旗下导航:搜·么
当前位置:网站首页 > PHP框架 > YII > 正文

yii csrf是什么【yii框架教程】,yii

作者:搜搜PHP网发布时间:2019-12-05分类:YII浏览:76


导读:跨站要求捏造(英语:Cross-siterequestforgery),也被称为one-clickattack或许sessionriding,平常缩写为CSRF或...
跨站要求捏造(英语:Cross-site request forgery),也被称为 one-click attack 或许 session riding,平常缩写为 CSRF 或许 XSRF, 是一种劫持用户在当前已登录的Web运用程序上实行非本意的操纵的进击要领。

跨站要求进击,简朴地说,是进击者经由过程一些技术手段诳骗用户的浏览器去接见一个自身曾认证过的网站并运转一些操纵(如发邮件,发消息,以至财富操纵如转账和购置商品)。 (引荐进修:yii框架)

因为浏览器曾认证过,所以被接见的网站会认为是真正的用户操纵而去运转。

这利用了web中用户身份考证的一个破绽:简朴的身份考证只能保证要求发自某个用户的浏览器,却不能保证要求自身是用户自愿发出的。

yii2的csrf,这里简朴引见一下它的考证机制。

取用于csrf考证的token值;推断用于csrf的token是不是存在,假如不存在则运用generateCsrfToken()生成。

考证web\Controller中的beforeAction()要领中有Yii::$app->getRequest()->validateCsrfToken()推断,用于考证csrf。

平常我的熟悉yii2的csrf都是从Yii::$app->request->getCsrfToken()入手下手;好的,我们就从getCsrfToken()提及。 此要领在yii\web\Request.php中:

/**
 * Returns the token used to perform CSRF validation.
 * 返回用于实行CSRF考证的token
 * This token is a masked version of [[rawCsrfToken]] to prevent [BREACH attacks](http://breachattack.com/).
 * This token may be passed along via a hidden field of an HTML form or an HTTP header value
 * to support CSRF validation.
 * @param boolean $regenerate whether to regenerate CSRF token. When this parameter is true, each time
 * this method is called, a new CSRF token will be generated and persisted (in session or cookie).
 * @return string the token used to perform CSRF validation.
 */
public function getCsrfToken($regenerate = false)
{
    if ($this->_csrfToken === null || $regenerate) {
        if ($regenerate || ($token = $this->loadCsrfToken()) === null) {    //loadCsrfToken()就是在cookie或许session中猎取token值
            $token = $this->generateCsrfToken();        //假如token为空则挪用generateCsrfToken()去生成
        }
        // the mask doesn't need to be very random
        $chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_-.';
        $mask = substr(str_shuffle(str_repeat($chars, 5)), 0, static::CSRF_MASK_LENGTH);
        // The + sign may be decoded as blank space later, which will fail the validation
        $this->_csrfToken = str_replace('+', '.', base64_encode($mask . $this->xorTokens($token, $mask)));
    }

    return $this->_csrfToken;
}

/**
 * Loads the CSRF token from cookie or session.
 * @return string the CSRF token loaded from cookie or session. Null is returned if the cookie or session
 * does not have CSRF token.
 */
protected function loadCsrfToken()
{
    if ($this->enableCsrfCookie) {
        return $this->getCookies()->getValue($this->csrfParam);         //cookie中猎取csrf的token 
    } else {
        return Yii::$app->getSession()->get($this->csrfParam);          //session中猎取csrf的token
    }
}

/**
 * Creates a cookie with a randomly generated CSRF token.
 * Initial values specified in [[csrfCookie]] will be applied to the generated cookie.
 * @param string $token the CSRF token
 * @return Cookie the generated cookie
 * @see enableCsrfValidation
 */
protected function createCsrfCookie($token)
{
    $options = $this->csrfCookie;
    $options['name'] = $this->csrfParam;
    $options['value'] = $token;
    return new Cookie($options);
}

