
CN111200603A - Data interaction method - Google Patents


Info

Publication number: CN111200603A
Authority: CN (China)
Prior art keywords: server, token, request, client, data
Legal status: Pending
Application number: CN201911392422.7A
Other languages: Chinese (zh)
Inventor: 徐亚磊
Current assignee: Nanjing Lvxiangyun Network Technology Co Ltd
Original assignee: Nanjing Lvxiangyun Network Technology Co Ltd
Priority date: 2019-12-30
Filing date: 2019-12-30
Publication date: 2020-05-26

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic, the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms

Landscapes

  • Engineering & Computer Science
  • Computer Security & Cryptography
  • Computer Hardware Design
  • Computing Systems
  • General Engineering & Computer Science
  • Computer Networks & Wireless Communication
  • Signal Processing
  • Health & Medical Sciences
  • General Health & Medical Sciences
  • Virology
  • Information Transfer Between Computers
  • Computer And Data Communications

Abstract

The invention discloses a data interaction method comprising the following steps: the client first sends an access request, using the OPTIONS method, to ask whether the server will accept a connection and data transfer; if the server grants permission, the client sends a second request (which may use methods such as GET, POST or PUT) that transmits the data to the server, with the data encrypted; otherwise no second request is generated and the server rejects the request outright. Compared with the prior art, the data interaction method effectively prevents CSRF attacks, improves program security, is simple for the user to operate, improves program extensibility and readability, and improves program running efficiency.

Description

Data interaction method
Technical Field
The invention relates to the technical field of internet, in particular to a data interaction method.
Background
With the rapid development of internet technology, many applications built on a browser kernel (i.e. WebApps, third-party applications based on web page technology) have been favored by users and app providers because of their low development cost, no need for installation, low adaptation cost across mobile devices and platforms, and the like. The main business presentation and interaction of a WebApp are carried by web pages, which are very flexible, but for businesses needing real-time operation the existing WebApp generally uses Ajax (Asynchronous JavaScript And XML) to realize data interaction: the web page is updated asynchronously by exchanging a small amount of data with the server in the background. This means that certain parts of the web page can be updated without reloading the entire page, whereas conventional web pages (not using Ajax) must reload the entire page whenever content needs to be updated.
Data interactions currently in common use include Ajax interactions, but such interactions are deficient in preventing CSRF (cross site request forgery), a malicious exploitation of websites. Although it sounds somewhat similar to XSS (cross site scripting), it is in fact very different: XSS exploits trusted users within a site, whereas CSRF exploits a trusted website by disguising requests as coming from trusted users.
Disclosure of Invention
The present invention aims to provide a data interaction method that solves the problems of the prior art, namely that CSRF attacks cannot be effectively prevented, program security is low, user operation is troublesome, and program extensibility, readability and running efficiency are low.
In order to achieve the purpose, the invention provides the following technical scheme: a method of data interaction, comprising:
(1) the client sends a first access request, using the OPTIONS method, to inquire whether the server will accept a connection and data transfer;
(2) if the server grants permission, the client sends a second request (which may use methods such as GET, POST or PUT) that transmits the data to the server, with the data encrypted; otherwise no second request is generated and the server rejects the request outright.
Preferably, for the data encryption, the server randomly and uniquely generates a string of codes, named the token, and sends it to the client. The server must set a validity period for the token; the client can interact with the server within that period, and if the token expires while the client is logged in, the client must replace the old token with a new one so that data interaction between client and server continues normally.
Preferably, when sending requests, the client stores the token received from the server as global state so that it can be used conveniently from anywhere, and the client must send the token to the server in a request header with every request (that is, regardless of whether the client sends OPTIONS, GET, POST, PUT or another method). The server checks the correctness and validity of the token as the first step on receiving a request, and if either check fails, the server rejects the request outright.
Preferably, when the server rejects a request, the token is verified in the entry file of the server. If the client request is a login request, token verification is skipped, and a token is generated and transmitted to the client; if token verification fails, an exception is thrown to the client and the client's request is terminated. When the client requests data from the server, the server sets the token value in a cookie in the response; setting the token in the cookie comprises: the server uses a Java function to set the token value, first setting the cookie field and then adding the cookie field to the response.
Preferably, to block other domain names, the server only allows the specified domain name to make requests, and requests from all other domain names are uniformly refused.
Preferably, when submitting a request, the client adds a hidden field to the form being submitted, whose value is the token value, so that the token is transmitted to the server at the same time the user submits the request.
Preferably, when processing client data, the server first takes out the token stored in the cookie and compares it with the token submitted by the client. If the two values are the same, the request is a normal request; if they differ, the server terminates further processing, since this indicates an abnormal request.
Preferably, when the client sends the OPTIONS request for the first time, the server sets the token value in the cookie.
Compared with the prior art, the data interaction method of the invention has the following beneficial effects:
(1) CSRF attacks are effectively prevented, increasing the security of the program;
(2) by preventing CSRF attacks, program security is improved;
(3) the method can be operated by ordinary technicians;
(4) the program can be extended with more content;
(5) program running efficiency is improved to a certain extent.
Drawings
FIG. 1 is a flow chart of a method for data interaction according to the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Referring to fig. 1, the present invention provides a technical solution: a method of data interaction, comprising:
(1) the client sends a first access request, using the OPTIONS method, to inquire whether the server will accept a connection and data transfer;
(2) if the server grants permission, the client sends a second request (which may use methods such as GET, POST or PUT) that transmits the data to the server, with the data encrypted; otherwise no second request is generated and the server rejects the request outright.
Further, for the data encryption, the server randomly and uniquely generates a string of codes, named the token, and sends it to the client. The server must set a validity period for the token; the client can interact with the server within that period, and if the token expires while the client is logged in, the client must replace the old token with a new one to ensure normal data interaction between client and server.
Further, when sending requests, the client stores the token received from the server as global state so that it can be used conveniently from anywhere, and the client must send the token to the server in a request header with every request (that is, regardless of whether the client sends OPTIONS, GET, POST, PUT or another method). The server judges the correctness and validity of the token as the first step on receiving a request, and if either check fails, the server rejects the request outright.
Further, when the server rejects a request, the token is verified in the entry file of the server. If the client request is a login request, token verification is skipped, and a token is generated and transmitted to the client; if token verification fails, an exception is thrown to the client and the client's request is terminated. When the client requests data from the server, the server sets the token value in a cookie in the response; setting the token in the cookie comprises: the server uses a Java function to set the token value, first setting the cookie field and then adding the cookie field to the response.
Further, to block other domain names, the server only allows the specified domain name to make requests, and requests from all other domain names are uniformly refused.
Further, when submitting a request, the client adds a hidden field to the form being submitted, whose value is the token value, so that the token is transmitted to the server at the same time the user submits the request.
Further, when processing client data, the server first takes out the token stored in the cookie and compares it with the token submitted by the client. If the two values are the same, the request is a normal request; if they differ, the server terminates further processing, since this indicates an abnormal request.
Further, when the client sends the OPTIONS request for the first time, the server sets the token value in the cookie.
The above alternative solutions may be combined arbitrarily to form alternative embodiments of the present invention.
The program may be stored on a server (e.g., the airy cloud), and once the program is installed, one skilled in the art can understand that the above-described embodiment is implemented.
Although the present invention has been described in detail with reference to the foregoing embodiments, it will be apparent to those skilled in the art that various changes in the embodiments and/or modifications of the invention can be made, and equivalents and modifications of some features of the invention can be made without departing from the spirit and scope of the invention.

