Old 09. 11. 2005.   #8
Petar Marić
Python Ambassador
Master
Join Date: 06.06.2005
Location: Novi Sad
Posts: 602
Thanks: 28
Thanked 27 Times in 17 Posts

@bluesman: Now you're talking
Quote:
Content taken from the page already mentioned
Preventing CSRF
  1. Make sure that the cgi that handles form submissions for forms that change server state only accepts POST parameters, not GET parameters. Some server-side languages default to accepting both.
  2. Make sure form submissions use your own forms by including a hidden field that is an MD5 hash of the login cookie and a secret on the server. Then only accept the form if the hidden field is correct.
  3. Optional added paranoia: Add a timestamp as a hidden field and include it in the hash. Make the form expire if the timestamp is too old. Give users a way to submit the form again when the form expires, such as by returning the form pre-filled with the data they entered last time but with a fresh hash.
Do not rely on the Referer header to protect your visitors from CSRF. (Browser bugs and features allow web sites to create referrerless links, so you would have to reject referrerless form submissions. Some users choose to turn off referers, so you can't protect these users without preventing them from accessing your site at all. Some users even spoof their referer so it always appears to come from the site they are requesting a page from, making them impossible to protect in this way. Users that spoof referrers usually do so in order to access porn sites that restrict access to content solely based on referers.)
Since so few sites protect their visitors against CSRF attacks, we have discussed possible client-side fixes for CSRF. We didn't come up with anything good. For reference, see bug 38933, bug 40132, bug 246476, and bug 246519. At most, browsers might be able to prevent CSRFs from web sites to intranet sites, but not between web sites.
Of course, adding a CAPTCHA only makes the solution nicer, though I'd recommend you also add a check for a minimum interval between sending 2 messages.

Edit: Just to note, in case some haven't figured it out by now: for every form that changes state on the server, the combination in question is used - and of course the secret keys change for every new request.
__________________
Python Ambassador of Serbia

Last edited by Petar Marić : 10. 11. 2005. at 18:37.
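As an added example (not code from the post or from the quoted page), here is the three-step scheme above implemented server-side in Python: POST-only handling, a hidden field bound to the login cookie and a server secret, and a timestamp that makes the field expire with a re-issue path that hands the user their data back with a fresh token. One deliberate deviation is named here: the quoted text describes an MD5 hash of cookie plus secret, while this example uses HMAC-SHA256 keyed with the secret, which is the keyed-MAC form of the same idea. `SERVER_SECRET`, `MAX_TOKEN_AGE`, the `sessionid=abc123` cookie and the form fields are all constructed for the example.

```python
import hashlib
import hmac
import time

# Constructed example secret. A real deployment generates this once at random
# and keeps it on the server only; it must never reach the browser.
SERVER_SECRET = b"example-only-server-secret-change-me"

# Tokens older than this many seconds are rejected (the "optional paranoia" step).
MAX_TOKEN_AGE = 600


def _sign(login_cookie, timestamp):
    """HMAC-SHA256 over the login cookie and timestamp, keyed with the server secret.

    The quoted page describes md5(cookie + secret); a keyed MAC is the same binding
    of the form to the logged-in user, without relying on hash concatenation.
    """
    msg = f"{login_cookie}|{timestamp}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def make_form_token(login_cookie, now=None):
    """Value for the hidden form field, in the form '<timestamp>:<mac>'.

    Because the timestamp is part of the signed message, every freshly rendered
    form carries a different token, matching the "secret changes per request" note.
    """
    ts = int(time.time()) if now is None else int(now)
    return f"{ts}:{_sign(login_cookie, ts)}"


def verify_form_token(token, login_cookie, now=None, max_age=MAX_TOKEN_AGE):
    """Return (ok, reason). Rejects malformed, forged, future-dated and expired tokens."""
    current = int(time.time()) if now is None else int(now)
    try:
        ts_str, mac = token.split(":", 1)
        ts = int(ts_str)
    except (AttributeError, ValueError):
        return False, "malformed"
    # Check the signature before the age, so a forged-but-old token is reported
    # as a forgery rather than as something worth re-issuing.
    if not hmac.compare_digest(_sign(login_cookie, ts), mac):  # constant-time compare
        return False, "bad signature"
    if ts > current + 60:  # small clock-skew allowance
        return False, "timestamp in the future"
    if current - ts > max_age:
        return False, "expired"
    return True, "ok"


def handle_submission(method, params, login_cookie, now=None):
    """Decide what to do with a submitted state-changing form.

    Returns ('ok', fields) when the change may be applied, ('reject', {...}) for
    anything that looks forged, and ('resubmit', refilled_form) when only the
    timestamp expired, so the user gets their data back with a fresh token.
    """
    if method.upper() != "POST":  # step 1: state changes never come from GET parameters
        return "reject", {"reason": "method not allowed"}
    token = params.get("csrf_token")
    if token is None:
        return "reject", {"reason": "missing token"}
    fields = {k: v for k, v in params.items() if k != "csrf_token"}
    ok, reason = verify_form_token(token, login_cookie, now)
    if ok:
        return "ok", fields
    if reason == "expired":  # step 3: re-issue the form pre-filled, with a new token
        fields["csrf_token"] = make_form_token(login_cookie, now)
        return "resubmit", fields
    return "reject", {"reason": reason}


if __name__ == "__main__":
    cookie = "sessionid=abc123"  # constructed login cookie
    t0 = 1_700_000_000
    token = make_form_token(cookie, t0)
    print(handle_submission("POST", {"msg": "hello", "csrf_token": token}, cookie, t0 + 5))
    print(handle_submission("POST", {"msg": "hello", "csrf_token": token}, cookie, t0 + 2000))
```

A forged request from another site fails on the signature, since the attacker does not know the server secret and cannot read the victim's cookie; a replayed old token fails on age; and a GET that carries a valid token is still refused, which is the point of step 1.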