Some problems to be aware of when deploying anti-CSRF tokens


There are many methods to prevent CSRF attacks, for example verification codes (captchas) or a random token. When the user submits a request, the server checks whether the token value is correct: if it is incorrect, the request is discarded; if it is correct, the request passes verification.

(Because some people like to split hairs, we are used to distinguishing CSRF from XSRF: the latter refers to the XSS case. In other words, preventing CSRF and preventing XSS are two separate sets of defenses that need to be treated separately.)

Because the protection principle against CSRF is to compare tokens, two tokens are needed for the comparison. One of them is delivered to the user in the returned page and is a required parameter when the user submits a request.

The other token is generally stored in the server-side session. Of course, this creates a session dependency, which makes it difficult to replicate sessions across different services in a RESTful architecture; another approach is to put the token in the cookie that holds the complete session.

All of that rambling only briefly describes the principle of the anti-CSRF token. In actual applications, this token is usually added to a form as a hidden field, or added to some links.
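The mechanism described above, as an added example in Python that is not code from the original article: a per-session random token, rendered into a form as a hidden field and compared in constant time on submit. The `session` dict stands in for server-side session storage and the field name `csrf_token` is assumed.

```python
import hmac
import html
import secrets

TOKEN_FIELD = "csrf_token"   # assumed form field name
SESSION_KEY = "csrf_token"   # assumed key in the server-side session


def issue_token(session: dict) -> str:
    """Return the session's anti-CSRF token, generating one on first use.

    The dict stands in for server-side session storage (an assumption of this
    example); the token is reused for the lifetime of the session.
    """
    token = session.get(SESSION_KEY)
    if token is None:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        session[SESSION_KEY] = token
    return token


def hidden_field(token: str) -> str:
    """Render the token as a hidden input; escaping keeps the markup well-formed."""
    value = html.escape(token, quote=True)
    return f'<input type="hidden" name="{TOKEN_FIELD}" value="{value}">'


def verify_submission(session: dict, form: dict) -> bool:
    """Compare the submitted token against the session copy.

    hmac.compare_digest runs in time independent of where the strings first
    differ, so an attacker cannot learn the token one character at a time.
    """
    expected = session.get(SESSION_KEY)
    submitted = form.get(TOKEN_FIELD)
    if not expected or not isinstance(submitted, str):
        return False
    return hmac.compare_digest(expected, submitted)


def demo() -> dict:
    """Walk through one session: issue, render, then check good and bad submits."""
    session = {}
    token = issue_token(session)
    page = f'<form method="post" action="/transfer">{hidden_field(token)}</form>'
    return {
        "same_token_reused": issue_token(session) == token,
        "hidden_field_in_page": hidden_field(token) in page,
        "legitimate": verify_submission(session, {TOKEN_FIELD: token}),
        "forged_missing": verify_submission(session, {}),
        "forged_wrong": verify_submission(session, {TOKEN_FIELD: secrets.token_urlsafe(32)}),
    }


if __name__ == "__main__":
    print(demo())
```

The submitted token is read only from the form body, never from the query string, which keeps the token out of URLs that a Referer header could carry elsewhere.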

Leaving the framework implementation aside, what this token fears most is leakage. The reason XSS defeats this scheme is that XSS can read the token.

Therefore, when deploying a CSRF token, you must add it to pages carefully, because the token may be leaked through other channels.


For example, one way to obtain the token is to use the Referer header to read the token value contained in the URL (assuming the token has been added to the URL).

A simple implementation is to insert an image into a page such as an in-site mail message:



In this way, the web logs of the web server at http://www.bkjia.com record the Referer of the image request; if that address happens to contain the token, the token is leaked.



So the correct method is: add the anti-CSRF token to forms and avoid adding it to links wherever possible, so that all important operations are completed through forms. Also, do not add the token to the URLs of pages that only display content.
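A check for exactly this rule, as an added example in Python that is not code from the original article: it parses a rendered page and reports token-like values found in `href`, `src` or `action` URLs (where they would travel in a Referer header), while recording the hidden form fields where the token belongs. The parameter names in `TOKEN_PARAM_NAMES` and the sample pages are assumptions constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Query-parameter / field names treated as anti-CSRF tokens (assumption:
# replace with the name your application actually uses).
TOKEN_PARAM_NAMES = {"csrf_token", "token", "_csrf"}


def tokens_in_query(url: str) -> dict:
    """Return {name: value} for token-like parameters in a URL's query string."""
    query = parse_qs(urlsplit(url).query)
    return {k: v[0] for k, v in query.items() if k in TOKEN_PARAM_NAMES and v}


class TokenPlacementAuditor(HTMLParser):
    """Record where token-like values appear in a rendered page."""

    def __init__(self):
        super().__init__()
        self.hidden_fields = []   # (form action, field name): the acceptable place
        self.leaky_urls = []      # (tag, url): URLs that would expose the token
        self._form_action = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form_action = a.get("action") or ""
        if (tag == "input" and (a.get("type") or "").lower() == "hidden"
                and a.get("name") in TOKEN_PARAM_NAMES):
            self.hidden_fields.append((self._form_action, a["name"]))
        # Any URL-bearing attribute carrying a token is a Referer leak waiting to happen.
        for url_attr in ("href", "src", "action"):
            url = a.get(url_attr)
            if url and tokens_in_query(url):
                self.leaky_urls.append((tag, url))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form_action = None


def audit_page(html_text: str) -> dict:
    """Audit one rendered page; an empty 'leaky_urls' list means the rule holds."""
    parser = TokenPlacementAuditor()
    parser.feed(html_text)
    parser.close()
    return {"hidden_fields": parser.hidden_fields, "leaky_urls": parser.leaky_urls}


# Constructed sample pages (not taken from any real application).
GOOD_PAGE = (
    '<form method="post" action="/transfer">'
    '<input type="hidden" name="csrf_token" value="abc123">'
    '<input type="submit" value="Send"></form>'
    '<a href="/profile">Profile</a>'
)
BAD_PAGE = (
    '<a href="/transfer?to=bob&csrf_token=abc123">Transfer</a>'
    '<img src="/img/logo.gif?csrf_token=abc123">'
)

if __name__ == "__main__":
    print("good:", audit_page(GOOD_PAGE))
    print("bad: ", audit_page(BAD_PAGE))
```

Running the auditor over templates or captured responses in a build step catches a token that has drifted into a link or image URL before it reaches production, which is the leak the image trick above depends on.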

Author: thorn
