How do you add CSRF protection to an SPA that is served as a static resource?

2016-12-01 09:12

I have recently been building an SPA with react + react-router. The backend is yii2, and nginx is configured to return index.html on a 404. The problem with this setup is that I have no way to use CSRF protection. How should I handle this?

I saw a site whose tech stack is much like mine. It puts a meta tag containing the token value inside the head tag, and every one of its requests sends that token back as a header value. How is this done? How do I render the token value into this index.html?

Submitted via ajax:

$.ajax({
  url: '你的url',          // request URL
  type: '请求方法',         // HTTP method (GET, POST, ...)
  dataType: '数据类型',     // expected response data type
  data: {},
  // Read the token from <meta name="csrf-token"> and send it back as the X-CSRF-TOKEN header
  headers: {
    'X-CSRF-TOKEN': $('meta[name="csrf-token"]').attr('content') ? $('meta[name="csrf-token"]').attr('content') : ''
  },
  beforeSend: function (xhr) {
    alert('等待回调');      // "waiting for callback"
  }
});

Put the input part in the request header:

<?php

/* +----------------------------------------------------------------------
 * | CSRF security check class @pushaowei
 * +----------------------------------------------------------------------
 * | [Usage]   (block comment: a one-line // comment would be closed by the ?> in the meta sample below)
 * |    // Backend
 * |    use library\Base\NoCSRF;
 * |    session_start();
 * |    if ($this->getRequest()->isPost()) {
 * |        try {
 * |            // Verify the token
 * |            NoCSRF::check('csrf_token', $_POST, true, 60*10, false); // 60*10 = 10 minutes; null = do not check expiry
 * |            $result = 'CSRF check passed. Form parsed.';
 * |            //$this->getRequest()->getPost('field');
 * |            echo $result;
 * |        } catch (Exception $e) {
 * |            echo $e->getMessage() . ' Form ignored.';
 * |        }
 * |    } else {
 * |        // Generate the token
 * |        $token = NoCSRF::generate('csrf_token');
 * |        $this->getView()->assign('token', $token);
 * |        $this->getView()->display('页面');
 * |    }
 * |    // Frontend
 * |    <meta name="csrf-token" content="<?php echo library\Base\NoCSRF::generate('csrf_token'); ?>" />
 * +----------------------------------------------------------------------
 */

class NoCSRF
{
    protected static $doOriginCheck = false;

    /**
     * Check that the CSRF tokens in the session and in $origin match.
     * Make sure you generated a token in the form before checking it.
     *
     * @param String  $key            The session and $origin key where to find the token.
     * @param Mixed   $origin         The object/associative array to retrieve the token data from, usually $_POST.
     * @param Boolean $throwException (Optional) TRUE to throw an exception on check failure, FALSE (default) to return false.
     * @param Integer $timespan       (Optional) Makes the token expire after $timespan seconds. null = never.
     * @param Boolean $multiple       (Optional) Makes the token reusable instead of one-time. Useful for ajax-heavy pages.
     *
     * @return Boolean Returns FALSE if a CSRF attack is detected, TRUE otherwise.
     */
    public static function check($key, $origin, $throwException = false, $timespan = null, $multiple = false)
    {
        // Session is the application's own session wrapper (has/get/put/forget); it is not part of this class.
        $session = Session::getInstance();

        if (!$session->has('csrf_' . $key)) {
            if ($throwException) {
                throw new \Exception('Missing CSRF session token.');
            } else {
                return false;
            }
        }

        if (!isset($origin[$key])) {
            if ($throwException) {
                throw new \Exception('Missing CSRF form token.');
            } else {
                return false;
            }
        }

        // Get the valid token from the session
        $hash = $session->get('csrf_' . $key);

        // Free up the session token for one-time CSRF token usage.
        if (!$multiple) {
            $session->forget('csrf_' . $key);
        }

        // Origin checks: decoded bytes 10..49 of the token hold sha1(REMOTE_ADDR . HTTP_USER_AGENT)
        if (self::$doOriginCheck
            && sha1($_SERVER['REMOTE_ADDR'] . $_SERVER['HTTP_USER_AGENT']) !== substr(base64_decode($hash), 10, 40)) {
            if ($throwException) {
                throw new \Exception('Form origin does not match token origin.');
            } else {
                return false;
            }
        }

        // Check that the session token matches the form token (constant-time comparison)
        if (!hash_equals($hash, (string) $origin[$key])) {
            if ($throwException) {
                throw new \Exception('Invalid CSRF token.');
            } else {
                return false;
            }
        }

        // Check for token expiration: the first 10 decoded bytes are the Unix timestamp at generation
        if ($timespan != null && is_int($timespan)
            && intval(substr(base64_decode($hash), 0, 10)) + $timespan < time()) {
            if ($throwException) {
                throw new \Exception('CSRF token has expired.');
            } else {
                return false;
            }
        }

        return true;
    }

    /**
     * Adds extra user-agent and remote_addr checks to the CSRF protection.
     */
    public static function enableOriginCheck()
    {
        self::$doOriginCheck = true;
    }

    /**
     * CSRF token generation method. After generating the token, put it inside a hidden form field named $key.
     *
     * @param String $key The session key where the token will be stored. Also the name of the hidden field.
     * @return String The generated, base64-encoded token.
     */
    public static function generate($key)
    {
        $session = Session::getInstance();

        $extra = self::$doOriginCheck ? sha1($_SERVER['REMOTE_ADDR'] . $_SERVER['HTTP_USER_AGENT']) : '';
        // Token layout: base64(time . $extra . random string); the leading timestamp drives expiration
        $token = base64_encode(time() . $extra . self::randomString(32));
        // store the one-time token in the session
        $session->put('csrf_' . $key, $token);

        return $token;
    }

    /**
     * Generates a random string of the given $length.
     *
     * @param Integer $length The string length.
     * @return String The randomly generated string.
     */
    protected static function randomString($length)
    {
        // Alphanumeric alphabet (the posted copy had a typo in the lowercase range)
        $seed = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
        $max = strlen($seed) - 1;

        $string = '';
        for ($i = 0; $i < $length; ++$i) {
            // random_int() is a CSPRNG; mt_rand(), as originally used, is not suitable for security tokens
            $string .= $seed[random_int(0, $max)];
        }

        return $string;
    }
}
?>
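The asker's actual obstacle is that nginx hands out index.html as a static file, so nothing ever fills the meta tag. One way round it is to point the 404 fallback at a small PHP front controller that creates the session token, injects it into the meta tag, and then checks the X-CSRF-TOKEN header on state-changing requests. This is an added example, not code from the thread or from yii2; the %%CSRF_TOKEN%% placeholder in the built index.html and the XSRF-TOKEN cookie name are assumptions.

```php
<?php
// Added example: serve index.html through PHP so the CSRF token can be rendered into it.
// Assumes the SPA build leaves the literal placeholder %%CSRF_TOKEN%% in the meta tag.
declare(strict_types=1);

session_start();

// One token per session, generated from a CSPRNG.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Replace the placeholder; htmlspecialchars keeps the attribute safe if the token format ever changes.
function renderIndex(string $html, string $token): string
{
    return str_replace('%%CSRF_TOKEN%%', htmlspecialchars($token, ENT_QUOTES), $html);
}

// Optional double-submit variant: expose the same token in a JS-readable cookie so the SPA
// can echo it as X-CSRF-TOKEN without depending on the meta tag at all.
function csrfCookie(string $token): void
{
    setcookie('XSRF-TOKEN', $token, [
        'path' => '/', 'secure' => true, 'httponly' => false, 'samesite' => 'Strict',
    ]);
}

// Server-side check for API requests: the header must be present and match the session token.
// PHP exposes the X-CSRF-TOKEN request header as $_SERVER['HTTP_X_CSRF_TOKEN'].
function checkCsrfHeader(array $server, string $sessionToken): bool
{
    $sent = $server['HTTP_X_CSRF_TOKEN'] ?? '';
    return $sent !== '' && hash_equals($sessionToken, $sent);
}

// Constructed sample of the built index.html (in practice read it from the build directory).
$index = '<!doctype html><html><head><meta name="csrf-token" content="%%CSRF_TOKEN%%"></head>'
       . '<body><div id="root"></div></body></html>';

$token = csrfToken();
csrfCookie($token);
header('Content-Type: text/html; charset=utf-8');
header('Cache-Control: no-store'); // the page now carries a per-session secret; do not cache it
echo renderIndex($index, $token);
```

Point the nginx fallback that currently returns index.html at this script instead of the static file; the asker's jQuery snippet then works unchanged, and the API handlers call checkCsrfHeader($_SERVER, csrfToken()) before acting on a POST.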
