Can I use a session cookie instead of CSRF?


Question

I have been reading about CSRF and fiddling around with implementing it using Go and the Gorilla Toolkit. I am also using Gorilla Sessions, which I have implemented to store a user ID in an encrypted cookie.

The cookie is decrypted and I fetch the user from the DB with the now-unencrypted key-value store, using a middleware I wrote...

If the user is creating the session cookie from authentication through an OAuth2 provider, do I have any need to implement CSRF protection if all the views that need such protection are only allowed to authed users anyway?

Answer 1

Score: 4

Suppose a user has logged into your site, and has continued to browse the Internet in the same session. They stumble across another site which is maliciously targeting yours, with HTML or JS that causes the user's browser to make a request to an endpoint on your site. This will contain the user's session cookie for your domain, and succeed unless protected by a CSRF token.
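An added example (not code from the question or from the Gorilla Toolkit) that shows the answer's point in running form: the session cookie alone rides along on any request the browser makes, so a minimal Go middleware with an in-memory stand-in for the gorilla/sessions store hands out a per-session CSRF token at login and requires it in an `X-CSRF-Token` header (an assumed header name) on state-changing requests.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"net/http"
	"sync"
)

// Stand-in for a gorilla/sessions store (constructed): session ID -> CSRF token.
var sessions sync.Map

// NewSession mints a session ID and a CSRF token bound to it, as the OAuth2
// callback would once the provider has authenticated the user.
func NewSession() (sid, token string) {
	b := make([]byte, 64)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	sid, token = hex.EncodeToString(b[:32]), hex.EncodeToString(b[32:])
	sessions.Store(sid, token)
	return sid, token
}

// CSRFProtect requires a valid session cookie and, for state-changing methods,
// the token bound to that session. The browser attaches the cookie to requests
// started by any site, but only a page on your origin can read and send the token.
func CSRFProtect(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		var want string
		if c, err := r.Cookie("session"); err == nil {
			if v, found := sessions.Load(c.Value); found {
				want = v.(string)
			}
		}
		if want == "" {
			http.Error(w, "not authenticated", http.StatusUnauthorized)
			return
		}
		if r.Method != http.MethodGet && r.Method != http.MethodHead {
			got := []byte(r.Header.Get("X-CSRF-Token"))
			if subtle.ConstantTimeCompare(got, []byte(want)) != 1 {
				http.Error(w, "invalid CSRF token", http.StatusForbidden)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}
```

A request that carries the cookie but not the token, which is all a cross-site page can produce, is refused with 403 even though the user is authenticated; the same request with the token succeeds.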

huangapple
  • Posted on 2017-03-15 13:19:20
  • Please keep this link when reposting: https://go.coder-hub.com/42801631.html