dongzuoyue6556 2015-06-30 16:20
浏览 144
已采纳

为匿名用户使用CSRF保护是否有意义?

Should CSRF protection be used for anonymous users, or does that defeat its purpose?

I have a URL that can be accessed anonymously. When the URL is accessed with the appropriate information, some values are updated in my database. For example, a client can place some code on their order confirmation page that will make a POST request to http://example.com/save-request with the following data sent:

{orderId: 1234, referralCode: 'ABCDEF'}

When I receive this request, I update the given order in my database with the referral code:

$order = Order::find(Input::get('orderId'));
$order->referral_code = Input::get('referralCode');
$order->save();

I am trying to protect this URL from abuse so that a user can't send requests for random Order IDs and try to get their referral code associated to them.

CRSF protection comes to mind, but that would mean I need to first fetch the token, which would require another public URL. It seems like that would make it slightly harder for abuse, but still possible since the abuser can simply fetch a token, and then make requests as normal.

Are there any strategies to protect against this sort of abuse?

  • 写回答

2条回答 默认 最新

  • dosc9472 2015-06-30 16:54
    关注

    CSRF is meant to protect authenticated sessions. The basic idea is: the server provides a CSRF token to the client for all authenticated sessions. The client should pass the same CSRF token to the server with each subsequent request. So if a request came without the token, the server should ignore / log it. Your CSRF token should ideally only be passed to the client upon authentication. If there's a separate URL to get the CRSF token, it becomes pointless.

    In your case, since the users are always anonymous at "order confirmation", CSRF protection would not be too applicable. I think the best strategy would be to model the data and your API such that each "order confirmation" is one atomic request with an optional "referralCode". Your API function/endpoint, possibly /confirm-order, can then take referralCode and save it into the Order object, along with any other confirmation processing logic. The API function/endpoint to edit order, maybe /edit-order, should require authentication. Then, the standard CSRF protection applies.

    However, if your intention is to allow anonymous users to change their order details including referralCode, you can mitigate abuse by tracking changes, and allowing only a maximum number of changes. You may also add in some time restriction if it helps.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(1条)

报告相同问题?

悬赏问题

  • ¥15 关于#hadoop#的问题
  • ¥15 (标签-Python|关键词-socket)
  • ¥15 keil里为什么main.c定义的函数在it.c调用不了
  • ¥50 切换TabTip键盘的输入法
  • ¥15 可否在不同线程中调用封装数据库操作的类
  • ¥15 微带串馈天线阵列每个阵元宽度计算
  • ¥15 keil的map文件中Image component sizes各项意思
  • ¥20 求个正点原子stm32f407开发版的贪吃蛇游戏
  • ¥15 划分vlan后,链路不通了?
  • ¥20 求各位懂行的人,注册表能不能看到usb使用得具体信息,干了什么,传输了什么数据