由网友(只是,太过爱你。)分享简介:我正在写一个web应用程序将使得通过AJAX请求,并想锁定这些调用。经过一段时间的研究,我正在考虑使用某种形式的随机令牌(字符串)被传递回连同请求(GUID?)。这是我的算法的重要组成部分:I'm writing a web app that will be making requests via AJAX and...


I'm writing a web app that will be making requests via AJAX and would like to lock down those calls. After a little research, I am considering using some form of random token (string) to be passed back along with the request (GUID?). Here's the important parts of my algorithm:

分配令牌到JavaScript变量(服务器端生成)。 另外,存储,令牌在一个数据库,并给它一个有效的时间段(比如10分钟)。 如果令牌仍未被使用,是在它的有效时间窗口,允许呼叫。 在返回所需的信息,如果有效,否则,登录请求,并忽略它。

通过着眼于安全性,这是否有道理?对于令牌,将一个GUID的工作 - 它应该是别的东西吗?有没有在请求加密变量的好办法?

With an eye toward security, does this make sense? For the token, would a GUID work - should it be something else? Is there a good way to encrypt variables in the request?



I understand that these AJAX requests wouldn't be truly "secure" but I would like to add basic security in the sense that I would like to prevent others from using the service I intend to write. This random token would be a basic, front-line defense against abusive calls. The data that would be requested (and even submitted to generate such data) would is HIGHLY unlikely to be repeated.

也许我错了,在使用GUID ...怎么样一个随机生成的字符串(标记)?

Maybe I'm wrong in using a GUID... how about a randomly generated string (token)?



If you are doing this to trust code that you sent to the client browser, then change direction. You really don't want to trust user input, which includes calls from js that you sent to the browser. The logic on the server should be made so that nothing wrong can be done through there. That said, asp.net uses a signed field, you might want to go that way if absolutely necessary.

扩展一下: Asp.net篡改样张视图状态,它被作为一个HTML隐藏字段(取决于配置)。我相信有更好的联系作为参考,但至少它被提及在这一个:的 http://msdn.microsoft.com/en-us/library/ms998288.aspx

Expanding a bit: Asp.net tamper-proofs the viewstate, which is sent as a html hidden field (depending on the configuration). I am sure there are better links as reference, but at least it is mentioned on this one: http://msdn.microsoft.com/en-us/library/ms998288.aspx

验证。这指定的散列   算法用于产生HMACs到   使视图状态和形式   身份验证票证防篡改。   该属性还用于指定   用于加密算法   ViewState的加密。此属性   支持以下选项:

validation. This specifies the hashing algorithm used to generate HMACs to make ViewState and forms authentication tickets tamper proof. This attribute is also used to specify the encryption algorithm used for ViewState encryption. This attribute supports the following options:    SHA1-SHA1用于防篡改   ViewState的,如果配置后,   窗体身份验证票。当SHA1   被选择用于验证   属性,使用的算法是   HMACSHA1。    SHA1–SHA1 is used to tamper proof ViewState and, if configured, the forms authentication ticket. When SHA1 is selected for the validation attribute, the algorithm used is HMACSHA1.


更新2: 对于防篡改要签名的数据(不加密的话)。需要注意的是,一般使用加密技术时,你应该避免使用自定义实现或算法。至于步骤,我会坚持到:

Update 2: For tamper-proofing you want to sign the data (not encrypt it). Note that when using cryptography in general, you should really avoid using a custom implementation or algorithm. Regarding the steps, I would stick to:

分配令牌到JavaScript变量(服务器端生成)。 你有信息来确定的要求和确切日期和放大器,其发行时间。签名将验证服务器端应用程序发出的数据。的 在确定双的提交如果合适的话。


That said, the reason asp.net validates the viewstate by default, is because devs rely on info coming in there as being handled only by the application when they shouldn't. The same probably applies for your scenario, don't rely on this mechanism. If you want to evaluate whether someone can do something use authentication+authorization. If you want to know the ajax call is sending only valid options, validate them. Don't expose an API at granularity level than the one where you can appropriately authorize the actions. This mechanism is just an extra measure, in case something slipped, not a real protection.


Ps. with the HMACSHA1 above, you would instantiate it with a fixed key


