dongpo0409
2013-11-15 19:38
Views: 121
Accepted

CSRF session token invalid

My session is not being set and I'm not sure why...

public static function generate( $key )
{
    $extra = self::$doOriginCheck ? sha1( $_SERVER['REMOTE_ADDR'] . $_SERVER['HTTP_USER_AGENT'] ) : '';
    $token = base64_encode( time() . $extra . self::randomString( 32 ) );
    $_SESSION[ 'csrf_' . $key ] = $token;
    return $token;
}

I use that to generate a key. On my log in form, after including my session file, I use:

$token = CSRF::generate("token"); // class name is CSRF

I then use $token as a hidden value which is submitted along with the form.

Now to check it, I use a function called check() (this is the part where the exception is thrown):

public static function check( $key, $origin, $throwException=false, $timespan=null, $multiple=false )
{
    if ( !isset( $_SESSION[ 'csrf_' . $key ] ) )
        if($throwException)
            throw new Exception( 'Missing session token.' );
        else
            return false;
    ....

I'm checking it as following:

CSRF::check($token, $_POST, true, 60*10, false);

($token is the token submitted). Why is it not saving the token in the session?



1 answer

  • dozr162106 2013-11-15 19:41
    Accepted

    You're passing $token in as the first parameter for CSRF::check(). Surely, it should be:

    CSRF::check('token', $_POST, true, 60*10, false);
    

    instead of

    CSRF::check($token, $_POST, true, 60*10, false);
    

    Seeing as you're setting the key as 'token' in CSRF::generate? Otherwise:

    if ( !isset( $_SESSION[ 'csrf_' . $key ] ) )
    

    will be something like:

    if ( !isset( $_SESSION[ 'csrf_hed97988hdbnbnuihg07dede89723tg7yihoi3dh' ] ) )
    
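To make the answer's point concrete, here is an added, self-contained PHP illustration (not the asker's class and not any library's API) of a generate()/check() pair where the session entry is named after a key and the token value travels in the form. The class name CsrfDemo, the array-shaped session entry and the constructed $post body are assumptions for the walk-through; a plain array stands in for $_SESSION so the script runs from the CLI without session_start(). Calling check() with the token value as the key looks up a session entry that was never written and fails, exactly as in the question, while calling it with the key name 'token' succeeds.

```php
<?php
// Added illustration (assumed names, not the asker's code): CSRF tokens are stored
// under $_SESSION['csrf_' . $key]; check() must receive that same $key, never the token.
final class CsrfDemo
{
    private const PREFIX = 'csrf_';

    // Generate a token, store it in the session under csrf_<key>, and return it
    // so the caller can put it in a hidden form field named <key>.
    public static function generate(string $key): string
    {
        $token = bin2hex(random_bytes(32));          // CSPRNG, 64 hex chars
        $_SESSION[self::PREFIX . $key] = [
            'value'   => $token,
            'created' => time(),
        ];
        return $token;
    }

    // $key: the name given to generate(); $origin: the submitted form array ($_POST);
    // $timespan: maximum token age in seconds, or null for no expiry.
    public static function check(string $key, array $origin, ?int $timespan = null): bool
    {
        $sessionKey = self::PREFIX . $key;
        if (!isset($_SESSION[$sessionKey], $origin[$key])) {
            return false;                            // nothing issued, or nothing submitted
        }
        $stored = $_SESSION[$sessionKey];
        if ($timespan !== null && time() - $stored['created'] > $timespan) {
            unset($_SESSION[$sessionKey]);           // expired: discard it
            return false;
        }
        $ok = hash_equals($stored['value'], (string) $origin[$key]); // constant-time compare
        unset($_SESSION[$sessionKey]);               // single use: consume on any outcome
        return $ok;
    }
}

// Constructed walk-through; an ordinary array stands in for a started session.
$_SESSION = [];
$token = CsrfDemo::generate('token');   // form would emit <input type="hidden" name="token" value="...">
$post  = ['token' => $token];           // constructed POST body

// Wrong call, as in the question: the token value is used as the key, so check()
// looks for $_SESSION['csrf_<token>'], which generate() never wrote.
var_dump(CsrfDemo::check($token, $post, 60 * 10));

// Correct call: the key name matches the one passed to generate().
var_dump(CsrfDemo::check('token', $post, 60 * 10));

// A replay of the same token fails because the session entry was consumed.
var_dump(CsrfDemo::check('token', $post, 60 * 10));
```

Two choices worth keeping in a real implementation: hash_equals() avoids a timing side channel that a plain == comparison would leak, and consuming the session entry on every check() call prevents one token from being replayed within its lifetime.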
