小編給大家分享一下yii中csrf的驗(yàn)證機(jī)制,希望大家閱讀完這篇文章之后都有所收獲,下面讓我們一起去探討吧!
創(chuàng)新互聯(lián)建站秉承實(shí)現(xiàn)全網(wǎng)價(jià)值營(yíng)銷的理念,以專業(yè)定制企業(yè)官網(wǎng),成都網(wǎng)站制作、成都做網(wǎng)站、外貿(mào)營(yíng)銷網(wǎng)站建設(shè),小程序定制開發(fā),網(wǎng)頁(yè)設(shè)計(jì)制作,手機(jī)網(wǎng)站制作設(shè)計(jì),成都全網(wǎng)營(yíng)銷幫助傳統(tǒng)企業(yè)實(shí)現(xiàn)“互聯(lián)網(wǎng)+”轉(zhuǎn)型升級(jí)專業(yè)定制企業(yè)官網(wǎng),公司注重人才、技術(shù)和管理,匯聚了一批優(yōu)秀的互聯(lián)網(wǎng)技術(shù)人才,對(duì)客戶都以感恩的心態(tài)奉獻(xiàn)自己的專業(yè)和所長(zhǎng)。
跨站請(qǐng)求偽造(英語:Cross-site request forgery),也被稱為 one-click attack 或者 session riding,通??s寫為 CSRF 或者 XSRF, 是一種挾制用戶在當(dāng)前已登錄的Web應(yīng)用程序上執(zhí)行非本意的操作的攻擊方法。
跨站請(qǐng)求攻擊,簡(jiǎn)單地說,是攻擊者通過一些技術(shù)手段欺騙用戶的瀏覽器去訪問一個(gè)自己曾經(jīng)認(rèn)證過的網(wǎng)站并運(yùn)行一些操作(如發(fā)郵件,發(fā)消息,甚至財(cái)產(chǎn)操作如轉(zhuǎn)賬和購(gòu)買商品)。
由于瀏覽器曾經(jīng)認(rèn)證過,所以被訪問的網(wǎng)站會(huì)認(rèn)為是真正的用戶操作而去運(yùn)行。
這利用了web中用戶身份驗(yàn)證的一個(gè)漏洞:簡(jiǎn)單的身份驗(yàn)證只能保證請(qǐng)求發(fā)自某個(gè)用戶的瀏覽器,卻不能保證請(qǐng)求本身是用戶自愿發(fā)出的。
yii2的csrf,這里簡(jiǎn)單介紹一下它的驗(yàn)證機(jī)制。
取用于csrf驗(yàn)證的token值;判斷用于csrf的token是否存在,如果不存在則使用generateCsrfToken()生成。
驗(yàn)證web\Controller中的beforeAction()方法中有Yii::$app->getRequest()->validateCsrfToken()判斷,用于驗(yàn)證csrf。
一般我的認(rèn)識(shí)yii2的csrf都是從Yii::$app->request->getCsrfToken()開始;好的,我們就從getCsrfToken()說起。 此方法在yii\web\Request.php中:
/** * Returns the token used to perform CSRF validation. * 返回用于執(zhí)行CSRF驗(yàn)證的token * This token is a masked version of [[rawCsrfToken]] to prevent [BREACH attacks](http://breachattack.com/). * This token may be passed along via a hidden field of an HTML form or an HTTP header value * to support CSRF validation. * @param boolean $regenerate whether to regenerate CSRF token. When this parameter is true, each time * this method is called, a new CSRF token will be generated and persisted (in session or cookie). * @return string the token used to perform CSRF validation. */ public function getCsrfToken($regenerate = false) { if ($this->_csrfToken === null || $regenerate) { if ($regenerate || ($token = $this->loadCsrfToken()) === null) { //loadCsrfToken()就是在cookie或者session中獲取token值 $token = $this->generateCsrfToken(); //如果token為空則調(diào)用generateCsrfToken()去生成 } // the mask doesn't need to be very random $chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_-.'; $mask = substr(str_shuffle(str_repeat($chars, 5)), 0, static::CSRF_MASK_LENGTH); // The + sign may be decoded as blank space later, which will fail the validation $this->_csrfToken = str_replace('+', '.', base64_encode($mask . $this->xorTokens($token, $mask))); } return $this->_csrfToken; } /** * Loads the CSRF token from cookie or session. * @return string the CSRF token loaded from cookie or session. Null is returned if the cookie or session * does not have CSRF token. */ protected function loadCsrfToken() { if ($this->enableCsrfCookie) { return $this->getCookies()->getValue($this->csrfParam); //cookie中獲取csrf的token } else { return Yii::$app->getSession()->get($this->csrfParam); //session中獲取csrf的token } } /** * Creates a cookie with a randomly generated CSRF token. * Initial values specified in [[csrfCookie]] will be applied to the generated cookie. * @param string $token the CSRF token * @return Cookie the generated cookie * @see enableCsrfValidation */ protected function createCsrfCookie($token) { $options = $this->csrfCookie; $options['name'] = $this->csrfParam; $options['value'] = $token; return new Cookie($options); } /** * Generates