保证请求来自本地服务器
我有一个经典的 ASP 页面向我的 ASP.net (c#) 页面“doSomething.ashx”发出 XMLHTTP 请求。它们都托管在同一服务器上。
如何保证请求来自本地服务器,阻止恶意用户访问doSomething.ashx页面并发出虚假请求?
编辑:
愚蠢的我忘记了我可以传递用户名+密码,但是会:
HttpContext.Current.Request.IsLocal
同样有效吗?或者这会受到有创意的黑客的影响吗?
I've got a classic ASP page making an XMLHTTP request to my ASP.net (c#) page, "doSomething.ashx". They are both hosted on the same server.
How can I guarantee that the request came from the local server, to stop malicious users visiting the doSomething.ashx page and making false requests?
Edit:
Stupid me forgot I could pass username + pw through, but will:
HttpContext.Current.Request.IsLocal
Work just as well? Or could this suffer from creative hackers?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
在 HttpRequest 对象中,有一个属性:
如果请求来自同一台机器,则该布尔值为 true!
MSDN 文档:
如果 IP 地址为请求发起者是127.0.0.1或者请求的IP地址与服务器的IP地址相同。
In the HttpRequest object, there is a property:
This boolean is true if the request has come from the same machine!
MSDN Docs:
The IsLocal property returns true if the IP address of the request originator is 127.0.0.1 or if the IP address of the request is the same as the server's IP address.
您将需要添加一些该请求/会话特有的令牌。
如果它刚刚经过身份验证,您可以保证它来自具有详细信息的人,但仍然可以从该用户那里“伪造”。
您可以检查所有“已知”令牌是否过期,或者使用基于会话的系统并检查其在请求处理程序中是否有效。
如果仅使用令牌。您需要在发送发出请求的页面时在服务器上生成它们,然后在处理请求本身时进行检查。
You will need to add some token that is unique to that request/session.
If it's just authenticated, you can guarantee that it came from someone with details but can still be "faked" from that user.
You can either check all "known" tokens with an expiry, or use a session based system and check it's valid in the request handler.
If using just tokens. you will need to generate them on the server when sending out the page that makes the request, and then checked when handling the request itself.
很简单,您验证请求。
Simple, you authenticate the request.