Preventing forged HttpRequests

Published 2024-11-03 19:18:12, 261 characters, 3 views, 0 comments

I've been searching throughout the day to find a way to figure this out, but without success, and I thought that maybe someone here could help?
I am trying to use a secret password in my .js file, but I can't write it directly in the file because everyone could see it when accessing the source code. E.g. I need to send this password using ajax to another page to make sure that the HttpRequest is from my website and not from another forged HttpRequest.
Is that possible? I've tried everything else, like Forms Authentication, but that didn't help.
I'm using ASP.NET and an HttpHandler as the page that returns the data.


Comments (2)

爱要勇敢去追 2024-11-10 19:18:12

What you can do is generate a key that is valid up to a set time using PHP like so:

$password = "some random string";
// key = hash(secret + issue time) + "|" + issue time
$key = md5($password . $_SERVER['REQUEST_TIME']) . "|" . $_SERVER['REQUEST_TIME'];

This way you know when the key was generated, and if it's been tampered with because:

function check($key) {
    global $password;                        // the same secret used to generate the key
    if (strpos($key, "|") === false) {
        throw new Exception("Naughty!");     // not in hash|timestamp form
    }
    list($hash, $timestamp) = explode("|", $key, 2);
    // recompute the hash over the timestamp (not over the whole key) and compare in constant time
    if (!hash_equals(md5($password . $timestamp), $hash)) {
        throw new Exception("Naughty!");
    }
    // reject keys issued more than one hour ago
    if ($_SERVER['REQUEST_TIME'] - (int)$timestamp > 60*60) {
        throw new Exception("too old");
    }
}

The downside is that for people who don't refresh the page very often (in my example, within 1 hour), their key will expire.

Another issue is that your 'attacker' could technically first scrape a page to get a new key and use that, and scrape again when it expires, and so on.

This solution works very well for protecting against hotlinking.

雪落纷纷 2024-11-10 19:18:12

This is how it's done in MVC. Unfortunately, it doesn't look like the same security goodness has made it to WebForms (at least as far as I can tell).
