开发者

Preventing forge HttpRequests

开发者 https://www.devze.com 2023-03-01 15:33 出处:网络
I\'ve been searching throughout the day to find a way to figure this out, but without sucess and I thought that maybe someone here could help ?

I've been searching throughout the day to find a way to figure this out, but without sucess and I thought that maybe someone here could help ? I am trying to use a secrete password in my .Js file but I can't write it directly in the file because every开发者_C百科one could see it when accessing the source code. e.g I need to send this password using ajax to another page to make sure that the HttpRequest is from my website not from another forge httprequest .

Is that possible because I've tried everything else like Authentication Forms but that didn't help.

I'm using asp.net and HttpHandler as the page that returns data .


What you can do is generate a key that is valid up to a set time using PHP like so:

$password = "some random string";
$key = md5($password . $_SERVER['REQUEST_TIME']) . "|" . $_SERVER['REQUEST_TIME'];

This way you know when the key was generated, and if it's been tampered with because:

function check($key) {
    list($hash, $timestamp) = explode("|", $key, 2);
    if ($hash !== md5($password . $key)) {
        throw new Exception("Naughty!");
    }
    if ($timestamp < $_SERVER['REQUEST_TIME'] < 60*60) {
        throw new Exception("too old");
    }
}

The down side is that people who don't refresh the page very often (in my example this is 1 hour) their key will expire.

Another issue is that your 'attacker' could technically first scrape a page to get a new key and use that, and scrape again when it expires and so on.

This solution works very good for protecting against hotlinking.


This is how it's done in MVC. Unfortunately, it doesn't look like the same security goodness has made it to WebForms (at least as far as I can tell).

0

精彩评论

暂无评论...
验证码 换一张
取 消