dongtui4038
2012-04-04 05:50
Views: 34
Accepted

Should a CSRF token be included with every request?

Suppose that the users have private content on their account. Like any social website, when they browse their account, the users can see a lot of things about them. Are all of those requests tokenised? Is it a good idea to make a pattern and tokenise all requests and check them before they are processed? Any suggestion?
Do all apps based on a private accounts system tokenise all requests?

P.S.: here is a possible attack: the user logs in to a social website ("x"), stays logged in, goes to another website ("y"). Website y has a button that gets the first page content of the x site, which includes the user's latest posts. Since the user is logged in, the data will show ...

How would you set up a CSRF token mechanism for each request? Set up a middle process that redirects the request to the final processing page if it's a valid request? Or ... any other ideas? Am I wrong here? Do I see things wrong?

Here I asked the same question and got the right final answer: https://stackoverflow.com/a/10006276/1284817. The validated answer here is good to read about it too.



1 answer

  • dongsi4547 2012-04-04 06:43
    Accepted

    CSRF tokens are normally only attached to things that change things on the user's behalf (e.g. POST requests). Protecting against attackers viewing private data is much simpler, and indeed is baked right into all popular browsers:

    To protect against attackers viewing private data (rather than modifying it) you would usually rely on the browser's same-origin policy, and ensure your requests do not support Cross-Origin Resource Sharing.

    In the specific example of the attack you suggest, the attacker requests example.org/private and the browser will throw an exception which looks like this on my browser:

    XMLHttpRequest cannot load http://example.org/private. Origin http://attacker.com is not allowed by Access-Control-Allow-Origin.
    
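As an added example (not code from the question or the answer), a minimal Python model of the split the accepted answer describes: only the state-changing POST checks a per-session CSRF token, while the private GET is left to the browser's same-origin policy by never emitting CORS headers. The session store, the `/private` and `/post` paths and the origins are constructed, and `browser_can_read` is an assumed, simplified model of the browser's CORS read check.

```python
import hmac
import secrets

# Constructed in-memory session store (assumption: the real app keeps sessions
# server-side, keyed by the cookie value).
SESSIONS = {}

def new_session(user):
    """Log a user in: create a session and a per-session CSRF token."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_hex(32)}
    return sid

def csrf_token_for(session_id):
    """Token the server embeds in its own forms/pages for this session."""
    return SESSIONS[session_id]["csrf_token"]

def handle_request(method, path, session_id, csrf_token=None):
    """Tiny dispatcher returning (status, headers, body).
    Read-only GETs are not tokenised; they simply carry no
    Access-Control-Allow-Origin header, so the same-origin policy stops a
    page on site "y" from reading the body. State-changing POSTs need the token."""
    session = SESSIONS.get(session_id)
    if session is None:
        return 401, {}, "login required"
    headers = {"Content-Type": "text/plain"}  # note: no CORS headers at all
    if method == "GET" and path == "/private":
        return 200, headers, f"latest posts of {session['user']}"
    if method == "POST" and path == "/post":
        expected = session["csrf_token"]
        # compare_digest avoids leaking the token through timing differences
        if csrf_token is None or not hmac.compare_digest(csrf_token, expected):
            return 403, headers, "missing or invalid CSRF token"
        return 200, headers, "post created"
    return 404, headers, "not found"

def browser_can_read(page_origin, target_origin, response_headers, with_credentials=True):
    """Simplified model of the browser's CORS read check (assumption: only the
    Access-Control-Allow-Origin rule is modelled, not preflights)."""
    if page_origin == target_origin:
        return True  # same origin: the script may read the response
    allow = response_headers.get("Access-Control-Allow-Origin")
    if allow is None:
        return False  # the "is not allowed by Access-Control-Allow-Origin" case
    if allow == "*":
        return not with_credentials  # wildcard never unlocks credentialed reads
    return allow == page_origin
```

In this model the attack from the question fails at the browser: site "y" gets a response it is not allowed to read, and no token is needed for the GET.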
