How does this CSRF protection work?

点点圈 submitted on 2019-12-06 05:59:09

Question


The following is an example taken from Facebook's authentication page. What is the idea behind adding data to the session and then redirecting to a URL using JavaScript? Also, why do an md5 hash of a uniqid?

<?php 

   $app_id = "YOUR_APP_ID";
   $app_secret = "YOUR_APP_SECRET";
   $my_url = "YOUR_URL";

   session_start();
   $code = isset($_REQUEST["code"]) ? $_REQUEST["code"] : "";

   if(empty($code)) {
     // First visit, no code yet: mint an unguessable token, bind it to this
     // browser's session and send it to the provider as 'state'. The provider
     // echoes it back unchanged on the redirect. (CSRF protection)
     // Note: uniqid()+rand() is not a CSPRNG; a real app should use random_bytes().
     $_SESSION['state'] = md5(uniqid(rand(), TRUE));
     $dialog_url = "http://www.facebook.com/dialog/oauth?client_id=" 
       . $app_id . "&redirect_uri=" . urlencode($my_url) . "&state="
       . $_SESSION['state'];

     echo("<script> top.location.href='" . $dialog_url . "'</script>");
     exit; // stop here; the rest of the script belongs to the callback request
   }

   // Callback: the request must carry exactly the token this session stored.
   // hash_equals() is a strict, constant-time comparison; a loose == would
   // treat numeric-looking strings such as "0e..." as equal.
   $state_ok = isset($_REQUEST['state'], $_SESSION['state'])
     && is_string($_REQUEST['state'])
     && hash_equals($_SESSION['state'], $_REQUEST['state']);

   if($state_ok) {
     unset($_SESSION['state']); // one-time use: a replayed callback will not match
     $token_url = "https://graph.facebook.com/oauth/access_token?"
       . "client_id=" . $app_id . "&redirect_uri=" . urlencode($my_url)
       . "&client_secret=" . $app_secret . "&code=" . urlencode($code);

     $response = file_get_contents($token_url);
     $params = null;
     parse_str($response, $params);

     $graph_url = "https://graph.facebook.com/me?access_token=" 
       . urlencode($params['access_token']);

     $user = json_decode(file_get_contents($graph_url));
     echo("Hello " . htmlspecialchars($user->name));
   }
   else {
     echo("The state does not match. You may be a victim of CSRF.");
   }

 ?>

Answer 1:


I know this will probably get slated as it is a Wikipedia link, but you can find a full explanation of CSRF here: http://en.wikipedia.org/wiki/Cross-site_request_forgery. Once you fully understand what it is, you will understand how having a unique token per user can protect against it. The prevention section lists using a per-user token as a method of prevention.




Answer 2:


It ensures that you are being redirected here only in response to an action initiated by the site. Read up on CSRF at https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29.




Answer 3:


By generating a hard (impossible) to guess value and storing it in a session as well as sending it with a request, this script can verify if it was called by itself instead of from somewhere else. Somewhere else, the hard-to-guess value would be unknown and could thus not be supplied.
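The mechanism Answer 3 describes, as an added example that is not part of the original thread: a Python model of the same two-step flow as the PHP above, with the session store, the authorization server and both browsers simulated in-process so it runs offline. The callback URL and the `provider_redirect` helper are assumptions for the simulation, and the state is drawn from the OS CSPRNG rather than md5(uniqid(rand(), TRUE)). It also plays out the attack the check exists for, a login CSRF in which the attacker finishes the dialog in their own browser and gets the victim's browser to load the resulting callback URL, plus a replay of an already-used callback.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholders, as in the PHP snippet; the callback URL is an assumed value.
APP_ID = "YOUR_APP_ID"
REDIRECT_URI = "https://app.example/callback"
DIALOG_URL = "https://www.facebook.com/dialog/oauth"


def new_state() -> str:
    """32 hex chars from the OS CSPRNG (the role md5(uniqid(rand(), TRUE)) plays in the PHP)."""
    return secrets.token_hex(16)


def start_login(session: dict) -> str:
    """Step 1 (no code yet): bind a fresh state to this browser's session and build the redirect."""
    session["state"] = new_state()
    query = urlencode({"client_id": APP_ID, "redirect_uri": REDIRECT_URI, "state": session["state"]})
    return f"{DIALOG_URL}?{query}"


def provider_redirect(dialog_url: str, code: str) -> str:
    """Simulated authorization server (assumed): echoes the state it was given and attaches a code."""
    params = parse_qs(urlparse(dialog_url).query)
    return params["redirect_uri"][0] + "?" + urlencode({"code": code, "state": params["state"][0]})


def handle_callback(session: dict, callback_url: str) -> str:
    """Step 2: accept the code only if the echoed state is the one *this* session stored."""
    params = parse_qs(urlparse(callback_url).query)
    presented = params.get("state", [""])[0]
    expected = session.get("state", "")
    # Constant-time, strict comparison; a session with no pending state never matches.
    if not expected or not hmac.compare_digest(presented.encode(), expected.encode()):
        return "rejected: state mismatch"
    del session["state"]  # one-time use, so a replayed callback is refused
    return "accepted code " + params.get("code", [""])[0]


def demo() -> dict:
    """Run the legitimate flow, a replay, and a login-CSRF attempt; return each outcome."""
    victim = {}
    legit_callback = provider_redirect(start_login(victim), code="victim-code")
    legit = handle_callback(victim, legit_callback)
    replay = handle_callback(victim, legit_callback)

    # Login CSRF: the attacker completes the dialog in *their own* browser, then
    # lures the victim's browser into loading the resulting callback URL so the
    # victim's session would end up logged in as the attacker.
    attacker = {}
    forged_callback = provider_redirect(start_login(attacker), code="attacker-code")
    victim_mid_login = {}
    start_login(victim_mid_login)  # victim has a pending state, but a different one
    forged = handle_callback(victim_mid_login, forged_callback)
    no_session = handle_callback({}, forged_callback)  # victim never started a login
    return {"legit": legit, "replay": replay, "forged": forged, "no_session": no_session}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:>11}: {outcome}")
```

Run it directly to see the four outcomes; only the callback whose state was minted by the very session receiving it is accepted, which is the whole property the PHP snippet relies on.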



Source: https://stackoverflow.com/questions/6656097/how-does-this-csrf-protection-work