/**
 * Generates  an unmasked random token used to perform CSRF validation.
 * @return string the random token for CSRF validation.
 */
protected function generateCsrfToken()
{
    $token = Yii::$app->getSecurity()->generateRandomString();      //生成随机的平安字符串
    if ($this->enableCsrfCookie) {
        $cookie = $this->createCsrfCookie($token);                  //createCsrfCookie()用于生成csrf的key=>value情势的token
        Yii::$app->getResponse()->getCookies()->add($cookie);       //将生成key=>value保存到cookies 
    } else {
        Yii::$app->getSession()->set($this->csrfParam, $token);     //将csrf的token存在session中
    }
    return $token;
}

/**
 * 每次挪用控制器中的要领的时刻都邑挪用下面的Yii::$app->getRequest()->validateCsrfToken()考证
 * @inheritdoc
 */
public function beforeAction($action)
{
    if (parent::beforeAction($action)) {
        if ($this->enableCsrfValidation && Yii::$app->getErrorHandler()->exception === null && !Yii::$app->getRequest()->validateCsrfToken()) {         
            throw new BadRequestHttpException(Yii::t('yii', 'Unable to verify your data submission.'));
        }
        return true;
    } else {
        return false;
    }
}


/**
 * 校验要领
 * Performs the CSRF validation.
 *
 * This method will validate the user-provided CSRF token by comparing it with the one stored in cookie or session.
 * This method is mainly called in [[Controller::beforeAction()]].
 *
 * Note that the method will NOT perform CSRF validation if [[enableCsrfValidation]] is false or the HTTP method
 * is among GET, HEAD or OPTIONS.
 *
 * @param string $token the user-provided CSRF token to be validated. If null, the token will be retrieved from
 * the [[csrfParam]] POST field or HTTP header.
 * This parameter is available since version 2.0.4.
 * @return boolean whether CSRF token is valid. If [[enableCsrfValidation]] is false, this method will return true.
 */
public function validateCsrfToken($token = null)
{
    $method = $this->getMethod();
    // only validate CSRF token on non-"safe" methods http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.1.1
    if (!$this->enableCsrfValidation || in_array($method, ['GET', 'HEAD', 'OPTIONS'], true)) {
        return true;
    }

    $trueToken = $this->loadCsrfToken();

    if ($token !== null) {
        return $this->validateCsrfTokenInternal($token, $trueToken);
    } else {
        return $this->validateCsrfTokenInternal($this->getBodyParam($this->csrfParam), $trueToken)
            || $this->validateCsrfTokenInternal($this->getCsrfTokenFromHeader(), $trueToken); 
            //getCsrfTokenFromHeader()这个我也不太明白,还请指导一下
    }
}

/**
 * @return string the CSRF token sent via [[CSRF_HEADER]] by browser. Null is returned if no such header is sent.
 */
public function getCsrfTokenFromHeader()
{
    $key = 'HTTP_' . str_replace('-', '_', strtoupper(static::CSRF_HEADER));
    return isset($_SERVER[$key]) ? $_SERVER[$key] : null;
}

/**
 * Validates CSRF token
 *
 * @param string $token
 * @param string $trueToken
 * @return boolean
 */
private function validateCsrfTokenInternal($token, $trueToken)
{
    $token = base64_decode(str_replace('.', '+', $token));      //解码从客户端猎取的csrf的token
    $n = StringHelper::byteLength($token);
    if ($n <= static::CSRF_MASK_LENGTH) {
        return false;
    }
    $mask = StringHelper::byteSubstr($token, 0, static::CSRF_MASK_LENGTH);
    $token = StringHelper::byteSubstr($token, static::CSRF_MASK_LENGTH, $n - static::CSRF_MASK_LENGTH);
    $token = $this->xorTokens($mask, $token);

    return $token === $trueToken;       //考证从客户端猎取的csrf的token和实在的token是不是相称
}

以上就是yii csrf是什么的细致内容,更多请关注ki4网别的相干文章!

标签:yii