I have seen on many forums and other websites that they use a security token (a long string) with the POST or GET method. For example (POST method):

<input
    type="hidden"
    name="securitytoken"
    value="1363774829-89afb5d0fbcd2f8d55db0b675061d62bd21ca94e"
/>

Example with the GET method:

http://www.example.com?attribute=xyz&token=f0ec0e8e1622a030cbc543d3ac42729e

What is this security token? Why is it used? What kind of security does it provide? Where should it be used?

1 Answer

It is probably a token to prevent "CSRF" (Cross Site Request Forgery).

For example,

  • you are logged in to the forum
  • you go to evilhacker.com
  • evilhacker has an auto-submitting form that sends spam to the forum
  • because you are logged in, you post (in your name) the spam.

But because the forum needs some token that is tied to your session (so evilhacker cannot guess it for his own form), the post is rejected and you did not post spam.

If you want to see some details, read this paper.

answered 2013-03-20T10:32:51.373
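To make the answer concrete, here is an added example (not from the question or the answer) of the server side of a CSRF token: a random value is generated once per session, placed in a hidden `securitytoken` field exactly like the one in the question, and checked on every POST before the request is acted on. The in-memory `SESSIONS` dictionary and the `issue_csrf_token`, `render_form` and `handle_post` names are assumptions standing in for a real session store and web framework.

```python
import hmac
import secrets

# Constructed stand-in for a real server-side session store (session id -> session data).
SESSIONS = {}


def issue_csrf_token(session_id):
    """Create a random token bound to this session (or reuse the existing one).

    The token is stored server-side, so a page on another origin cannot read it
    and cannot include it in a form it auto-submits on the victim's behalf.
    """
    session = SESSIONS.setdefault(session_id, {})
    if "csrf_token" not in session:
        # 20 random bytes -> 40 hex characters, the same shape as the value in the question.
        session["csrf_token"] = secrets.token_hex(20)
    return session["csrf_token"]


def render_form(session_id):
    """Render the forum's post form with the session's token in a hidden field."""
    token = issue_csrf_token(session_id)
    return (
        '<form method="POST" action="/post">\n'
        f'    <input type="hidden" name="securitytoken" value="{token}" />\n'
        '    <textarea name="message"></textarea>\n'
        "</form>"
    )


def handle_post(session_id, form_fields):
    """Server-side check run before anything is posted.

    Returns (status_code, body). The request is rejected unless the submitted
    token matches the one stored in the caller's session.
    """
    session = SESSIONS.get(session_id)
    if session is None or "csrf_token" not in session:
        return 403, "no session token"
    submitted = form_fields.get("securitytoken", "")
    # Constant-time comparison so the check does not leak the token byte by byte.
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return 403, "invalid security token"
    return 200, f"posted: {form_fields.get('message', '')}"


def demo():
    """Walk through the scenario from the answer and return the two outcomes."""
    # The legitimate user loads the form; the token is now in their session and the page.
    render_form("alice")
    # Their own browser submits the form with the token included.
    legit = handle_post("alice", {"securitytoken": issue_csrf_token("alice"), "message": "hello"})
    # A form submitted from elsewhere rides on the same logged-in session but cannot
    # supply the token, so the same handler rejects it.
    forged = handle_post("alice", {"message": "spam"})
    return legit, forged


if __name__ == "__main__":
    print(demo())
```

The same check applies to the GET variant in the question: the `token` query parameter is compared against the session's stored value in the same way. Tokens are only as good as their secrecy, so they should be generated with a cryptographic random source, never placed in URLs that get logged or shared when a POST alternative exists, and rotated when the session is recreated (for example at login).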