Facebook Auth and the CSRF mechanism

Posted 2024-12-10 15:58:04


I am currently building a website using Facebook authentication. I am running locally and keep getting CSRF errors. I am trying to understand their CSRF protection mechanism:

 <?php
 session_start(); // the session must be started before $_SESSION is read or written
 $app_id = 'YOUR_APP_ID';                  // placeholder: the app's Facebook client_id
 $my_url = 'http://localhost/callback.php'; // placeholder: the registered redirect_uri

 $code = $_REQUEST["code"];

 $_SESSION['state']= $_REQUEST['state'];//GETS SITE WORKING BUT UNSAFE!!!///

 if(empty($code)) {
   $_SESSION['state'] = md5(uniqid(rand(), TRUE)); //CSRF protection

   $dialog_url = "http://www.facebook.com/dialog/oauth?client_id="
     . $app_id . "&redirect_uri=" . urlencode($my_url) . "&state="
     . $_SESSION['state'];

   echo("<script> top.location.href='" . $dialog_url . "'</script>");
 }

 if($_REQUEST['state'] == $_SESSION['state']) {
   // state matched: the code that exchanges $code for an access token goes here
 }

What happens is that it seems my $_REQUEST['state'] is set but my $_SESSION['state'] is not. Hence to get it working I have the line which sets both equal. My $code variable never seems to be empty, hence a new $_SESSION['state'] variable is never set.

Firstly what is the role of $_REQUEST['code'] and where does this/is this variable come from/set?

Any ideas how to fix this with my unsafe line of code?

P.S. I know I should use the FB SDK, but I am learning web design/security so this is a good exercise to learn how it works!!

Many Thanks Sam


To anybody who is interested, I have worked out how it works, but still haven't fixed my problem... Anyway:

The CSRF protection system works by saving a state 'ID' on the server side in $_SESSION['state']; the same ID is also saved inside $_REQUEST['state'], so on the client side. This therefore means that if a CSRF attack occurs, the state value of the CSRF attack (client side) won't match that of $_SESSION['state'], hence the code does not proceed and the attack is prevented.

Please correct me if I am wrong!


空心↖ 2024-12-17 15:58:04


Your description is essentially correct: the state value that is in the URL when redirected back to your site ($_REQUEST['state']) should match the state value that was assigned when first redirecting to Facebook (stored in $_SESSION['state']). If they do not match, some "manipulation" has occurred and you should not proceed.

But you also said that $_SESSION['state'] was not being set because $code is never empty. If that is the case, then how is the redirect to Facebook ever occurring?

It seems more likely that session values are not being retained in general. Is this the only place in your site that you use sessions?

Note that you don't have to use a session if that is problematic. If you have a database set up, you can use that just as easily. Or you can avoid local storage completely, as long as you conceive a way to be reasonably sure that the state value you receive was actually created by your code as part of the intended sequence. For example, you might set the state value to the current timestamp concatenated with an md5 of the timestamp plus a secret string. When the state value comes back, first check the timestamp portion to ensure it was created within the last minute or two, and then check the md5 to make sure it wasn't created by someone else. That way you have a simple token that can't be guessed in advance and can't be re-used, the two basic requirements for CSRF prevention.
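As a worked version of the stateless token the answer sketches (added here, not code from the answer or the questioner), this PHP mints a `timestamp.mac` state value for the redirect and checks both its age and its integrity on the callback. It swaps the answer's plain md5(timestamp . secret) for an HMAC-SHA256 and uses hash_equals() for the comparison; STATE_SECRET and STATE_MAX_AGE are assumed names.

```php
<?php
// Added example: stateless OAuth "state" token = timestamp . '.' . HMAC(timestamp, secret).
// STATE_SECRET is an assumed constant; in a real site load it from configuration.
const STATE_SECRET  = 'replace-with-a-long-random-secret';
const STATE_MAX_AGE = 120; // seconds: the answer's "last minute or two"

// Mint the value to put in the &state= parameter of the Facebook dialog URL.
function make_state(int $now, string $secret = STATE_SECRET): string {
    $ts  = (string) $now;
    $mac = hash_hmac('sha256', $ts, $secret); // keyed hash instead of md5(ts . secret)
    return $ts . '.' . $mac;
}

// On the callback: true only if the token was minted with our secret and is still fresh.
function verify_state(string $state, int $now, string $secret = STATE_SECRET,
                      int $maxAge = STATE_MAX_AGE): bool {
    $parts = explode('.', $state, 2);
    if (count($parts) !== 2 || !preg_match('/^\d{1,12}$/', $parts[0])) {
        return false;                          // malformed token
    }
    [$ts, $mac] = $parts;
    $age = $now - (int) $ts;
    if ($age < 0 || $age > $maxAge) {
        return false;                          // stale, or timestamp from the future
    }
    $expected = hash_hmac('sha256', $ts, $secret);
    return hash_equals($expected, $mac);       // constant-time comparison
}

// Stand-alone demonstration of the mint/verify round trip.
if (PHP_SAPI === 'cli') {
    $state = make_state(time());
    var_dump(verify_state($state, time()));          // bool(true)
    var_dump(verify_state($state, time() + 600));    // bool(false): expired
    var_dump(verify_state($state . 'x', time()));    // bool(false): tampered MAC
    var_dump(verify_state('garbage', time()));       // bool(false): malformed
}
```

Within the freshness window a captured token would still validate, so if strict single use matters, record the timestamps you have already accepted and reject repeats.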
