nonces with forms is generally two fold: to ensure the data is only submitted once, and to ensure the user actually does the submitting. The second point helping defend against cross site request forgeries: http://en.wikipedia.org/wiki/Cross-site_request_forgery
Dealing with them depends on the context. If a user is filling out a form and the nonce fails, refresh the page (pre-fill the data), say something benign like "Oops there was a problem, please check your input and submit again". A valid user can hit submit, an attack will be thwarted, or the user at least made aware of what's happening.
Validation can fail for a few reasons. If you've got some form of browser cache enabled, a user visits one form (with a given nonce), then navigates to a different one (with it's own nonce) and returns to the first via the back button the nonce will likely fail. By allowing the browser cache to occur they haven't refreshed the page, and your server is likely only storing a single valid nonce for them in the session so they wont match. A valid use case, and a failed nonce (not one I'd lose sleep over, just make sure the form is re-populated).
By and large my recommendation would be: Tell the user to submit again, subtly imply they should check their input, make it easy to submit again.
本回答被题主选为最佳回答 , 对您是否有帮助呢?解决 无用评论 打赏举报
分享
- 2011-04-05 22:15回答 1 已采纳 The goal of nonces with forms is generally two fold: to ensure the data is only submitted once, an
- 2019-09-12 05:31回答 1 已采纳 Found it. AAD is the RSA public key in ASN.1 DER format.
- 2016-03-21 12:25回答 1 已采纳 可能是微信的服务器没有能够及时响应,你可以在浏览器的开发者模式中查看,网络的数据传输时间,可以找出原因。换台机器,或者过段时间再重新验证。(在你什么都没错的前提下)
- 2021-04-12 22:05太远有一点点的博客 php token验证失败的解决办法:1、保障添加的服务器是联通,并且url是能够访问;2、token不能重复;3、服务器上的token要改时,要和配置表单上的一致。php token验证失败的解决办法:这里附上配置表单,token验证...
- 2013-10-24 05:59回答 3 已采纳 <?php session_start(); //Check nonce against session if(isset($_POST) && $_POST["nonce"] === $_
- 2019-08-05 08:34回答 1 已采纳 According to WP codex: The nonce field is used to validate that the contents of the form reque
- 2014-10-30 22:57回答 2 已采纳 A small typo, use 'security': params.nonce instead of 'security:': params.nonce
- 2021-04-26 11:24河岸的翁的博客 由于通过Ajax异步更新数据仅仅部分页面刷新数据,就导致了令牌Token不能得到更新,紧接着的第二次新建或更新数据(提交表单时)失败——不能通过令牌的验证。当然了,最简单的办法就是刷新整个页面,就导致了异步刷新...
- 2018-05-16 06:05回答 1 已采纳 I needed to use this: add_action( 'wp_footer', 'my_styles_scripts' ); not add_action( 'wp_en
- 2011-10-05 20:46回答 2 已采纳 I will restrict my answer to the use of random IV. I assume that you are using Cipher Block Chaini
- 2018-11-08 19:51回答 2 已采纳 我真晕,第一次验证通过后把它给注释了,您能否发一下完整代码我参考一下,
- 2021-04-27 09:39weixin_39880666的博客 我在新浪sae申请了账号之后创建了一个应用作为测试微信接口使用,代码用的都是官方教程的,但是在提交服务器配置的时候不是连接失败就是token验证失败,地址和token我确认没有填写错误,实在找不出原因。于是我在...
- 2016-04-04 11:33回答 1 已采纳 Browsers send credentials given before again on a new request. To ask the browsers for new credent
- 2021-01-17 15:48网管实验室的博客 难度水平:初中级适用人群:对微信公众号开发有认知跟实践的童鞋阅读时间:8分钟缘起很久之前做过一次公众号的开发,当时就遇到了一个验证的小坑,但是由于时间紧任务急处理完了也就没在意,可谁知最近刚刚上马一个...
- 2021-04-12 22:05weixin_39712611的博客 如何解决php token验证失败的问题发布时间:2020-07-11 09:07:33来源:亿速云阅读:80作者:Leah这篇文章将为大家详细讲解有关如何解决php token验证失败的问题,文章内容质量较高,因此小编分享给大家做个参考,...
- 2018-03-30 10:51he_Lucian的博客 这里附上配置表单,我傻逼一开始不知道什么意思,以为填写了url 和令牌 就可以成功 谁知道一直出现 ,token验证失败的信息。后来看了下文档,如下要返回参数给微信,返回成功则成为开发者;所以我准备的一下代码...
- 2020-09-01 22:01culi4814的博客 Nonce could not be verified - bail wp_die( __( 'Invalid nonce specified', $this->plugin->name ), __( 'Error', $this->plugin->name ), array( 'response' => 403, 'back_link' => 'admin.php?...
- 2020-04-27 17:14奥特曼不想打小怪兽的博客 公众平台配置信息 下方为代码,可一直...此处最好填第二参数 $tmpStr = implode( $tmpArr ); $tmpStr = sha1( $tmpStr ); if( $tmpStr == $signature ){ return true; }else{ return false; } } } 关注成功的回调及事件
- 2021-04-28 05:01weixin_39783633的博客 1. 设置微擎上的支付参数2... PHP发起支付[http://s.we7.cc/index.php?c=wiki&do=view&id=1&list=363]()public function doMobilePay() {//获取用户要充值的金额数$fee = floatval($_GPC['money']);if($...
- 没有解决我的问题, 去提问
