duanguangsong2380 2012-08-25 00:21
浏览 494
已采纳

在PHP中防止CSRF攻击的最佳方法

What is the best way to protect again CSRF attacks in PHP.

It has been recommend to use form tokens, so basically generate a random value and store it in a hidden field. Then also store this random value in the users session.

Finally in the form action, make sure the session and form token match.

if($_SESSION['token'] !== $_POST['token']) {
   die("bad... spanking...");
}

Is there a better/easier way, as this requires a lot of code modification in my application (lots of forms and actions).

  • 写回答

1条回答 默认 最新

  • doufang8282 2012-08-25 00:24
    关注

    No. To protect against CSRF, you need to make sure you only trust credentials that are automatically appended to requests (like cookies) when you have reason to believe that the user actually submitted your form. The only way to do that is to have the form carry some kind of secret that the server uses to authorize processing.

    If you use a framework or library to compose your form it might help by generating the random number, setting the cookie or session property, and adding the hidden input to your form but those three steps do need to happen.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 k8s部署jupyterlab,jupyterlab保存不了文件
  • ¥15 ubuntu虚拟机打包apk错误
  • ¥199 rust编程架构设计的方案 有偿
  • ¥15 回答4f系统的像差计算
  • ¥15 java如何提取出pdf里的文字?
  • ¥100 求三轴之间相互配合画圆以及直线的算法
  • ¥100 c语言,请帮蒟蒻写一个题的范例作参考
  • ¥15 名为“Product”的列已属于此 DataTable
  • ¥15 安卓adb backup备份应用数据失败
  • ¥15 eclipse运行项目时遇到的问题