发表新帖
发表新帖

CSRF token generation

前端 未结
关注
9 906
清酒与你
清酒与你 2020-12-07 09:58

This is a question about generating CSRF tokens.

Usually I\'d like to generate a token based off of a unique piece of data associated with the user\'s session, and h

相关标签:
9条回答
  • 孤城傲影
    2020-12-07 10:50

    CSRF utilizes the user's session, so, if you don't have one, there is no CSRF.

    0 讨论(0)
  • 离开以前
    2020-12-07 10:51

    There are multiple implementation of CSRF token. The key thing is whether this csrf token is generated on the client side or server side. Because the implementation changes drastically for these two scenarios and the entropy of the token as well.

    For server side, SecureRandom is the preferred way but in your case you want to generate the CSRF token before any user is identified, window.crypto provides this functionality where you can generate a unguessable enough string to be used for CSRF token.

    0 讨论(0)
  • 既然无缘
    2020-12-07 10:52

    Try base64_encode(openssl_random_pseudo_bytes(16)). https://github.com/codeguy/php-the-right-way/issues/272#issuecomment-18688498 and I used it for my form example in https://gist.github.com/mikaelz/5668195

    0 讨论(0)
 看不清?
提交回复
热议问题