dongmeng9048 2017-03-15 05:19
浏览 39
已采纳

我可以使用会话cookie代替csrf吗?

I have been reading about csrf and fiddliN around with implementing it using go and gorilla toolkit. I am also using gorilla sessions which i have implemented to store a user id in an encrypted cookie.

the cookie is decrypted and i fetch the user from the db with the now unencrypted key-value store using a middleware I wrote...

if the user is creating the session cookie from authentication through an oauth2 provider, do i have any need to implement csrf protection if all the views that need such protection are only allowed to authed users anyway?

  • 写回答

1条回答 默认 最新

  • doujuan9698 2017-03-15 05:48
    关注

    Suppose a user has logged into your site, and has continued to browse the Internet in the same session. They stumble across another site which is maliciously targeting yours, with HTML or JS that causes the user's browser to make a request to an endpoint on your site. This will contain the user's session cookie for your domain, and succeed unless protected by a CSRF token.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 metadata提取的PDF元数据,如何转换为一个Excel
  • ¥15 关于arduino编程toCharArray()函数的使用
  • ¥100 vc++混合CEF采用CLR方式编译报错
  • ¥15 coze 的插件输入飞书多维表格 app_token 后一直显示错误,如何解决?
  • ¥15 vite+vue3+plyr播放本地public文件夹下视频无法加载
  • ¥15 c#逐行读取txt文本,但是每一行里面数据之间空格数量不同
  • ¥50 如何openEuler 22.03上安装配置drbd
  • ¥20 ING91680C BLE5.3 芯片怎么实现串口收发数据
  • ¥15 无线连接树莓派,无法执行update,如何解决?(相关搜索:软件下载)
  • ¥15 Windows11, backspace, enter, space键失灵