更正 HTML 状态代码以防止未经授权的访问和禁止的访问。 (使用阿贾克斯)

发布于 11-27 17:14 字数 2560 浏览 4 评论 0原文

我的PHP+JS+Ajax应用程序要求用户登录,然后将登录数据保存到$_SESSION。

用户分为三种类型:用户、主持人、管理员。每个人都比以前拥有更多的权利。

所有查询均针对 ajax_req.php 进行,

因为我想保证 ajax_req.php 的安全,所以我检查 $_SESSION 数据以确定用户是否已登录以及他/她属于哪个组。

其代码如下:

if(isset($_SESSION['logged'])) {
    if(isset($_SESSION['group_id'])) {
        $group_id=(int)$_SESSION['group_id'];

        if($group_id==ADMIN_GROUP) {
            $login_success=1;
        } else if ($group_id==MODERATOR_GROUP) {
            $login_success=1;
        } else if ($group_id==USER_GROUP) {
            $login_success=1;
        } else {
            $login_success=-1;
        }
    } else {
        $login_success=-1;
    }
} 

if($login_success<1) {
    header('HTTP/1.1 401 Unauthorized');
    $ret = array('status' => 'FALSE', 'txt' => 'Unauthorized access. Please check if You are still logged in.' );
    print json_encode($ret); 
    exit();
}

第一个问题:我这样做对吗?

第二个问题

我想保护我的应用程序不发出针对管理员的命令。

接下来,我有以下功能:

function assert_right($group_id, $needed) {
    if($group_id==ADMIN_GROUP) {
        return true; 
    } else if ($group_id==MODERATOR_GROUP) {
        if($needed==USER_GROUP || $needed==MODERATOR_GROUP) {
            return true; 
        }
    } else if ($group_id==USER_GROUP) {
        if($needed==USER_GROUP) {
            return true; 
        }
    } 

    header('HTTP/1.1 403 Forbidden');
    $ret = array('status' => 'FALSE', 'txt' => 'Unauthorized access. You do not have sufficient rights to do this action.' );
    print json_encode($ret); 
    exit();
}

在敏感操作之前,我调用

assert_right($_SESSION['group_id'], ADMIN_GROUP);

第二个问题: 在第一种情况下返回 401,在第二种情况下返回 403 是否正确?基本上,403 意味着“禁止”,根据 http://en.wikipedia.org/wiki/List_of_HTTP_status_codes 表示“该请求是合法请求,但服务器拒绝响应它。与 401 Unauthorized 响应不同,身份验证将没有什么区别。”我还检查了 https://dev.twitter.com/docs/error-codes-responses ,其给出为 answer到另一个问题。

对我来说,403 似乎是正确的,因为如果用户已经登录,那么他/她可能没有管理员帐户。更重要的是,用户永远不应该看到这个,除非我犯了编程错误或者用户破解了通过 Ajax 发送的数据。

还有一件事需要注意:用户不会看到 401 或 403 状态代码:Ajax 和 JavaScript 使用它们来显示适当的错误消息。如果收到 401,JavaScript 将显示文本:“您似乎尚未登录到服务器。请打开新窗口并登录以继续。登录后,请单击此处检查连接。”。如果收到 403,则显示文本:“看来您没有足够的权限来完成此操作。”。

我是否正确使用了这些错误代码?

My PHP+JS+Ajax application requires users to log in, then saves login data to $_SESSION.

There are three types of users: User, Moderator, Admin. Each has more rights than previous.

All queries are made to ajax_req.php

Because I want to keep the ajax_req.php secure, I check the $_SESSION data to determine if the user is logged in and in what group He/She belongs.

The code for this is following:

if(isset($_SESSION['logged'])) {
    if(isset($_SESSION['group_id'])) {
        $group_id=(int)$_SESSION['group_id'];

        if($group_id==ADMIN_GROUP) {
            $login_success=1;
        } else if ($group_id==MODERATOR_GROUP) {
            $login_success=1;
        } else if ($group_id==USER_GROUP) {
            $login_success=1;
        } else {
            $login_success=-1;
        }
    } else {
        $login_success=-1;
    }
} 

if($login_success<1) {
    header('HTTP/1.1 401 Unauthorized');
    $ret = array('status' => 'FALSE', 'txt' => 'Unauthorized access. Please check if You are still logged in.' );
    print json_encode($ret); 
    exit();
}

First question: Am I doing this right?

