security - CSRF protection: do we have to generate a token for every form?

Reposted. Author: 行者123. Updated: 2023-12-03 09:55:28

Do we have to generate a token for every form on the site? I mean, generate a different token for every form on every request? If not, why not?

Best answer

Usually, one token per session (a so-called per-session token) is enough:

In general, developers need only generate this token once for the current session. After initial generation of this token, the value is stored in the session and is utilized for each subsequent request until the session expires.
If you want to strengthen this further, you can use one token per form/URL (a per-form token) to limit the damage when a token leaks (for example via XSS), since the attacker can then only successfully attack that specific form/URL.

But with per-request tokens, i.e. the token changes with every request, the usability of the site suffers because parallel browsing is restricted:

To further enhance the security of this proposed design, consider randomizing the CSRF token […] for each request. Implementing this approach results in the generation of per-request tokens as opposed to per-session tokens. Note, however, that this may result in usability concerns. For example, the "Back" button browser capability is often hindered as the previous page may contain a token that is no longer valid. Interaction with this previous page will result in a CSRF false positive security event at the server.
So I recommend using either per-session tokens or per-form tokens.

Regarding "security - CSRF protection: do we have to generate a token for every form?", a similar question was found on Stack Overflow: https://stackoverflow.com/questions/8655817/
