You are probably no stranger to the token method of preventing CSRF attacks. As I understand it, the process goes as follows:
1. The browser side (client) logs in to a website, e.g. www.myweb.com/index.asp, and passes authentication (the specific process is omitted).
2. The WebServer (server) generates a token, say myToken="12345678", and sends it to the client.
3. The client saves this token in a local cookie.
4. In subsequent requests from the client to the server, the token is carried along as a parameter. Concretely, the token can be put in the URL as a parameter, like www.myweb.com/index.asp?id=xxx&myToken=12345678, or it can be sent in the form of an HTTP header.
My question is: on the client, i.e. in the browser, how is step 4 above done? That is, how does the client take the token (the myToken listed above) out of the cookie, put it into a parameter (or into an HTTP header), and then send it to the server? Do I need to write specific code to implement this? Thank you very much!
CodePudding user response:
When logging in, send the account and password to the backend for verification; once verification passes, the token is returned to you.
CodePudding user response:
Cookies are sent to the backend automatically; let the backend take its stuff out of the cookie itself.
CodePudding user response:
Quoting floor 2 (nian_cj): Cookies are sent to the backend automatically; let the backend take its stuff out of the cookie itself.
Didn't you read my question? I am asking how the token is sent to the server separately, via an HTTP header or a parameter, rather than being uploaded automatically by the cookie. If it is uploaded automatically by the cookie, it cannot prevent CSRF attacks.
CodePudding user response:
Quoting floor 1 (console.log()): When logging in, send the account and password to the backend for verification; once verification passes, the token is returned to you.
Didn't you read my question? I am not asking how the server returns the token, but how the client sends it to the server via an HTTP header or a parameter.
CodePudding user response:
Quoting floor 4 (sealdh): (quoting floor 1 (console.log()): When logging in, send the account and password to the backend for verification; once verification passes, the token is returned to you.) Didn't you read my question? I am not asking how the server returns the token, but how the client sends it to the server via an HTTP header or a parameter.
Add a request interceptor.
CodePudding user response:
Quoting floor 4 (sealdh): (quoting floor 1 (console.log()): When logging in, send the account and password to the backend for verification; once verification passes, the token is returned to you.) Didn't you read my question? I am not asking how the server returns the token, but how the client sends it to the server via an HTTP header or a parameter.
Or wrap the requests and put it directly into the request header.
CodePudding user response:
myToken="12345678". To pass this to the server there are three ways: 1. The first is to read the cookie directly: Request.Cookies("name of the locally saved cookie"). 2. Parameters in the address bar: for example, when you visit the addnews.asp page, use addnews.asp?myToken=12345678, and that page obtains it through Request("myToken"). 3. Pass it in a form by putting in a hidden form field <input type="hidden" name="myToken" value="12345678">.
CodePudding user response:
Quoting floor 7 (ah well): myToken="12345678". To pass this to the server there are three ways: 1. The first is to read the cookie directly: Request.Cookies("name of the locally saved cookie"). 2. Parameters in the address bar: for example, when you visit the addnews.asp page, use addnews.asp?myToken=12345678, and that page obtains it through Request("myToken"). 3. Pass it in a form by putting in a hidden form field <input type="hidden" name="myToken" value="12345678">.
I'm not sure whether this is the answer I want, but my question is: how does the client, i.e. the browser side, generate the URL carrying the token? For example, on a follow-up visit the client will visit the address addnews.asp?myToken=12345678; my question is how that address is generated, especially the token part. My problem is how the client generates the URL with the token that it sends to the server, not how the server parses the URL after receiving it.
CodePudding user response:
The server-side code that obtains these values can also be written separately into a file and included at the head of every page.
Quoting floor 8 (sealdh): (quoting floor 7 (ah well): myToken="12345678". To pass this to the server there are three ways: 1. The first is to read the cookie directly: Request.Cookies("name of the locally saved cookie"). 2. Parameters in the address bar: for example, when you visit the addnews.asp page, use addnews.asp?myToken=12345678, and that page obtains it through Request("myToken"). 3. Pass it in a form by putting in a hidden form field <input type="hidden" name="myToken" value="12345678">.) I'm not sure whether this is the answer I want, but my question is: how does the client, i.e. the browser side, generate the URL carrying the token? For example, on a follow-up visit the client will visit the address addnews.asp?myToken=12345678; my question is how that address is generated, especially the token part. My problem is how the client generates the URL with the token that it sends to the server, not how the server parses the URL after receiving it.
How exactly the value myToken=12345678 is generated should be a secret that only you know. Of course, you can do it like this: take the current user name + the current date + a security code (set it yourself, e.g. AX@123_1). If the user name is iamxx and today is 2020-5-15, the combination is a string like iamxx20200515AX@123_1. This string is generated once your user name and password authentication passes and can be saved to the database; the client generates it according to the same combination rule and passes it over in the address bar; then you compare it with the value stored in the database, and if they agree it is safe. Of course, in actual use this string needs to be encrypted, otherwise anyone can see it. There are many encryption methods, MD5, DES, AES, SHA1, RSA; pick one. For example myToken=iamxx20200515AX@123_1; after SHA1 encryption, iamxx20200515AX@123_1 becomes myToken=a7e82df8b06172950243d8aa2064ac3c2478230f, so nobody knows how you generated it. Your client also does the SHA1 encryption; the client and server should come out the same, and then you can determine whether it is safe.
CodePudding user response:
If login is used, the string combination can contain the user name, so you can determine which user initiated the request. If it is only to prevent illegitimate access, you can include the domain name in that set; then a normal access address should be able to generate your encrypted string, while an illegitimate login should not know your encrypted string, so you judge it to be illegitimate. So that your encryption method does not get broken, you can make the combination of the encryption security code more complex with special characters. Build it as an API interface: what comes across carrying the encryption measures you authorized passes verification and is legitimate; what does not is illegitimate.
CodePudding user response:
1. If the token is in the cookie, the browser will automatically carry it on the next visit; you don't need to write a single line of code. 2. Sending the token in the URL or in the Header must be done with JavaScript code; for example, ajax can set the headers that are sent.
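The JavaScript that floor 11 refers to, as an added example that is not code from the thread: the client reads myToken out of the cookie string and puts it into a request header before sending (or, as in floor 7's second way, into the URL). The cookie name myToken and the address addnews.asp come from the thread; the header name X-CSRF-Token and the site https://www.myweb.com used to resolve the relative URL are assumptions. The functions take the cookie string as a parameter so they run outside a browser; in a page you pass document.cookie.

```javascript
// Added example, not code from the thread: browser-side half of step 4 in the
// question (the "double-submit cookie" pattern). Assumptions: the token cookie
// is named myToken (from the thread), the header is X-CSRF-Token, and the site
// origin is https://www.myweb.com.

// Parse a cookie header string (document.cookie in the browser) into a map.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name) out[name] = decodeURIComponent(value);
  }
  return out;
}

// Read the CSRF token the server planted in the cookie at login.
function getCsrfToken(cookieString) {
  const token = parseCookies(cookieString)["myToken"];
  if (!token) throw new Error("myToken cookie is missing; log in first");
  return token;
}

// Build the fetch() init object: the token travels in a header, set by script.
function buildRequestInit(cookieString, bodyObject) {
  return {
    method: "POST",
    credentials: "same-origin", // the cookie itself still goes along automatically
    headers: {
      "Content-Type": "application/json",
      "X-CSRF-Token": getCsrfToken(cookieString),
    },
    body: JSON.stringify(bodyObject),
  };
}

// The other variant from the question and floor 7: token as a URL parameter.
function buildUrlWithToken(path, cookieString) {
  const url = new URL(path, "https://www.myweb.com");
  url.searchParams.set("myToken", getCsrfToken(cookieString));
  return url.toString();
}

// Wrapper so every state-changing request picks up the header without the
// caller thinking about it (what floors 5 and 6 call a request interceptor).
// fetchImpl is injectable so the wrapper can be exercised without a network.
function csrfFetch(cookieString, url, bodyObject, fetchImpl = globalThis.fetch) {
  return fetchImpl(url, buildRequestInit(cookieString, bodyObject));
}

// Constructed sample of what document.cookie looks like after login.
const SAMPLE_COOKIE = "sessionid=abc123; myToken=12345678; theme=dark";

console.log("token:", getCsrfToken(SAMPLE_COOKIE));
console.log("url:", buildUrlWithToken("/addnews.asp", SAMPLE_COOKIE));
console.log("headers:", buildRequestInit(SAMPLE_COOKIE, { title: "hello" }).headers);
```

In a page, csrfFetch(document.cookie, "/addnews.asp", { title: "hello" }) sends the token both ways: the cookie goes along automatically, and the copy in X-CSRF-Token is put there by script that only a same-origin page can run, which is exactly what a cross-site form post cannot reproduce. Two checks on the server side of this pattern: the myToken cookie must not be set HttpOnly, or the script cannot read it, and the server must compare the header (or URL) value against the cookie or the stored value rather than accept the cookie alone.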