How TOKEN verification prevents CSRF attacks

CSRF stands for cross-site request forgery. Through a CSRF attack, an attacker can forge our identity and carry out unauthorized operations in our name, for example making transfers or sending messages with our account.

To prevent CSRF attacks, you first need to understand how a CSRF attack works; only then can you really grasp the means of prevention. The principle of a CSRF attack is this:

(1): When we log in to a site, the HTTP protocol is stateless, so in order to preserve our login state the server program must create a session file that saves our login information.

(2): So that our state is carried across the many pages we visit, the server's first response delivers the session_id corresponding to that session file to the client browser, and the browser writes this value into a cookie. The next time we access content on the site, the browser sends all cookies stored locally for that site to the server program, including the cookie holding the session_id. If the server needs to verify the requester's identity, it checks whether a session file corresponding to the session_id carried in the cookie exists and what it contains. If the check passes, the user is authenticated as legitimate; otherwise the request is treated as illegitimate.

(3): If an attacker places a link on another page that points to the site's transfer system, and the current user is a member of that site and is logged in (that is, a cookie holding a valid session_id exists in the client browser), then when the user clicks this link the browser sends the user's cookie information along to the server. The user does not know what that link specifically does, so the request is carried out under the user's forged identity without the user's knowledge.

So how should such attacks be prevented? To prevent them, mainstream frameworks all rely on a TOKEN mechanism. That is, when a user interacts with the server, an encrypted string is passed to the server, and the server checks whether the string is legitimate; if it is not, the request may be an attacker's forgery of the user's identity.

So how is this encrypted string generated? It is generated by the back-end program and then placed in the page. Typically it is a combination of the current controller, method, secret key, and time, encrypted together. After it is sent back to the server, the server regenerates it; if the two agree the request is legitimate, otherwise it is not.
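The scheme just described, as an added example in Python that is not part of the original post: the "encrypted string" is produced here with an HMAC over the session_id, controller, method and issue time under a server-side secret key, and the server recomputes it on each request. The function names, the 600-second lifetime and the sample form data are assumptions for the illustration.

```python
import hashlib
import hmac
import secrets
import time

# Server-side secret; assumed to be generated once and never placed in the page.
SECRET_KEY = secrets.token_bytes(32)
TOKEN_TTL = 600  # seconds a token stays valid (assumed value)


def _sign(session_id, controller, action, issued_at):
    # Bind the token to the session, the target controller/method and the time.
    msg = f"{session_id}|{controller}|{action}|{issued_at}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def make_token(session_id, controller, action, now=None):
    # Generated by the back end and embedded in the page (e.g. a hidden form field).
    issued_at = int(now if now is not None else time.time())
    return f"{issued_at}:{_sign(session_id, controller, action, issued_at)}"


def verify_token(token, session_id, controller, action, now=None):
    # Server side: regenerate the string for this session/controller/method and
    # compare in constant time; reject expired or malformed tokens.
    try:
        ts, sig = token.split(":", 1)
        issued_at = int(ts)
    except (ValueError, AttributeError):
        return False
    current = now if now is not None else time.time()
    if current - issued_at > TOKEN_TTL or issued_at > current + 5:
        return False
    return hmac.compare_digest(sig, _sign(session_id, controller, action, issued_at))


def handle_transfer(form, session_id, now=None):
    # The browser attaches the session cookie to any request, including one an
    # attacker's page triggers; only a form rendered by our own page carries
    # the matching token, so a request without it is refused.
    token = form.get("_token", "")
    if not verify_token(token, session_id, "Account", "transfer", now):
        return 403, "CSRF token missing or invalid"
    return 200, f"transferred {form['amount']} to {form['to']}"


if __name__ == "__main__":
    sid = "sess-demo"  # constructed session id
    tok = make_token(sid, "Account", "transfer")
    print(handle_transfer({"_token": tok, "amount": "10", "to": "alice"}, sid))
    print(handle_transfer({"amount": "10", "to": "attacker"}, sid))
```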


Origin www.cnblogs.com/rinack/p/11295508.html