dsfs21312
2016-03-17 09:40
浏览 38
已采纳

CORS - API身份验证:会话(CSRF安全) - 解决方案?

I am currently using the CORS method (ReWriting my external requests from example.com/api?param=args to example.com/api/public/api.php?param=args) and sending the get Request like so:

$.get('http://www.example.com/api'), { param: "args" })
    .done(function (data) {
        alert(data);
    });

This works absolutely fine and I can now Cross-Domain reference with Requests and responses to my API software.

I am now wondering, I set up a test request to try achieve a Session.

session_start();
if(isset($_GET['store'])):
    $_SESSION['key'] = $_GET['store'];
elseif(isset($_GET['show'])):
    echo $_SESSION['key'];
endif;

When I go to the link directly in my browser, this works fine however, when I send a request from the external domain, the second request seems to "forget" the Session key I stored.

Code:

$.get('http://www.example.com/api'), { store: "test" })
    .done(function () {
        $.get('http://www.example.com/api'), { show: "args" })
            .done(function (data) {
               alert(data);
        })
    });

Data is undefined

Is there a way I can make the server that is sending the requests actually "save" or "remember" the session on the API server or is there a way I can achieve this by using a work around?

Note that the API will be used by multiple people - like a plugin - and each key will be actually added once they send a Register param as a request with the admin details of there account so I need some sort of authentication to using the API and cannot actually think of a way around not using Session's or getting it to work using session's.

Please note also, if I am using session (as you can see like that), it creates a CRSF attack. Is there a work around this also?

图片转代码服务由CSDN问答提供 功能建议

我目前正在使用CORS方法(从 example.com/api?param=重写我的外部请求 args </ code>到 example.com/api/public/api.php?param=args </ code>)并发送get request,如下所示:</ p>

  $ .get('http://www.example.com/api'),{param:“args”})
 .done(function(data){
 alert(data); 
});  
 </ code> </ pre> 
 
 

这非常正常,我现在可以使用请求和对我的API软件的响应进行跨域引用。</ p>

I 我现在想知道,我设置了一个测试请求来尝试实现 Session </ code>。</ p>

  session_start(); 
if(isset($ _ GET ['  store'])):
 $ _SESSION ['key'] = $ _GET ['store']; 
elseif(isset($ _ GET ['show'])):
 echo $ _SESSION ['key'];  
endif; 
 </ code> </ pre> 
 
 

当我直接在我的浏览器中访问链接时,这工作正常,但是当我从外部域发送请求时,第二个请求似乎 “忘记”会话密钥</ code>我 ored。</ p>

代码:</ p>

  $ .get('http://www.example.com/api'),{store  :“test”})
 .done(function(){
 $ .get('http://www.example.com/api'),{show:“args”})
 .done(function)  (数据){
 alert(数据); 
})
}); 
 </ code> </ pre> 
 
 

数据未定义</ p> \ n </ blockquote>

有没有办法让发送请求的服务器实际上“保存”或“记住”API服务器上的会话,或者我有办法通过 使用解决方法?</ p>

请注意,API将由多个人使用 - 如插件 - 并且每个 key </ code>在发送< 代码>注册</ code> param作为请求与该帐户的管理员详细信息,所以我需要某种身份验证使用API​​,实际上不能想到一种方法不使用会话或让它使用会话的工作。</ p>

另请注意,如果我正在使用会话(您可以看到这样),那么 创建 CRSF攻击</ code>。 还有解决方法吗?</ p> </ div>

1条回答 默认 最新

相关推荐 更多相似问题