an unmasked random token used to perform CSRF validation. * @return string the random token for CSRF validation. */ protected function generateCsrfToken() { $token = Yii::$app->getSecurity()->generateRandomString(); //生成隨機(jī)的安全字符串 if ($this->enableCsrfCookie) { $cookie = $this->createCsrfCookie($token); //createCsrfCookie()用于生成csrf的key=>value形式的token Yii::$app->getResponse()->getCookies()->add($cookie); //將生成key=>value保存到cookies } else { Yii::$app->getSession()->set($this->csrfParam, $token); //將csrf的token存在session中 } return $token; } /** * 每次調(diào)用控制器中的方法的時(shí)候都會(huì)調(diào)用下面的Yii::$app->getRequest()->validateCsrfToken()驗(yàn)證 * @inheritdoc */ public function beforeAction($action) { if (parent::beforeAction($action)) { if ($this->enableCsrfValidation && Yii::$app->getErrorHandler()->exception === null && !Yii::$app->getRequest()->validateCsrfToken()) { throw new BadRequestHttpException(Yii::t('yii', 'Unable to verify your data submission.')); } return true; } else { return false; } } /** * 校驗(yàn)方法 * Performs the CSRF validation. * * This method will validate the user-provided CSRF token by comparing it with the one stored in cookie or session. * This method is mainly called in [[Controller::beforeAction()]]. * * Note that the method will NOT perform CSRF validation if [[enableCsrfValidation]] is false or the HTTP method * is among GET, HEAD or OPTIONS. * * @param string $token the user-provided CSRF token to be validated. If null, the token will be retrieved from * the [[csrfParam]] POST field or HTTP header. * This parameter is available since version 2.0.4. * @return boolean whether CSRF token is valid. If [[enableCsrfValidation]] is false, this method will return true. */ public function validateCsrfToken($token = null) { $method = $this->getMethod(); // only validate CSRF token on non-"safe" methods http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.1.1 if (!$this->enableCsrfValidation || in_array($method, ['GET', 'HEAD', 'OPTIONS'], true)) { return true; } $trueToken = $this->loadCsrfToken(); if ($token !== null) { return $this->validateCsrfTokenInternal($token, $trueToken); } else { return $this->validateCsrfTokenInternal($this->getBodyParam($this->csrfParam), $trueToken) || $this->validateCsrfTokenInternal($this->getCsrfTokenFromHeader(), $trueToken); //getCsrfTokenFromHeader()這個(gè)我也不太理解,還請(qǐng)指點(diǎn)一下 } } /** * @return string the CSRF token sent via [[CSRF_HEADER]] by browser. Null is returned if no such header is sent. */ public function getCsrfTokenFromHeader() { $key = 'HTTP_' . str_replace('-', '_', strtoupper(static::CSRF_HEADER)); return isset($_SERVER[$key]) ? $_SERVER[$key] : null; } /** * Validates CSRF token * * @param string $token * @param string $trueToken * @return boolean */ private function validateCsrfTokenInternal($token, $trueToken) { $token = base64_decode(str_replace('.', '+', $token)); //解碼從客戶端獲取的csrf的token $n = StringHelper::byteLength($token); if ($n <= static::CSRF_MASK_LENGTH) { return false; } $mask = StringHelper::byteSubstr($token, 0, static::CSRF_MASK_LENGTH); $token = StringHelper::byteSubstr($token, static::CSRF_MASK_LENGTH, $n - static::CSRF_MASK_LENGTH); $token = $this->xorTokens($mask, $token); return $token === $trueToken; //驗(yàn)證從客戶端獲取的csrf的token和真實(shí)的token是否相等 }
看完了這篇文章,相信你對(duì)“yii中csrf的驗(yàn)證機(jī)制”有了一定的了解,如果想了解更多相關(guān)知識(shí),歡迎關(guān)注創(chuàng)新互聯(lián)行業(yè)資訊頻道,感謝各位的閱讀!