当前位置: 文江博客话题详情

Codeigniter AJAX CSRF 保护

发布于 2024-12-24 20:44:29 字数 711 浏览 0 评论 0原文

我在后端使用 codeigniter 。

最近我听说了“CSRF”一词,并决定保护请求。

我网站上的几乎所有操作都是通过 Ajax 和 Ajax 进行的。有时我使用 DOM 操作创建/附加页面内容 [这里有疑问,我如何将 CSRF 令牌注入到视图文件中?]

好的,之后我如何验证它?

假设我将这些值添加为令牌并传递给服务器,那么我可以使用构造函数来检查&验证这一点?

例如:

Class Cl_Controller extends Ci_controller
{
  function __construct()
 {
    //loading libraries,models,helpers etc...

    if (isset($this->input->get_post("CSRF_TOKEN")) || _another_condition_)
    {
        // The CSRF TOKEN is invalid or null ,the action cannot be done...
    }
 }
 function register()
 {
  //some codes...
 } 
 function delete_user()
 {
   //some codes
 }
}

是否可以做一些链接此的事情?

请给我一些好的想法和建议通常的做法。

谢谢。

原文

I am using codeigniter on the backend .

Recently i heard about the term "CSRF" and decided to protect the requests.

Almost all actions on my site is through Ajax & some times i am creating/appending page content using DOM manipulation [here the doubt, how can i inject the CSRF token to the view files ?]

Okkey ,after that how can i validate that ?

Assume that i added these values as token and passed to server ,then can i use constructors to check & validate this ?

Ex :

Class Cl_Controller extends Ci_controller
{
  function __construct()
 {
    //loading libraries,models,helpers etc...

    if (isset($this->input->get_post("CSRF_TOKEN")) || _another_condition_)
    {
        // The CSRF TOKEN is invalid or null ,the action cannot be done...
    }
 }
 function register()
 {
  //some codes...
 } 
 function delete_user()
 {
   //some codes
 }
}

Is it possible to do some thing link this ?

Please suggest me some good ideas & usual practices.

Thank you.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(1

如何视而不见 2024-12-31 20:44:40

对于我的 ajax 调用,我通常执行两项检查;

使用一个小的帮助文件确保它是一个 ajax 请求。

<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');

if ( ! function_exists('ajax_check')) {
    /**
     * Check AJAX
     * 
     * Checks to see if you (or the royal I) are dealing with an AJAX call.
     * 
     * @return boolean
     */
    function ajax_check() {
        if(!empty($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest') {
            return TRUE;
        } else {
            show_404();
            return FALSE;
        }
    }
}

if ( ! function_exists('ajax_response')) {
    /**
     * JSON Response Wrapper
     * 
     * Wraps up any data nicely for sending back to an ajax call
     *
     * @return  string
     */
    function ajax_response($status, $data) {
        if (!is_array($data)) {
            $data = array();
        }
        // Set the JSON header appropriately
        header('Content-Type: application/json');
        // Echo out the array into json
        echo json_encode(array_merge(array('status' => $status), $data));
        exit;
    }
}

if ( ! function_exists('ajax_force_fail')) {
    /**
     * Force AJAX Failure
     * 
     * If you ever need to, force an AJAX to fail
     */
    function ajax_force_fail() {
        $_ci =& get_instance();
        $_ci->output->set_status_header(500);
    }
}

用法如下;

public function some_function() {
    $this->load->helper('ajax');
    ajax_check();

    try {
        // do something
        ajax_response('success', array('data' => $some_var));
    } catch (Exception $e) {
        ajax_response('failure', array('data' => $e->getMessage()));
    }
}

和 xsrf 类似的方法。
文件:

<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');

if ( ! function_exists('xsrf_get_token')) {
    /**
     * Get XSRF Token
     * 
     * Returns a token that exists for one request that verifies that
     * the action was executed by the person that requested it
     *
     * @return  string
     */
    function xsrf_get_token() {
        $ci =& get_instance();
        if ($ci->session->userdata('xsrf_hash')) {
            $token = $ci->session->userdata('xsrf_hash');
        } else {
            // Generate the token
            $token = sha1(microtime().$ci->uri->uri_string());
            // Set it in the session
            $ci->session->set_userdata('xsrf_hash', $token);
        }

        //Return it
        return $token;
    }
}

if ( ! function_exists('xsrf_get_token_field')) {
    /**
     * Get XSRF Token Field
     * 
     * Returns an xhtml form element to include xsrf token.
     * You can specify the id/name attribute of the input.
     * Has a dependancy to get_xsrf_token().
     *
     * @param   string  The id/name to be used
     * @return  string
     */
    function xsrf_get_token_field($name='auth_token') {
        return '<input type="hidden" id="'.$name.'" name="'.$name.'" value="' .xsrf_get_token(). '" />';
    }
}

if ( ! function_exists('xsrf_delete_token')) {
    /**
     * Delete XSRF Token
     * 
     * Deletes the xsrf token
     *
     * @return  boolean
     */
    function xsrf_delete_token() {
        $ci =& get_instance();
        if ($ci->session->userdata('xsrf_hash')) {
            $ci->session->unset_userdata('xsrf_hash');
            return TRUE;
        } else {
            return FALSE;
        }
    }
}

if ( ! function_exists('xsrf_check_token')) {
    /**
     * Get XSRF Token Field
     * 
     * Checks that the token is still valid, returns true if so. 
     * Deletes old token after valid or fail.
     * Has a dependacy to xsrf_delete_token()
     *
     * @param   string  The challenge token
     * @return  boolean
     */
    function xsrf_check_token($challenge_token) {
        // CI
        $ci =& get_instance();
        // Get the stored token
        $token = $ci->session->userdata('xsrf_hash');
        // Delete the old token
        xsrf_delete_token();
        // Returns if the token is the right token
        return ($token == $challenge_token);
    }
}