Second question

I want to protect my application from issuing commands meant for admins.

Next, I have following function:

function assert_right($group_id, $needed) {
    if($group_id==ADMIN_GROUP) {
        return true; 
    } else if ($group_id==MODERATOR_GROUP) {
        if($needed==USER_GROUP || $needed==MODERATOR_GROUP) {
            return true; 
        }
    } else if ($group_id==USER_GROUP) {
        if($needed==USER_GROUP) {
            return true; 
        }
    } 

    header('HTTP/1.1 403 Forbidden');
    $ret = array('status' => 'FALSE', 'txt' => 'Unauthorized access. You do not have sufficient rights to do this action.' );
    print json_encode($ret); 
    exit();
}

And before sensitive action I call

assert_right($_SESSION['group_id'], ADMIN_GROUP);

Second question: Is it correct to return 401 in the first case and 403 on the second? Basically, 403 means "Forbidden", which according to http://en.wikipedia.org/wiki/List_of_HTTP_status_codes means "The request was a legal request, but the server is refusing to respond to it. Unlike a 401 Unauthorized response, authenticating will make no difference.". I also checked https://dev.twitter.com/docs/error-codes-responses, which was given as answer to another question.

For me, 403 seems correct, because if user is already logged in, then He/She probably does not have admin account. What's more, user should never see this unless I have made programming error or user hacks data sent through Ajax.

One more thing to notice: user is not shown the 401 or 403 status codes: they are used by Ajax and JavaScript to show appropriate error messages. If 401 is received, JavaScript shows text: "It seems that You are not logged in to server. Please open up new window and log in to continue. After You have logged in, click here to check connection.". If 403 is received, text is shown: "It seems that You do not have sufficient rights to complete this operation.".

Am I using those error codes correctly?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(1

厌味2024-12-04 17:14:51

您的返回代码根本不重要,因为它是 AJAX 请求,因此您可以返回任何您想要的内容。返回错误代码,然后使用 JS 处理它,然后将消息返回给用户。示例用户点击删除按钮,他/她可能没有执行此操作的权限,因此您返回 json: status: error, type:permission。然后向用户显示属于该错误类型的消息。

您应该将 1 和 2 结合在一起。编写一个函数或类来检查它们的命令。示例:

$check = $session_check(USER_COMMAND);
if ($check) //has right
else //no right.

function session_check($command){
     $userCmdList = array(COMMAND_1,2,3,4);
     $modCmdList = array(COMMAND_2,3,4,5,6,7);
     switch ($_SESSION['group_id']){
          case "admin":
               return true;
               break;
          case "mod":
               if !in_array($command,$modCmdList) return false;
               else return true;
               break;
          case "user":
               if !in_array($command,$userCmdList) return false;
               else return true;
               break;
          default:
               break;
    }
}

还记得为每个会话使用唯一的哈希值,以防止会话 hjhack

P/S:这是遵循您当前工作流程的简单答案。其他改进的方法始终可用。

Your return code is not important at all, because it's AJAX request so you are able to return anything you want. You return error code then process it using JS then return message to user. Example user click on button delete, he/she may do not have permission to do this, so you return json: status: error, type: permission. Then display to user the message belong to this error type.

You should combine 1 and 2 together. Write a function or class to check their command. Example:

$check = $session_check(USER_COMMAND);
if ($check) //has right
else //no right.

function session_check($command){
     $userCmdList = array(COMMAND_1,2,3,4);
     $modCmdList = array(COMMAND_2,3,4,5,6,7);
     switch ($_SESSION['group_id']){
          case "admin":
               return true;
               break;
          case "mod":
               if !in_array($command,$modCmdList) return false;
               else return true;
               break;
          case "user":
               if !in_array($command,$userCmdList) return false;
               else return true;
               break;
          default:
               break;
    }
}

Also remember to use a unique hash for each session to prevent session hjhack

P/S: This is simple answer that follow your current work process. Other improved methods are always available.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文