确定 PHP 中的 Referer
确定哪个页面发送或调用(通过 AJAX)当前页面的最可靠、最安全的方法是什么。 我不想使用 $_SERVER['HTTP_REFERER']
,因为(缺乏)可靠性,并且我需要调用的页面仅来自我网站上的请求。< br>
编辑:我希望验证是否从我网站上的页面调用了执行一系列操作的脚本。
What is the most reliable and secure way to determine what page either sent, or called (via AJAX), the current page. I don't want to use the $_SERVER['HTTP_REFERER']
, because of the (lack of) reliability, and I need the page being called to only come from requests originating on my site.
Edit: I am looking to verify that a script that preforms a series of actions is being called from a page on my website.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(5)
REFERER 作为 HTTP 协议的一部分由客户端浏览器发送,因此确实不可靠。 它可能不存在,也可能是伪造的,如果出于安全原因,您就不能信任它。
如果您想验证请求是否来自您的网站,那么您不能,但您可以验证用户是否已访问您的网站和/或已通过身份验证。 Cookie 在 AJAX 请求中发送,因此您可以信赖它。
The REFERER is sent by the client's browser as part of the HTTP protocol, and is therefore unreliable indeed. It might not be there, it might be forged, you just can't trust it if it's for security reasons.
If you want to verify if a request is coming from your site, well you can't, but you can verify the user has been to your site and/or is authenticated. Cookies are sent in AJAX requests so you can rely on that.
我发现最好的是 CSRF 令牌,并将其保存在需要验证引荐来源网址的链接的会话中。
因此,如果您生成 FB 回调,那么它看起来会像这样:
然后,index.php 会看起来像这样:
我确实知道有一些安全站点会对其所有安全页面执行与此相同的操作。
What I have found best is a CSRF token and save it in the session for links where you need to verify the referrer.
So if you are generating a FB callback then it would look something like this:
Then the index.php will look like this:
I do know of secure sites that do the equivalent of this for all their secure pages.
使用 $_SERVER['HTTP_REFERER']
Using $_SERVER['HTTP_REFERER']
没有可靠的方法来检查这一点。 它真的是在客户的手下告诉你它来自哪里。 您可以想象使用仅放置在网站的某些页面上的 cookie 或会话信息,但这样做会破坏书签的用户体验。
There is no reliable way to check this. It's really under client's hand to tell you where it came from. You could imagine to use cookie or sessions informations put only on some pages of your website, but doing so your would break user experience with bookmarks.
阅读完所有虚假推荐人问题后,我们只剩下一个选择:
IE
我们希望作为引用者跟踪的页面应该保留在会话中,并且作为 ajax 调用,然后检查会话是否具有引用者页面值,并执行该操作,否则不执行任何操作。
另一方面,当他请求任何不同的页面时,则将引用者会话值设置为空。
请记住,会话变量仅在所需的页面请求上设置。
We have only single option left after reading all the fake referrer problems:
i.e.
The page we desire to track as referrer should be kept in session, and as ajax called then checking in session if it has referrer page value and doing the action other wise no action.
While on the other hand as he request any different page then make the referrer session value to null.
Remember that session variable is set on desire page request only.