用法(控制器);

public function some_other_function() {
    $this->form_validation->set_rules('username', 'Username', 'required|callback_check_token');
    if($this->form_validation->run() == TRUE ) {
        // do something
    } else {
        // something else
    }
}

// callback function
public function check_token($val) {
    if (xsrf_check_token($val) == TRUE) {
        return TRUE;
    } else {
        $this->form_validation->set_message('check_token', 'Oops');
        return FALSE;
    }
}

在视野中;

<form action="" method="post">
    <?php echo xsrf_get_token_field(); ?>
    ...
</form>

For my ajax calls I usually perform two checks;

Make sure it is an ajax request, using a small helper file.

<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');

if ( ! function_exists('ajax_check')) {
    /**
     * Check AJAX
     * 
     * Checks to see if you (or the royal I) are dealing with an AJAX call.
     * 
     * @return boolean
     */
    function ajax_check() {
        if(!empty($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest') {
            return TRUE;
        } else {
            show_404();
            return FALSE;
        }
    }
}

if ( ! function_exists('ajax_response')) {
    /**
     * JSON Response Wrapper
     * 
     * Wraps up any data nicely for sending back to an ajax call
     *
     * @return  string
     */
    function ajax_response($status, $data) {
        if (!is_array($data)) {
            $data = array();
        }
        // Set the JSON header appropriately
        header('Content-Type: application/json');
        // Echo out the array into json
        echo json_encode(array_merge(array('status' => $status), $data));
        exit;
    }
}

if ( ! function_exists('ajax_force_fail')) {
    /**
     * Force AJAX Failure
     * 
     * If you ever need to, force an AJAX to fail
     */
    function ajax_force_fail() {
        $_ci =& get_instance();
        $_ci->output->set_status_header(500);
    }
}

Usage like;

public function some_function() {
    $this->load->helper('ajax');
    ajax_check();

    try {
        // do something
        ajax_response('success', array('data' => $some_var));
    } catch (Exception $e) {
        ajax_response('failure', array('data' => $e->getMessage()));
    }
}

And a similar approach to xsrf.
File:

<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');

if ( ! function_exists('xsrf_get_token')) {
    /**
     * Get XSRF Token
     * 
     * Returns a token that exists for one request that verifies that
     * the action was executed by the person that requested it
     *
     * @return  string
     */
    function xsrf_get_token() {
        $ci =& get_instance();
        if ($ci->session->userdata('xsrf_hash')) {
            $token = $ci->session->userdata('xsrf_hash');
        } else {
            // Generate the token
            $token = sha1(microtime().$ci->uri->uri_string());
            // Set it in the session
            $ci->session->set_userdata('xsrf_hash', $token);
        }

        //Return it
        return $token;
    }
}

if ( ! function_exists('xsrf_get_token_field')) {
    /**
     * Get XSRF Token Field
     * 
     * Returns an xhtml form element to include xsrf token.
     * You can specify the id/name attribute of the input.
     * Has a dependancy to get_xsrf_token().
     *
     * @param   string  The id/name to be used
     * @return  string
     */
    function xsrf_get_token_field($name='auth_token') {
        return '<input type="hidden" id="'.$name.'" name="'.$name.'" value="' .xsrf_get_token(). '" />';
    }
}

if ( ! function_exists('xsrf_delete_token')) {
    /**
     * Delete XSRF Token
     * 
     * Deletes the xsrf token
     *
     * @return  boolean
     */
    function xsrf_delete_token() {
        $ci =& get_instance();
        if ($ci->session->userdata('xsrf_hash')) {
            $ci->session->unset_userdata('xsrf_hash');
            return TRUE;
        } else {
            return FALSE;
        }
    }
}

if ( ! function_exists('xsrf_check_token')) {
    /**
     * Get XSRF Token Field
     * 
     * Checks that the token is still valid, returns true if so. 
     * Deletes old token after valid or fail.
     * Has a dependacy to xsrf_delete_token()
     *
     * @param   string  The challenge token
     * @return  boolean
     */
    function xsrf_check_token($challenge_token) {
        // CI
        $ci =& get_instance();
        // Get the stored token
        $token = $ci->session->userdata('xsrf_hash');
        // Delete the old token
        xsrf_delete_token();
        // Returns if the token is the right token
        return ($token == $challenge_token);
    }
}

Usage (controller);

public function some_other_function() {
    $this->form_validation->set_rules('username', 'Username', 'required|callback_check_token');
    if($this->form_validation->run() == TRUE ) {
        // do something
    } else {
        // something else
    }
}

// callback function
public function check_token($val) {
    if (xsrf_check_token($val) == TRUE) {
        return TRUE;
    } else {
        $this->form_validation->set_message('check_token', 'Oops');
        return FALSE;
    }
}

In view;

<form action="" method="post">
    <?php echo xsrf_get_token_field(); ?>
    ...
</form>
回复 原文
~没有更多了~

关于作者

我不在是我

暂无简介

文章
评论
26 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

卷耳

文章 0 评论 0

佚名

文章 0 评论 0

℉服软

文章 0 评论 0

qq_2gSKZM

文章 0 评论 0

凉宸

文章 0 评论 0

gyhjy

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文