Sha*_*ell 17 ajax zend-framework csrf zend-form
I have included a Zend_Form_Element_Hash in a form containing a multiCheckbox element. I have jQuery set up so that clicking a checkbox fires an AJAX request, and I pass the token along with that AJAX request. The first AJAX request works fine, but subsequent requests fail.
I suspect it may be that once the token is validated it is removed from the session (hop = 1).
What is the plan of attack for protecting forms with the Zend Framework Hash element while completing some of those requests via AJAX?
I ended up abandoning Zend_Form_Element_Hash and manually creating a token, registering it with Zend_Session, and then checking it on submit.
form.php
// Store a fresh token in its own session namespace (expires after 15 minutes)
$myNamespace = new Zend_Session_Namespace('authtoken');
$myNamespace->setExpirationSeconds(900);
$myNamespace->authtoken = $hash = md5(uniqid(rand(), 1));
// Render the same token as a hidden field so the client can send it back
$auth = new Zend_Form_Element_Hidden('authtoken');
$auth->setValue($hash)
     ->setRequired(true)
     ->removeDecorator('HtmlTag')
     ->removeDecorator('Label');
Controller.php
$mysession = new Zend_Session_Namespace('authtoken');
$hash = $mysession->authtoken;
// $data holds the POSTed AJAX parameters; compare strictly so that PHP's
// loose string comparison cannot treat two different tokens as equal
if (isset($data['authtoken']) && $hash === $data['authtoken']) {
    print "success";
} else {
    print "you fail";
}
This seems to work and still stays relatively sane and secure. I would still rather use the Hash element, but I can't seem to get it to work with AJAX.
Thanks everyone.
小智 8
This is how to handle the hash field in an AJAX form:
class AuthController extends Zend_Controller_Action
{
    public function init()
    {
        // Let loginAction answer in JSON when the request asks for that format
        $contextSwitch = $this->_helper->getHelper('contextSwitch');
        $contextSwitch->addActionContext('login', 'json')
                      ->initContext();
    }

    public function loginAction()
    {
        $form = new Application_Form_Login();
        $request = $this->getRequest();
        if ($request->isPost()) {
            if ($form->isValid($request->getPost())) {
                // some code ..
            } else {
                // some code ..
                // Regenerate the hash and assign it to the view
                $form->hash->initCsrfToken();
                $this->view->hash = $form->hash->getValue();
            }
        }
        $this->view->form = $form;
    }
}
Then in your view script..
<?php $this->dojo()->enable()
           ->requireModule('dojox.json.query')
           ->onLoadCaptureStart() ?>
function() {
    var form = dojo.byId("login_form");
    dojo.connect(form, "onsubmit", function(event) {
        dojo.stopEvent(event);
        var xhrArgs = {
            form: form,
            handleAs: "json",
            load: function(data) {
                // assign the new hash to the field
                dojo.byId("hash").value = dojox.json.query("$.hash", data);
                // some code ..
            },
            error: function(error) {
                // some code ..
            }
        };
        var deferred = dojo.xhrPost(xhrArgs);
    });
}
<?php $this->dojo()->onLoadCaptureEnd() ?>
Hope it's not too late :D