???????????????????????????99%??CSRF????????????1%??....?????????Cookie???????????????XSS???????????????????1%?????????????????????Hash??????????????????Щ??????????????????????????????????
????(2).?????
??????????????·?????ε??????????????????????д????????????????????....?????????????????CSRF????????????????????????????????????????????????????????漰??????????MHTML??Bug?????????Щ?汾?????IE???????
????(3).One-Time Tokens(???????????????????α????)
?????????One-Time Tokens??????????????“???л??????”?????????????????????????????????????CSRF????????????????????κα????????????????????α??????????????????α???????????????α????????????????????????????????????????????????????????????з????α??????????С??????????CSRF???????????????????????????????????????????????????
??????????????:
????1).???????????????(gen_token())??
????<?php
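/**
 * Generate a fresh anti-CSRF token for the current session.
 *
 * The original built the token as md5(uniqid(rand(), true)). uniqid() is
 * derived from the current time and rand() is not a cryptographic generator,
 * so an attacker who can estimate when the token was minted can narrow the
 * search space considerably. random_bytes() draws from the OS CSPRNG instead.
 * 16 random bytes give 128 bits of entropy and, hex-encoded, the same 32-character
 * shape as the md5 hex digest, so existing storage/compare code keeps working.
 *
 * @return string 32 lowercase hex characters
 * @throws \Exception if no secure source of randomness is available
 */
function gen_token(): string
{
    return bin2hex(random_bytes(16));
}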
????2).?????Session???????????(gen_stoken())??
????<?php
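/**
 * Make sure the session holds an anti-CSRF token, minting one if it does not.
 *
 * The original tested `$_SESSION[STOKEN_NAME] == ""`: on a fresh session the
 * index does not exist yet (undefined-index notice), and the loose `==` also
 * treats null/false as equal to "". The check below spells out the three
 * "no usable token" cases — missing, null, empty string — with strict
 * comparison, and leaves an existing token untouched so forms rendered
 * earlier in the session still validate.
 *
 * Assumes session_start() has already run and STOKEN_NAME is defined
 * (both happen in the including page, not here).
 *
 * @return void
 */
function gen_stoken(): void
{
    // Missing or empty: no token has been issued for this session yet.
    if (!isset($_SESSION[STOKEN_NAME]) || $_SESSION[STOKEN_NAME] === '') {
        $_SESSION[STOKEN_NAME] = gen_token();
    }
    // Otherwise keep the current token; regenerating per request would
    // invalidate any form the user already has open.
}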
?????>
????3).WEB???????????????????????
????<?php
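/**
 * Print the hidden form field that carries the session's anti-CSRF token.
 *
 * gen_stoken() is called first so the session is guaranteed to hold a token.
 * The original echoed FTOKEN_NAME and the session value straight into HTML
 * attributes; both are escaped here with htmlspecialchars(). The token from
 * gen_token() is plain hex, so this is defensive, but it keeps the markup
 * well-formed if the session value is ever written by other code.
 *
 * Assumes session_start() has run and FTOKEN_NAME / STOKEN_NAME are defined.
 *
 * @return void
 */
function gen_input(): void
{
    gen_stoken();
    // ENT_QUOTES: the values sit inside double-quoted attributes.
    printf(
        '<input type="hidden" name="%s" value="%s">',
        htmlspecialchars((string) FTOKEN_NAME, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'),
        htmlspecialchars((string) $_SESSION[STOKEN_NAME], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
    );
}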
?????>
????4).WEB???????
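<?php
// The session must be active before gen_input() reads or writes $_SESSION,
// and before any output is sent (session_start() sets the cookie header).
session_start();
// The token helpers (gen_token, gen_stoken, gen_input) live in functions.php;
// the form below cannot render without them, so a missing file is fatal.
require "functions.php";
?>
<!-- Straight ASCII quotes throughout: the curly quotes in the original
     listing are not valid HTML attribute delimiters. -->
<form method="POST" action="transfer.php">
<input type="text" name="toBankId">
<input type="text" name="money">
<?php gen_input(); ?>
<input type="submit" name="submit" value="Submit">
</form>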
????5).????????????
????????????????????????
???????????????????????“???л??????”???????????????????????