使用验证码提交跨（子）域 ajax 表单

发布于 2024-11-03 19:20:46 字数 1136 浏览 0 评论 0原文

我遇到了以下问题。前端网站 (www.domain.com) 用于填写属于后端 (backend.domain.com) 的表单。此表单受验证码保护，验证码的参考值保存在用户会话中（以 PHP 形式）。

提交应该是基于Ajax的，这会带来一些跨域的问题。因此，我在 www.domain.com 上编写了一个 PHP 代理。该代理请求后端的形式。当用户提交表单时，会向代理发出 Ajax 请求，代理会向后端发送验证请求并返回结果。

所有这些都工作得很好，除了在用户会话中保存引用的验证码之外。由于前端网站将表单提交给后端，因此后端将为前端使用会话。

解决这个问题的最佳方法是什么？我想出了两种方法。第一种是将验证码的引用包含在表单中（散列），这样就不需要会话。另一种方法是使用 iframe 直接从后端包含表单。第二种方法可能会很好用，但感觉真的很难看。对于这样的情况你有什么建议？

更新：描述情况的序列图：

Client                  www.domain.com   backend.domain.com
  |                            |                   |
  |-------visit site---------->|                   |
  |                            |-----get form----->|
  |                            |<----return form---|
  |<------return form----------|                   |
  |                            |                   |
  |-------submit form--------->|                   |
  |                            |-----submit form-->|
  |                            |<----send reply----|
  |<------captcha failed-------|                   |
  v                            v                   v

原文

I'm running into the following problem. A frontend website (www.domain.com) is used to fill in a form that belongs to the backend (backend.domain.com). This form is protected with a captcha, and the reference value for the captcha is saved in the user session (in PHP).

The submission should be Ajax based, which gives some problems with the cross domains. Therefore a wrote a little PHP proxy on www.domain.com. This proxy requests the form of the backend. When the user submits the form, an Ajax request is made to the proxy and the proxy sends a validation request to the backend and returns the result.

All of this works quite well, except for the captcha that saves the references in the user session. Since the frontend website submits the form to the backend, the backend will use a session for the frontend.

What would be the best way to fix this? I've came up with 2 methods. The first would be to include the reference of the captcha in the form (hashed), so that no sessions are needed. The other way would be to include the form directly from the backend, using an iframe. This second method will probably work fine, but it feels really ugly. What would you suggest for a situation like this?

Update: a sequence diagram describing the situation:

Client                  www.domain.com   backend.domain.com
  |                            |                   |
  |-------visit site---------->|                   |
  |                            |-----get form----->|
  |                            |<----return form---|
  |<------return form----------|                   |
  |                            |                   |
  |-------submit form--------->|                   |
  |                            |-----submit form-->|
  |                            |<----send reply----|
  |<------captcha failed-------|                   |
  v                            v                   v

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

旧梦荧光笔 2024-11-10 19:20:46

感觉像是 cookie（或会话编号）问题。为会话设置的 cookie 对 www 站点有效，但对后端站点无效。但是由于所有的通信都通过您的前端进行，您是否可以不使用前端站点来进行授权？

Client                  www.domain.com   backend.domain.com
  |                            |                   |
  |-------visit site---------->|                   |
  |                            |--get login form-->|
  |                            |<----return form---|
  |                            |set cookie         |
  |<-return login form+cookie--|                   |
  |                            |                   |
  |----submit login form------>|                   |
  |                            |-----submit form-->|
  |                            |                   |check cookie
  |                            |<----send reply----|
  |<------captcha failed-------|                   |
  v                            v                   v

www 站点必须设置 cookie，因为它正在与客户端通信，但后端会检查它 - 由于 cookie 是为不同的域设置的，后端无法访问它。解决方案：www应该读取cookie并将cookie数据转发给后端处理。

It feels like a cookie (or session number) problem. The cookie set for the session is valid for the www site, but not for the backend site. But since all of the communication goes via your front-end, could you not use the front-end site to do the authorisation?

Client                  www.domain.com   backend.domain.com
  |                            |                   |
  |-------visit site---------->|                   |
  |                            |--get login form-->|
  |                            |<----return form---|
  |                            |set cookie         |
  |<-return login form+cookie--|                   |
  |                            |                   |
  |----submit login form------>|                   |
  |                            |-----submit form-->|
  |                            |                   |check cookie
  |                            |<----send reply----|
  |<------captcha failed-------|                   |
  v                            v                   v

The www site must be setting the cookie since it's communicating with the client, but the backend checks it - as the cookie is set for a different domain, backend can't access it. Solution: www should read the cookie and forward the cookie data to backend for processing.

回复收藏 0 原文

~没有更多了~