我正在寻找一种方法来添加CSRF令牌到我正在做的应用程序。注意,应用程序目前不使用Cookie或会话。
I am looking for a way to add a CSRF token to an application I'm making. The caveat is, the application does not currently use cookies or sessions.
我想找到一种方法来引入CSRF令牌,而不必:
I would love to find a way to introduce a CSRF token without having to:
可能性,或者我在我的应用程序中卡住了创建新状态。
Is this at all a possibility, or am I stuck creating new state in my application.
推荐答案你可以,但不会很安全。
You can, but it's not going to be very secure.
这里有一个例子但是不要使用它,这是一个很糟糕的想法:
// Do this somewhere define('CSRF_SALT', '4dedMj4CWgBMNhRsoTpJlokwB5wTz7UsmF8Mq4uzFIbv'); $token = base64_encode( hash_hmac( 'sha256', date('Ymd') . $_SERVER['REMOTE_ADDR'] . $_SERVER['HTTP_USER_AGENT'], CSRF_SALT, true ) ); if (\hash_equals($_POST['security_token'], $token)) { // Form passes validation }缺点是这些令牌本质上是可重用的,所以如果一个泄漏的攻击者可以简单地重用(或重新计算)。您也可以尝试在哈希计算中添加表单action =。
The downside is that these tokens are inherently reusable, so if one leaks an attacker can simply reuse (or recalculate) it. You can also try adding the form action="" value in the hash calculation.
function getToken($action) { return base64_encode( hash_hmac( 'sha256', hash_hmac( 'sha256', date('Ymd') . $_SERVER['REMOTE_ADDR'] . $_SERVER['HTTP_USER_AGENT'], hash('sha256', $action, true), true ), CSRF_SALT, true ) ); } echo "<form action='register.php' method='post'>\n"; echo "<input type='hidden' name='security_token' value='".getToken('register.php')."' />\n"; // ...你们对会话的厌恶是什么?
What's your anathema for sessions anyway?
更多推荐
在PHP中没有Cookie的CSRF令牌
发布评论