英文:
can I use session cookie instead of csrf?
问题
我一直在阅读有关 CSRF 的内容,并尝试使用 Go 和 Gorilla Toolkit 实现它。我还在使用 Gorilla Sessions,我已经实现了将用户 ID 存储在加密 cookie 中。
通过一个我编写的中间件,我解密 cookie 并使用现在未加密的键值存储从数据库中获取用户信息...
如果用户通过 OAuth2 提供程序进行身份验证创建会话 cookie,那么如果所有需要此保护的视图只允许经过身份验证的用户访问,我是否需要实现 CSRF 保护呢?
英文:
I have been reading about csrf and fiddliN around with implementing it using go and gorilla toolkit. I am also using gorilla sessions which i have implemented to store a user id in an encrypted cookie.
the cookie is decrypted and i fetch the user from the db with the now unencrypted key-value store using a middleware I wrote...
if the user is creating the session cookie from authentication through an oauth2 provider, do i have any need to implement csrf protection if all the views that need such protection are only allowed to authed users anyway?
答案1
得分: 4
假设一个用户已经登录到你的网站,并在同一个会话中继续浏览互联网。他们偶然发现另一个网站正在恶意地针对你的网站,使用HTML或JS代码导致用户的浏览器向你的网站的一个端点发送请求。该请求将包含用户在你的域中的会话cookie,并且如果没有受到CSRF令牌的保护,请求将成功。
英文:
Suppose a user has logged into your site, and has continued to browse the Internet in the same session. They stumble across another site which is maliciously targeting yours, with HTML or JS that causes the user's browser to make a request to an endpoint on your site. This will contain the user's session cookie for your domain, and succeed unless protected by a CSRF token.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论