<span id="Label3"></p><p><p>Reference: http://blog.csdn.net/sum_rain/article/details/37085771</p></p><p><p></p></p><p><p>token, The most important feature of tokens, is randomness, unpredictable. General hackers or software can not guess Out.</p></p><p><p>so, What does token do? What is the principle of it?</p></p><p><p>Tokens are generally used in two places:</p></p> <ul> <ul> <li>1) prevent duplicate submissions of forms,</li> <li>2) anti CSRF attack (cross-site request forgery).</li> </ul> </ul><p><p>Both are based on the principle of the session token to Achieve. When the client requests the page, the server generates a random number token, puts the token into the session, and then sends the token to the client (typically by constructing the hidden form). The next time the client submits the request, token is submitted to the server side as a single table.<br>then, if applied to the "anti csrf attack", the server side validates the token value and determines if it is equal to the token value in the session, and if it is equal, it can prove that the request is valid, not Forged.<br>however, If you apply the "prevent form repeat commit", after the server side first authentication is the same, the token value in session will be updated, if the user repeats the submission, the second validation judgment will fail because the token in the user submitted form has not changed, But token has changed in the Server-side Session.</p></p><p><p>The above session application is relatively safe, but also called cumbersome, and when multi-page multi-request, must use Multi-token simultaneous generation method, so that the use of more resources, execution efficiency will be reduced. therefore, cookies can also be used to store authentication information in place of Session Tokens. For example, when a "duplicate commit" is submitted, the information that has been submitted is written to the cookie after the first commit, and when the second commit, the second commit fails because the cookie already has a record of its submission.<br>however, Cookie Storage has a fatal weakness, and if a cookie is hijacked (an XSS attack can easily get a user cookie), then again gameover. Hackers will directly implement CSRF Attacks.</p></p><p><p>so, Safe and efficient Relative. Specific questions to deal with it.</p></p><p><p></p></p><p><p>In addition, in order to avoid "token but do not check" situation, added token in the session, but the service side did not verify token, there is no preventive role.</p></p><p><p>Also note that the database has changed the addition and deletion of the operation, need to add token verification, for the query operation, must not add token, to prevent the attacker through the query operation to obtain tokens for CSRF Attack. however, It is not possible for an attacker to gain token, only to increase the cost of the ATTACK.</p></p><p><p>Token authentication for Web security</p></p></span>
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.
