
Problem description


If I want to protect my site and users from Cross Site Forgery (CSRF) attacks, I can generate a unique token $token = md5( time() * rand ); on every page that has a form. The token is submitted in a hidden input field echo '<input type="hidden" name="token" value="'.$token.'">'; and at the same time stored in a session variable $_SESSION['token'] = $token;.


On any submitted form I will check if($_POST['token'] == $_SESSION['token']) and proceed accordingly.


However, some users may multitask, which is something that I am actually doing right now, while I am posting this.


While composing my post I open different windows / tabs to possibly research information or look at some other questions on Stack Overflow. Stack Overflow lets me submit the form with no problems.


But if I were to do that on my site - meaning browse other pages while still composing a post/form - my $token would be regenerated each time I pull up a different page from my website, making the hidden input token on the form I am working on and eventually want to submit incorrect, because it won't match the $_SESSION['token'] variable anymore, which has been regenerated when I visited a different page...

Any good ideas on how to prevent this problem, or is there a better solution to stop CSRF?


I want to allow my users to multitask AND want to be protected against CSRF...

Recommended answer


I've had the same problem with what you state because of a single CSRF token: it gets replaced unless they submit the latest page, but if you use an array w/session it should solve your problem(s). Also you might want to include a captcha, I'd recommend Google's Recaptcha.

session_start();

function createToken(){
    #unpredictable token from the CSPRNG (random_bytes, PHP 7+);
    #the original sha1(uniqid(mt_rand(), true)) is guessable and not suitable for a security token
    $token = bin2hex(random_bytes(32));
    $_SESSION['Tokens']['Token'][] = $token;
    $_SESSION['Tokens']['Time'][] = time() + (10 * 60); #10 min limit
    #you can omit/change this if you want to not limit or extend time limit
    return $token;
}

function checkToken($token){
    clearTokens();
    if(!is_string($token) || !isset($_SESSION['Tokens']['Token'])){
        return false; #no tokens issued in this session yet
    }
    foreach($_SESSION['Tokens']['Token'] as $key => $value){
        if(hash_equals($value, $token)){ #constant-time comparison
            #consume the token so the same form cannot be re-posted
            unset($_SESSION['Tokens']['Token'][$key], $_SESSION['Tokens']['Time'][$key]);
            return true;
        }
    }
    return false;
}

function clearTokens(){
    if(!isset($_SESSION['Tokens']['Time'])){
        return; #nothing to expire
    }
    foreach($_SESSION['Tokens']['Time'] as $key => $value){
        if($value <= time()){ #expired
            unset($_SESSION['Tokens']['Token'][$key], $_SESSION['Tokens']['Time'][$key]);
            #remove last parameter if you aren't using token time limit
        }
    }
}

Your HTML:

<input type="hidden" name="token" value="<?php echo htmlspecialchars(createToken()); ?>">

PHP token checker

if(isset($_POST['token']) && checkToken($_POST['token'])){
    #valid token
}else{
    #create error message saying that they tried to repost data or session token expired
}
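The same idea carried a step further, as an added example written for this page (it is not the answer's own code): tokens are kept in the session keyed by their value with an expiry timestamp, each token is single-use, the number of outstanding tokens per session is capped so a user with many tabs cannot grow the session without bound, and the comparison uses hash_equals. The function names, the 10-minute lifetime and the cap of 20 are this example's own assumptions; it needs PHP 7.1 or later and expects session_start() to have run (the CLI demo at the bottom stands in a plain array for the session).

```php
<?php
// Added example, not the answer's code: per-form CSRF tokens for users who
// keep several tabs open. Assumes PHP >= 7.1 (random_bytes, hash_equals,
// return types) and that session_start() has been called by the caller.

const TOKEN_TTL  = 10 * 60;  // seconds a token stays valid (assumed value)
const MAX_TOKENS = 20;       // outstanding tokens kept per session (assumed value)

// Drop every token whose expiry time has passed.
function csrfPurge(): void
{
    $now = time();
    foreach ($_SESSION['csrf'] ?? [] as $token => $expires) {
        if ($expires <= $now) {
            unset($_SESSION['csrf'][$token]);
        }
    }
}

// Issue a fresh token for one form. Earlier tokens stay valid, so a form in
// another tab is not invalidated when a new page is opened.
function csrfIssueToken(): string
{
    if (!isset($_SESSION['csrf']) || !is_array($_SESSION['csrf'])) {
        $_SESSION['csrf'] = [];
    }
    csrfPurge();
    // Cap the store: evict the oldest entries first (array order is issue order).
    while (count($_SESSION['csrf']) >= MAX_TOKENS) {
        reset($_SESSION['csrf']);
        unset($_SESSION['csrf'][key($_SESSION['csrf'])]);
    }
    // 32 bytes from the CSPRNG, hex-encoded: 64 characters, not guessable.
    $token = bin2hex(random_bytes(32));
    $_SESSION['csrf'][$token] = time() + TOKEN_TTL;
    return $token;
}

// Validate a submitted token. A match removes it (single use), so the same
// form cannot be re-posted with a captured value.
function csrfConsumeToken($submitted): bool
{
    if (!is_string($submitted) || empty($_SESSION['csrf'])) {
        return false;
    }
    csrfPurge();
    foreach ($_SESSION['csrf'] as $token => $expires) {
        // hash_equals compares in constant time; known value first, user value second.
        if (hash_equals((string) $token, $submitted)) {
            unset($_SESSION['csrf'][$token]);
            return true;
        }
    }
    return false;
}

// Render the hidden field. Note the echo/return: the token must actually be
// written into the value attribute, and it is escaped for the HTML context.
function csrfHiddenField(): string
{
    return '<input type="hidden" name="token" value="'
        . htmlspecialchars(csrfIssueToken(), ENT_QUOTES, 'UTF-8') . '">';
}

// Stand-alone demo (CLI only): simulate two open tabs with a plain array
// standing in for the PHP session.
if (PHP_SAPI === 'cli') {
    $_SESSION = [];
    $tab1 = csrfIssueToken();
    $tab2 = csrfIssueToken();           // issuing for tab 2 leaves tab 1's token valid
    var_dump(csrfConsumeToken($tab1));  // first submission of tab 1
    var_dump(csrfConsumeToken($tab1));  // re-post of the same token is rejected
    var_dump(csrfConsumeToken($tab2));  // tab 2 still submits fine
    var_dump(csrfConsumeToken('not-a-token'));
    echo csrfHiddenField(), PHP_EOL;
}
```

On a form page call csrfHiddenField() inside the form markup and csrfConsumeToken($_POST['token'] ?? null) in the handler; a false result means the token expired, was already used, or never belonged to this session, which is the same error case the answer's checker reports.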


09-24 16:48