duanguangsong2380 2012-08-25 00:21
浏览 494
已采纳

在PHP中防止CSRF攻击的最佳方法

What is the best way to protect again CSRF attacks in PHP.

It has been recommend to use form tokens, so basically generate a random value and store it in a hidden field. Then also store this random value in the users session.

Finally in the form action, make sure the session and form token match.

if($_SESSION['token'] !== $_POST['token']) {
   die("bad... spanking...");
}

Is there a better/easier way, as this requires a lot of code modification in my application (lots of forms and actions).

  • 写回答

1条回答 默认 最新

  • doufang8282 2012-08-25 00:24
    关注

    No. To protect against CSRF, you need to make sure you only trust credentials that are automatically appended to requests (like cookies) when you have reason to believe that the user actually submitted your form. The only way to do that is to have the form carry some kind of secret that the server uses to authorize processing.

    If you use a framework or library to compose your form it might help by generating the random number, setting the cookie or session property, and adding the hidden input to your form but those three steps do need to happen.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 SPSS分类模型实训题步骤
  • ¥15 求解决扩散模型代码问题
  • ¥15 工创大赛太阳能电动车项目零基础要学什么
  • ¥20 limma多组间分析最终p值只有一个
  • ¥15 nopCommerce开发问题
  • ¥15 torch.multiprocessing.spawn.ProcessExitedException: process 1 terminated with signal SIGKILL
  • ¥15 QuartusⅡ15.0编译项目后,output_files中的.jdi、.sld、.sof不更新怎么解决
  • ¥15 pycharm输出和导师的一样,但是标红
  • ¥15 想问问富文本拿到的html怎么转成docx的
  • ¥15 我看了您的文章,遇到了个问题。