Do I need csrf tokens after login?

I'm building a simple to-do list where users log in (using a csrf-token) and are then able to add items to the to-do list. After the user is already logged in, do I need to add csrf_tokens to the submissions made via AJAX (the to-do list items)? I'm using session-based authentication.

Well, I would say yes, you have to. Take a look at this excerpt from the OWASP (Open Web Application Security Project) documentation:

When targeting a normal user, a successful CSRF attack can compromise end-user data and their associated functions. If the targeted end user is an administrator account, a CSRF attack can compromise the entire Web application. The sites that are more likely to be attacked are community Websites (social networking, email) or sites that have high dollar value accounts associated with them (banks, stock brokerages, bill pay services). This attack can happen even if the user is logged into a Web site using strong encryption (HTTPS). Utilizing social engineering, an attacker will embed malicious HTML or JavaScript code into an email or Website to request a specific 'task url'. The task then executes with or without the user's knowledge, either directly or by utilizing a Cross-site Scripting flaw (ex: Samy MySpace Worm).
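To make the "yes" concrete: the session cookie is exactly what a forged cross-site request rides on, so every state-changing request made while logged in (AJAX or not) needs a token the attacker's page cannot read. The following is an added example, not code from the question or the answer above; it uses only the Python standard library and stand-in names (SESSIONS, login, add_todo, Request, the X-CSRF-Token header) that are assumptions, not any particular framework's API. It mints a per-session token at login, has the page hand it to same-origin JavaScript, and rejects a forged POST that carries the cookie but not the token.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Hypothetical in-memory session store (session id -> session data),
# constructed for this example; a real app would back this with a server-side store.
SESSIONS: dict[str, dict] = {}


def login(username: str, password: str) -> str:
    """Authenticate and create a session. Returns the session id that the
    server would set as an HttpOnly cookie. A fresh CSRF token is minted per
    session, so it is never shared between users or across logins."""
    # Constructed credentials for the example only.
    if not (username == "alice" and password == "correct horse"):
        raise PermissionError("bad credentials")
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {
        "user": username,
        "csrf_token": secrets.token_urlsafe(32),
        "todos": [],
    }
    return session_id


def csrf_token_for_page(session_id: str) -> str:
    """What the server embeds in its own rendered page (meta tag, JSON endpoint)
    so same-origin JavaScript can read it and send it with AJAX calls.
    A page on another origin cannot read it: the same-origin policy stops it
    reading our response bodies, even though the browser still sends our cookie."""
    return SESSIONS[session_id]["csrf_token"]


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request (constructed)."""
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def add_todo(req: Request) -> tuple[int, str]:
    """POST /todos handler. Returns (status, body)."""
    session = SESSIONS.get(req.cookies.get("session"))
    if session is None:
        return 401, "not logged in"
    # Accept the token as an AJAX header or as a hidden form field.
    presented = req.headers.get("X-CSRF-Token") or req.form.get("csrf_token")
    # Constant-time comparison on bytes so a non-ASCII guess cannot raise TypeError.
    if presented is None or not hmac.compare_digest(
        presented.encode(), session["csrf_token"].encode()
    ):
        return 403, "csrf token missing or invalid"
    item = req.form.get("item", "")
    if not item:
        return 400, "empty item"
    session["todos"].append(item)
    return 201, f"added {item}"


def simulate() -> dict:
    """Run three requests against one logged-in session and return the outcomes."""
    sid = login("alice", "correct horse")
    token = csrf_token_for_page(sid)
    # 1. Legitimate AJAX call from our own page: session cookie + token header.
    ok = add_todo(Request(cookies={"session": sid},
                          headers={"X-CSRF-Token": token},
                          form={"item": "buy milk"}))
    # 2. Forged request from an attacker's page: the browser attaches the
    #    session cookie automatically, but the attacker cannot read the token.
    forged = add_todo(Request(cookies={"session": sid},
                              form={"item": "delete everything"}))
    # 3. Attacker guesses a token of the right length.
    guessed = add_todo(Request(cookies={"session": sid},
                               headers={"X-CSRF-Token": "A" * 43},
                               form={"item": "guess"}))
    return {"ok": ok, "forged": forged, "guessed": guessed,
            "todos": list(SESSIONS[sid]["todos"])}


if __name__ == "__main__":
    for name, result in simulate().items():
        print(name, result)
```

The point the example makes is that being logged in is not protection against CSRF; it is the precondition for it. Only the request carrying the session-bound token succeeds, and the token has to be sent on every state-changing request, including the AJAX ones, because the cookie alone is what the forged request already has. A SameSite cookie attribute is useful defence in depth, but the token check is what the handler should actually rely on.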