如何可靠地检查对我的服务文件的请求是否来自我的网站?

发布于 2024-10-10 15:58:46 字数 629 浏览 2 评论 0原文

我有一个 service.php 类,用于为来自我的网站的 AJAX 调用提供服务。为了防止其他人使用 PHP CURL 访问服务,我通常会检查请求是否来自我的网站,如果不是,则重定向到我的主页,例如

if($_SERVER['HTTP_REFERER'] != "http://www.mysite.com"){
   header('location: http://www.mysite.com');
   exit;
}

我在 PHP 圣经中读到:

http://www.php.net/manual/en/保留.variables.server.php

那个

“并非所有用户代理都会设置此项,有些用户代理提供了修改 HTTP_REFERER 的功能。简而言之,它不能真正被信任。”

因此,如果这种方法不可靠,我的问题是如何可靠地检查对我的服务文件的请求是否来自我的网站?

感谢您提供的任何帮助!

I have a service.php class that I use to service AJAX calls from my website. To prevent other people accessing the service using PHP CURL I would normally check the request has come from mysite, and if they are not then just redirect to my home page e.g.

if($_SERVER['HTTP_REFERER'] != "http://www.mysite.com"){
   header('location: http://www.mysite.com');
   exit;
}

I read in the PHP holy bible:

http://www.php.net/manual/en/reserved.variables.server.php

that

"Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted."

So if this method is not reliable, my question is how can I reliably check that requests to my service file have come from my website?

Thanks for any help you can provide!

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(2

ら栖息 2024-10-17 15:58:46

您需要创建一个小的会话cookie,其中包括页面请求的时间、请求者的IP 和一些不时变化的秘密字符串(即有效期为一个小时左右)。 cookie 必须加密。现在,当进行 AJAX 调用时,您将检查 cookie、比较 IP、检查秘密字符串并采取相应措施。

但说实话,这会让黑客的任务变得更加复杂,但并非不可能。因此,您需要将 HTTPS 添加到等式中,即使如此,客户端计算机上的良好木马也可能会导致错误请求。但在大多数情况下,上述 + HTTPS 都会将攻击者赶走。

You need to create a small session cookie, which includes time of page request, IP of the requester and some secret string which changes from time to time (i.e. is valid for an hour or so). The cookie must be encrypted. Now when the AJAX call is made, you check the cookie, compare the IP, check the secret string and act accordingly.

But to say the truth, this will make hacker's task more complicated, but not impossible. So you'd need to add HTTPS to the equation, and even then a good troyan on client's computer would make false request possible. But for most scenarios the above + HTTPS would drive the attacker away.

勿忘初心 2024-10-17 15:58:46

我认为你不能轻易做到。您可以做的是让您自己的文件始终发布某种密码。假设您发送了一些数据(日期时间?),以及 “datetime+secretstring” 的哈希值,

因为只有您知道秘密字符串,所以只有您可以创建哈希值。使用接收到的日期时间在第二个文件中重新创建哈希,并检查发送的哈希是否正确。

来自其他站点的请求不会包含您的哈希值和日期时间,或者至少不会包含正确的哈希值和日期时间。

You can't easily I think. What you could do is make your own files always post some sort of passphrase. Say you sent some data (datetime?), and a hash of "datetime+secretstring"

As only you know the secretstring, only you can create the hash. Recreate the hash in your 2nd file using the received datetime, and check if the sent hash is correct.

Requests from other sites will not have your hash and datetime, or at least not the correct one.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文