I would like to use the Unix Time to avoid replay attacks to my web service. I would like the clients to add this value with the request amongst other security tokens. Then my server would also compute this value and accept what the client sent to me within a given error margin.
Now, my question is this: If i tell my clients that i will accept an error margin of around 200. Less or greater than.
But can it really ever be greater than ?
Also, does it depend on the system date-time settings of the client sending me the request ?
Also, how do i decide an appropriate error margin so that i do not refuse genuine requests ?
问问题
436 次
1 回答
4
但它真的可以大于吗?
是的!您对客户端时钟一无所知。可能是几分钟或几小时的错误!无论如何,您都不能信任客户端时钟,因此我建议您在服务器端的某种会话中记录时间,然后据此进行计算。
此外,它是否取决于向我发送请求的客户端的系统日期时间设置?
是的。您可以使用Date.getUTCxxx()JS 中的函数在同一时区获取所有内容,但您不能相信客户端有正确设置的时钟。
另外,我如何确定适当的误差范围,以便我不会拒绝真正的请求?
这取决于您的服务。您期望立即得到答复吗?用户应该做一些工作吗?用户是否有可能加载一个页面,然后离开计算机为自己和他的同事冲泡一些美味的全烤咖啡?
于 2012-06-06T08:13:58.953 回答