Can a PHP session token be used multiple times?
I have page A, which is a normal HTML page, and a page which is an AJAX response page. And I want to prevent CSRF attacks by tokens. Let's say I use this method for an autocomplete form: is it possible to use the same token multiple times (of course the session is only set one time)? I tried this method, but the validation keeps failing after the first suggestion (obviously the token has changed, somehow).
page A
<?php
session_start();
// A fresh token is generated and stored on every request to page A
$token = md5(uniqid(rand(), TRUE));
$_SESSION['token'] = $token;
?>
<input id="token" name="token" value="<?php echo $token; ?>" type="hidden">
<input id="autocomplete" name="autocomplete" placeholder="Type something">
....
The form is autosubmitted every time there's a change using jQuery.
page B
<?php
session_start();
// Compare the submitted token with the one stored in the session
if (isset($_REQUEST['token'], $_SESSION['token']) && $_REQUEST['token'] == $_SESSION['token']) {
    echo 'Im working fine';
}
?>
Comments (1)
It would be possible to use the same token multiple times - as long as $_SESSION['token'] remains unchanged.
Every time page A is called - that token is getting overwritten. If you want to use the same token you may want to try:
I would also not use $_REQUEST as that leaves your source ambiguous - I would use either $_POST or $_GET.
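The pattern the answer describes, written out as an added example (it is not the answerer's snippet, which did not survive on this page, nor the asker's code): the token is created only when the session does not already hold one, so it stays stable across every autocomplete request; the AJAX role reads it from $_POST only; and the comparison uses hash_equals() instead of ==. To keep it self-contained the script plays both the page A and page B roles, the helper names csrf_token() and csrf_check() are my own, the suggestion list is constructed, and the jQuery path is a placeholder for a local copy.

```php
<?php
// Added example (not from the original post): one script that plays both
// roles, so the same token is reused across every autocomplete request.
// Helper names csrf_token() and csrf_check() are assumptions of this example.
declare(strict_types=1);
session_start();

function csrf_token(): string
{
    // Generate only once per session; later calls return the stored value,
    // so reloading page A no longer overwrites the token the form holds.
    if (empty($_SESSION['token'])) {
        $_SESSION['token'] = bin2hex(random_bytes(32)); // CSPRNG, not rand()/uniqid()
    }
    return $_SESSION['token'];
}

function csrf_check(?string $submitted): bool
{
    if ($submitted === null || empty($_SESSION['token'])) {
        return false;
    }
    // Constant-time comparison; it also rejects the type juggling == accepts.
    return hash_equals($_SESSION['token'], $submitted);
}

// "Page B" role: AJAX endpoint. Read only $_POST, as the answer suggests,
// so a token can never arrive via the query string or a cookie.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    header('Content-Type: application/json');
    if (!csrf_check($_POST['token'] ?? null)) {
        http_response_code(403);
        echo json_encode(['error' => 'invalid CSRF token']);
        exit;
    }
    $q = strtolower((string)($_POST['q'] ?? ''));
    // Constructed sample suggestions; a real endpoint would query a backend.
    $words = ['apple', 'apricot', 'banana', 'blueberry'];
    $matches = array_values(array_filter(
        $words,
        fn(string $w): bool => $q !== '' && str_starts_with($w, $q)
    ));
    echo json_encode(['suggestions' => $matches]);
    exit;
}

// "Page A" role: render the form. Every load reuses the same session token.
$token = csrf_token();
?>
<!DOCTYPE html>
<input id="token" name="token" type="hidden" value="<?= htmlspecialchars($token, ENT_QUOTES) ?>">
<input id="autocomplete" name="q" placeholder="Type something">
<script src="/js/jquery.min.js"></script> <!-- placeholder path for a local jQuery copy -->
<script>
// Each keystroke POSTs the same token; it stays valid because the server
// no longer regenerates it on every request.
$('#autocomplete').on('input', function () {
  $.post(location.pathname, { token: $('#token').val(), q: this.value })
   .done(function (r) { console.log(r.suggestions); })
   .fail(function (xhr) { console.log('rejected', xhr.status); });
});
</script>
```

One token per session is the usual synchronizer-token arrangement; it does not need to change on every request to stop a cross-site request, because the attacker's page cannot read it either way. Regenerate it (together with session_regenerate_id()) when the user logs in or out, and check the response with a browser's network panel: repeated inputs should all return 200 with the same token, while a POST with a missing or altered token should return 403.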