Looking for breakthrough ideas for innovation challenges? Try Patsnap Eureka!

Method and device for cross-sit request forgery (CSRF) defense authentication

A technology of cross-site request forgery and authentication method, applied in the field of CSRF defense and authentication of cross-site request forgery, can solve the problems of increasing development cost, unable to save session data at the front end, unable to use the SESSION verification mechanism, etc., to achieve the effect of preventing replay attacks

Active Publication Date: 2017-05-31
NSFOCUS INFORMATION TECHNOLOGY CO LTD +1
View PDF10 Cites 20 Cited by
  • Summary
  • Abstract
  • Description
  • Claims
  • Application Information

AI Technical Summary

Problems solved by technology

[0003] In the prior art, when protecting against CSRF attacks, the commonly used methods are roughly as follows: one is to restrict user operations by inputting verification codes, which will not only increase development costs, but also seriously reduce user experience; The HTTPReferer restricts the source of the request. Although the development cost of this method is low, there is still a high risk of security; in addition, the legitimacy of the request is verified through the SESSION (session) verification mechanism. This method requires the server to bind the route , rendering template engine, etc., and in the front-end and back-end separation mode of the Web, no longer rely on the server-side language binding routing and rendering template engine, resulting in the front-end no longer having perfect SESSION and data storage functions, resulting in the front-end (browser) unable to Using SESSION to directly save the session data, it is impossible to use the SESSION verification mechanism to verify the legitimacy of the request

Method used

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
View more

Image

Smart Image Click on the blue labels to locate them in the text.
Viewing Examples
Smart Image
  • Method and device for cross-sit request forgery (CSRF) defense authentication
  • Method and device for cross-sit request forgery (CSRF) defense authentication
  • Method and device for cross-sit request forgery (CSRF) defense authentication

Examples

Experimental program
Comparison scheme
Effect test

Embodiment 1

[0035] Such as Figure 1a As shown, it is a schematic diagram of the implementation flow of the cross-site request forgery CSRF defense authentication method provided by Embodiment 1 of the present invention, which may include the following steps:

[0036] S11. Obtain a security password required for this data interaction.

[0037] During specific implementation, the security password is obtained through a login request sent to the server, and the login request includes the user name and password required for this login.

[0038] Specifically, when the client sends a login request to the server (when the user logs in to the browser with a user name and password), it calls the API interface of the login request to send a login request to the server, and the server verifies the login request based on the user name and password required for this login. Whether this login is passed, if yes, return the security password required for data interaction to the client, recorded as Token...

Embodiment 2

[0090] Such as Figure 2a As shown, it is a schematic diagram of the implementation flow of another cross-site request forgery CSRF defense authentication method provided by Embodiment 2 of the present invention, which may include the following steps:

[0091] S21. Receive a login request sent by the client, where the login request includes a username and password required for this login.

[0092] S22. Feed back a security password to the client after the login request is verified according to the user name and password.

[0093] Specifically, after receiving the login request sent by the client, the server can determine whether the login is successful according to the username and password used in the login request and from the pre-stored correspondence between the username and password, and if so, It is determined that the current login request is passed; otherwise, it is determined that the current login request fails.

[0094] After confirming that the login request is pas...

Embodiment 3

[0128] Based on the same inventive concept, an embodiment of the present invention also provides a cross-site request forgery CSRF defense authentication device. Since the principle of the above-mentioned device to solve the problem is similar to the cross-site request forgery CSRF defense authentication method, the implementation of the above-mentioned device can be found in the method The implementation of this method will not be repeated here.

[0129] Such as image 3 As shown, it is a schematic structural diagram of a cross-site request forgery CSRF defense authentication device provided by Embodiment 3 of the present invention, including: an acquisition unit 31 and a first sending unit 32, wherein:

[0130] The obtaining unit 31 is configured to obtain the security password required for this data interaction, the security password is obtained through a login request sent to the server, and the login request includes the user name and password required for this login;

...

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to View More

PUM

No PUM Login to View More

Abstract

The invention discloses a method and device for CSRF authentication. The method comprises the following steps: acquiring a secure password needed for this data interaction and sending data interaction requests to the server. The secure password is obtained by a login request sent to the server, which includes the user name and password required for the login. The data interaction request carries authentication information needed for the data interaction and the authentication information is used to indicate that the server authenticates the validity of the data interaction request, wherein the authentication information is determined according to the secure password. By adopting the method provided by the CSRF authentication defense method and device, not only can the protection of the CSRF attack be effectively realized, but also the tamper proof effect is achieved. To a certain extent, the CSRF defense authentication method and device can protect replay attacks and is more versatile.

Description

technical field [0001] The invention relates to the technical field of Web security, in particular to a cross-site request forgery CSRF defense authentication method and device. Background technique [0002] The early web system integrated the browser (front end) and server end (back end) into one project, resulting in a high degree of coupling between the front and back ends of the web in the actual development process, making it difficult to achieve professional division of labor, which seriously affects the development quality. In order to reduce the dependence of the Web front-end on the back-end, a Web front-end and back-end separation architecture is introduced. Under the separate front-end and back-end architecture of the Web, the front-end development does not affect the data processing operations of the back-end, and only needs to call the corresponding interface when the front-end and back-end data interact, such as using the RESTful API interface to complete the f...

Claims

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to View More

Application Information

Patent Timeline
no application Login to View More
Patent Type & Authority Applications(China)
IPC IPC(8): H04L29/06
CPCH04L63/08H04L63/1441
Inventor 潘钧康樊恒阳
Owner NSFOCUS INFORMATION TECHNOLOGY CO LTD
Who we serve
  • R&D Engineer
  • R&D Manager
  • IP Professional
Why Patsnap Eureka
  • Industry Leading Data Capabilities
  • Powerful AI technology
  • Patent DNA Extraction
Social media
Patsnap Eureka Blog
Learn More
PatSnap group products

Browse by: Latest US Patents, China's latest patents, Technical Efficacy Thesaurus, Application Domain, Technology Topic, Popular Technical Reports.

© 2024 PatSnap. All rights reserved.Legal|Privacy policy|Modern Slavery Act Transparency Statement|Sitemap|About US| Contact US: help@patsnap.com