Method and device for cross-sit request forgery (CSRF) defense authentication

Abstract

The invention discloses a method and device for CSRF authentication. The method comprises the following steps: acquiring a secure password needed for this data interaction and sending data interaction requests to the server. The secure password is obtained by a login request sent to the server, which includes the user name and password required for the login. The data interaction request carries authentication information needed for the data interaction and the authentication information is used to indicate that the server authenticates the validity of the data interaction request, wherein the authentication information is determined according to the secure password. By adopting the method provided by the CSRF authentication defense method and device, not only can the protection of the CSRF attack be effectively realized, but also the tamper proof effect is achieved. To a certain extent, the CSRF defense authentication method and device can protect replay attacks and is more versatile.

Description

technical field [0001] The invention relates to the technical field of Web security, in particular to a cross-site request forgery CSRF defense authentication method and device. Background technique [0002] The early web system integrated the browser (front end) and server end (back end) into one project, resulting in a high degree of coupling between the front and back ends of the web in the actual development process, making it difficult to achieve professional division of labor, which seriously affects the development quality. In order to reduce the dependence of the Web front-end on the back-end, a Web front-end and back-end separation architecture is introduced. Under the separate front-end and back-end architecture of the Web, the front-end development does not affect the data processing operations of the back-end, and only needs to call the corresponding interface when the front-end and back-end data interact, such as using the RESTful API interface to complete the f...

AI Technical Summary

Problems solved by technology

[0003] In the prior art, when protecting against CSRF attacks, the commonly used methods are roughly as follows: one is to restrict user operations by inputting verification codes, which will not only increase development costs, but also seriously reduce user experience; The HTTPReferer restricts the source of the request. Although the development cost of this method is low, there is still a high risk of security; in addition, the legitimacy of the request is verified through the SESSION (session) verification mechanism. This method requires the server to bind the route , rendering template engine, etc., and in the front-end and back-end separation mode of the Web, no longer rely on the server-side language binding routing and rendering template engine, resulting in the front-end no longer having perfect SESSION and data storage functions, resulting in the front-end (browser) unable to Using SESSION to directly save the session data, it is impossible to use the SESSION verification mechanism to verify the legitimacy of the request

Images