CSRF protection with javascript?
Can I protect from CSRF by generating a CSRF token client-side with JavaScript, setting a cookie from JavaScript with this token, and adding this token to the POST request?
server-side: check cookie[token] === post[token]
No, what is to stop an attacker from doing the same thing? The server needs to own one of the credentials.
I don't believe this would work. An attacker could just replicate your algorithm for generating the token and send in a valid value. You want to set the value on the server and ensure that the value cannot be tampered with.
If you use PHP with JavaScript, then there is maybe a way to protect it; have a look at the OWASP CSRFGuard Project, but I have not had a deep look at it, I just found this project implementing a CSRFGuard-style solution for PHP and JavaScript.
But really, I don't know if this is a safe implementation or not...
I know that some people on OWASP are working on getting the ESAPI ready for JavaScript (that's what Chris Schmidt is talking about in this video), but I don't know how far they are at the moment; have a look at esapi.org