本文由我司收集整编,推荐下载,如有疑问,请与我司联系jQuery GetJSON 安全问题。复制URL 并在浏览器中粘贴jQuery GetJSON 安全问题。复制URL 并在浏览器中粘贴[英]jQuery GetJSON Security Issues. Copying URL and pasting in the browser I am using the jQuery GetJSON
call in my ASP page. It is something like the following code:
我正在我的ASP 页面中使用jQuery GetJSON 调用。它类似于以下代码:
$.ajax({ url: myUrl/myPage.aspx?callback=BookARoom, dataType: ‘json’This will actually end up in a room being booked in my system, but the issue is that if a user copies
this URL and pastes it in a browser, the room would get booked. Since he already has the
session, I can’t differentiate it in the ASP Pages. How can I prevent this?
这实际上会在我的系统中被预订的房间中结束,但是问题是如果用户复制这个
URL 并将它粘贴到浏览器中,房间就会被预订。由于他已经有了会话,我无法在
ASP 页面中区分它。我该如何预防呢?
这里有两个问题。
First problem: GET requests are supposed to be safe. There are lots of things that can
trigger a GET request. If you are changing state based on a GET request, your code is
dangerously broken. Use POST.
第一个问题:GET 请求应该是安全的。有很多东西可以触发GET 请求。如果您正
在基于一个GET 请求更改状态,那么您的代码将会受到危险的破坏。使用POST。
Secondly, other websites can cause your user to make requests to your website. This is
known as Cross-Site Request Forgery. The typical solution is to require a nonce with each
request. Because the nonce is unknown to the other website, they can no longer forge
requests. The link I provided will give you further reading on alternative solutions.
其次,其他网站会导致你的用户对你的网站提出请求。这被称为跨站点请求伪