dorkahemp972157683 2019-01-14 16:19
Views: 128
Accepted

What is the point of CSRF token protection?

I have read a lot about this and I still don't understand it. Let's say I have a domain with a form available only for authenticated users to post comments on some kind of content:

my_form.php

<form action="post_comment.php" method="post">
  <textarea name="comment"></textarea>
  <input type="hidden" name="csrf_token" value="<?php print $csrf_token; ?>" />
  <input type="submit" value="Post" />
</form>

post_comment.php

<?php

  if(!isset($_POST['csrf_token']) || !CSRFToken::validate($_POST['csrf_token'])){
    print "Invalid CSRF-Token!";
    exit;
  }
  [...]
?>

The post_comment.php will reject any request if the "csrf_token" value is not sent or is not valid. So we are preventing attackers from using our post_comment.php.

BUT how to prevent the attacker to GET /my_form.php, read the csrf_token value from the form and POST to post_comment.php using it? What am I missing?
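The step the question is missing is that the token is bound to the victim's session: the attacker's page cannot read the victim's copy of my_form.php, because the browser's same-origin policy blocks reading cross-origin responses, and a token the attacker fetches directly belongs to the attacker's own session, so it fails validation when submitted from the victim's browser. As an added example (not the asker's code), here is one way the `CSRFToken` class named in the question could be implemented; the class and method names come from the question, the implementation is an assumption:

```php
<?php
// Added example (not the asker's code): a session-bound CSRF token.
// Why the attack described in the question fails:
//  - The attacker's site cannot read the response of GET /my_form.php as the
//    victim: the browser's same-origin policy blocks reading cross-origin responses.
//  - If the attacker fetches my_form.php themselves, the token they receive is
//    tied to the attacker's own session cookie. When the victim's browser submits
//    it with the victim's session cookie, validate() finds no match and rejects it.
class CSRFToken
{
    private const SESSION_KEY = 'csrf_token';

    // Called when rendering my_form.php: returns the token for the current
    // session, creating it on first use.
    public static function generate(): string
    {
        if (session_status() !== PHP_SESSION_ACTIVE) {
            session_start();
        }
        if (empty($_SESSION[self::SESSION_KEY])) {
            // 32 bytes from the OS CSPRNG, hex-encoded so it can be embedded in HTML.
            $_SESSION[self::SESSION_KEY] = bin2hex(random_bytes(32));
        }
        return $_SESSION[self::SESSION_KEY];
    }

    // Called by post_comment.php: the submitted token must equal the one stored
    // in *this* request's session. hash_equals() keeps the comparison constant-time.
    public static function validate(string $submitted): bool
    {
        if (session_status() !== PHP_SESSION_ACTIVE) {
            session_start();
        }
        $expected = $_SESSION[self::SESSION_KEY] ?? '';
        if ($expected === '' || $submitted === '') {
            return false;
        }
        return hash_equals($expected, $submitted);
    }
}

// Usage in my_form.php, escaping the value before printing it into the attribute:
// $csrf_token = htmlspecialchars(CSRFToken::generate(), ENT_QUOTES, 'UTF-8');
```

Because the token lives in the server-side session and never appears in a response the attacker's origin can read, the only party that can obtain the victim's token is the victim's own browser on the site's own pages.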


2 answers
