doubi5127 2011-04-05 22:15
Views: 188
Accepted

What is the best way to handle failed nonce validation?

I have a vague understanding of nonces but have a little confusion.

What is the correct response when nonce validation fails?

Under what circumstances could nonce validation fail? what is the risk to genuine users?

1 answer

  • dounuo9921 2011-04-05 22:29

    The goal of nonces with forms is generally twofold: to ensure the data is only submitted once, and to ensure the user actually does the submitting. The second point helps defend against cross-site request forgeries: http://en.wikipedia.org/wiki/Cross-site_request_forgery

    Dealing with them depends on the context. If a user is filling out a form and the nonce fails, refresh the page (pre-fill the data), say something benign like "Oops there was a problem, please check your input and submit again". A valid user can hit submit, an attack will be thwarted, or the user at least made aware of what's happening.

    Validation can fail for a few reasons. If you've got some form of browser cache enabled, a user visits one form (with a given nonce), then navigates to a different one (with its own nonce) and returns to the first via the back button, the nonce will likely fail. By allowing the browser cache to occur they haven't refreshed the page, and your server is likely only storing a single valid nonce for them in the session, so they won't match. A valid use case, and a failed nonce (not one I'd lose sleep over, just make sure the form is re-populated).

    By and large my recommendation would be: Tell the user to submit again, subtly imply they should check their input, make it easy to submit again.

    This answer was accepted by the asker.
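As an added example (not code from the original post), here is one way to implement the answer's advice in Python: a per-session store that keeps several outstanding single-use nonces, so the back-button case the answer describes still validates, compares them in constant time, and on failure re-renders the form with the user's input and a benign message. The class and function names (`FormNonces`, `handle_submit`) are hypothetical.

```python
import hmac
import secrets
import time

class FormNonces:
    """Per-session store of outstanding form nonces (hypothetical helper).
    Several nonces stay valid at once so a form reached via the back button
    still validates; each nonce is single-use and expires after ttl_seconds."""

    def __init__(self, max_outstanding=5, ttl_seconds=3600, clock=time.time):
        self._nonces = {}            # nonce -> time issued
        self.max_outstanding = max_outstanding
        self.ttl = ttl_seconds
        self._clock = clock          # injectable for testing

    def issue(self):
        """Create a fresh nonce for a rendered form, dropping expired ones
        and evicting the oldest when the store is full."""
        now = self._clock()
        self._nonces = {n: t for n, t in self._nonces.items() if now - t <= self.ttl}
        while len(self._nonces) >= self.max_outstanding:
            del self._nonces[min(self._nonces, key=self._nonces.get)]
        nonce = secrets.token_urlsafe(32)
        self._nonces[nonce] = now
        return nonce

    def consume(self, submitted):
        """Return True exactly once for a valid, unexpired nonce; False otherwise.
        Uses a constant-time comparison so timing does not leak valid nonces."""
        if not isinstance(submitted, str) or not submitted.isascii():
            return False
        now = self._clock()
        for nonce, issued in list(self._nonces.items()):
            if hmac.compare_digest(nonce, submitted):
                del self._nonces[nonce]      # single use, even if expired
                return now - issued <= self.ttl
        return False

def handle_submit(store, form_data):
    """Handle a form POST. On nonce failure, re-render with the user's input
    pre-filled, a new nonce, and a benign message, as the answer recommends."""
    if not store.consume(form_data.get("nonce")):
        return {"status": "retry",
                "nonce": store.issue(),
                "fields": {k: v for k, v in form_data.items() if k != "nonce"},
                "message": "Oops there was a problem, please check your input and submit again."}
    return {"status": "ok"}
```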
