
What should I do in case of a cross site request forgery attack?

I’m trying to prevent CSRF attacks. I’ve stored a random value in the session and in the form. When processing the form, I compare the two values. If the session and the form value aren’t equal, should I kill the script or is there a better way to handle this?


If this is very unlikely to happen from a real user, then I would prevent the script from saving/returning any data, but I would return a 'success' message as if it had worked. If you return a failure, it helps hackers to work out how your validation is coded.

On the other hand, if this happens to real users, I would return a friendly error, and possibly ask them to log in again.


Yes. Just let it fail. There is no point in recovering from such errors.

What you should do however is also write a log entry to audit potential exploit attempts:

syslog(LOG_ERR, "CSRF token mismatch ...");
die("Request failed. (Disabled cookies?) Contact administrator: ...");

Include a human-readable message in case it was really a browser error or something. But don't expose that it was the CSRF token that failed.
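The pattern the two answers describe, as an added example that is not part of the original question or answers: a random token is issued into the session and the form, the submitted value is compared in constant time, a detailed reason goes only to an audit log, and the user sees a generic failure that never mentions CSRF. It is written in Python rather than the answer's PHP so it runs stand-alone; `session`, `form` and `audit_log` are plain dicts and a list standing in for a web framework's objects, and the address `203.0.113.5` is a constructed sample value.

```python
"""CSRF token check with audit logging and a generic user-facing error.

Added example, not code from the original page. The session, form and
audit log are plain Python containers standing in for framework objects.
"""
import hmac
import secrets
from typing import Optional

# What the user sees on any failure. Deliberately does not say "CSRF".
GENERIC_FAILURE = "Request failed. (Disabled cookies?) Contact the administrator."


def issue_csrf_token(session: dict) -> str:
    """Create a fresh random token, store it in the session and return it
    so the page handler can embed it in a hidden form field."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def validate_csrf(session: dict, form: dict, audit_log: list,
                  remote_addr: str = "unknown") -> tuple[int, str]:
    """Compare the session token with the submitted one.

    Returns (http_status, body). On any failure the detailed reason is
    appended to audit_log and the caller gets a generic message, so the
    response does not reveal which check failed.
    """
    expected: Optional[str] = session.get("csrf_token")
    submitted: Optional[str] = form.get("csrf_token")

    if not expected:
        reason = "missing session token"
    elif not submitted:
        reason = "missing form token"
    # compare_digest on bytes: constant-time, and safe for non-ASCII input.
    elif not hmac.compare_digest(expected.encode(), submitted.encode()):
        reason = "token mismatch"
    else:
        reason = None

    if reason is not None:
        # Detail for the operator (syslog in the PHP answer), nothing for the user.
        audit_log.append(f"CSRF check failed ({reason}) from {remote_addr}")
        return 403, GENERIC_FAILURE

    # Rotate the token so a value that leaked once cannot be replayed later.
    issue_csrf_token(session)
    return 200, "OK"


if __name__ == "__main__":
    session, log = {}, []
    token = issue_csrf_token(session)
    print(validate_csrf(session, {"csrf_token": token}, log))        # (200, 'OK')
    # Constructed forged request: stale token from a constructed address.
    print(validate_csrf(session, {"csrf_token": token}, log, "203.0.113.5"))
    print(log)
```

The user-facing string is the same for a missing cookie, a missing field and a mismatch; only the audit log distinguishes them, which is what lets you tell a browser problem from a probing client after the fact without teaching the client how the check works.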