Claims (8)

1. A method of data interaction, comprising:
(1) the client sends a first access request, using the OPTIONS method, to inquire whether the server will accept a connection and data transfer;
(2) if the server grants permission, the client sends a second request (which may use methods such as GET, POST or PUT) that transmits the data to the server, with the data encrypted; otherwise no second request is generated and the server rejects the request outright.
2. The method of claim 1, wherein: in the process of data encryption, the server randomly and uniquely generates a string of codes, named the token, and sends it to the client; the server must set a validity period for the token, within which the client and the server can perform data interaction; and if the token expires while the client is logged in, the client replaces the old token with a new token, so that normal data interaction between the client and the server is guaranteed.
3. The method of claim 1, wherein: in the process of sending requests, the client stores the token sent by the server as global state so that it can be used conveniently from anywhere; the client must send the token to the server in a request header with every request (that is, regardless of whether the client sends OPTIONS, GET, POST, PUT or another method); and the server judges the correctness and validity of the token as the first step on receiving a request, rejecting the request outright if either check fails.
4. The method of claim 1, wherein: in the process of the server rejecting a request, the token is verified in the entry file of the server; if the client request is a login request, token verification is skipped and a token is generated and transmitted to the client; if token verification fails, an exception is thrown to the client and the client's request is terminated; and when the client requests data from the server, the server sets the token value in a cookie in the response, which comprises the following steps: the server uses a Java function to set the token value, first setting the cookie field and then adding the cookie field to the response.
5. The method of claim 1, wherein: in the process of blocking other domain names, the server only allows the specified domain name to make requests, and requests from all other domain names are uniformly refused.
6. The method of claim 1, wherein: in the process of the client submitting a request, the client adds a hidden field to the form being submitted, whose value is the token value, so that the token is transmitted to the server together with the request when the user submits it.
7. The method of claim 1, wherein: in the process of the server processing client data, the server first takes out the token stored in the cookie and compares it with the token submitted by the client; if the two values are the same, the request is a normal request; and if the token value cannot be obtained from the cookie, or the two values differ, further processing is terminated, since this indicates an abnormal request.
8. The method of claim 1, wherein: in the process of the client requesting the server, when the client sends the OPTIONS request for the first time, the server sets the token value in the cookie.

Priority Applications (1)

Application Number   Priority Date   Filing Date   Title
CN201911392422.7A    2019-12-30      2019-12-30    Data interaction method (CN111200603A)

Applications Claiming Priority (1)

Application Number   Priority Date   Filing Date   Title
CN201911392422.7A    2019-12-30      2019-12-30    Data interaction method (CN111200603A)

Publications (1)

Publication Number   Publication Date
CN111200603A         2020-05-26

Family

ID=70747099

Family Applications (1)

Application Number   Title                     Priority Date   Filing Date   Status
CN201911392422.7A    Data interaction method   2019-12-30      2019-12-30    Pending

Country Status (1)

Country   Link
CN (1)    CN111200603A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number   Priority date   Publication date   Assignee   Title
CN103312666A (en) *   2012-03-09   2013-09-18   腾讯科技(深圳)有限公司   Method, system and device for preventing CSRF (cross site request forgery) attack
CN106411948A (en) *   2016-11-28   2017-02-15   浪潮软件集团有限公司   A method of security authentication interception based on a JSON verification code
US20180077256A1 (en) *   2009-05-19   2018-03-15   Virtual World Computing, Llc   Secure communications system and method
CN110572395A (en) *   2019-09-09   2019-12-13   车智互联(北京)科技有限公司   Identity verification method and system

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
DENZEL: "CORS cross-origin requests: simple requests and preflight requests (sending a token in the request header)", HTTPS://SEGMENTFAULT.COM/A/1190000009971254 *
红心李: "Token-based web backend authentication mechanism", HTTPS://WWW.CNBLOGS.COM/XIEKELI/P/5607107.HTML *

Similar Documents

Publication Publication Date Title
US8528076B2 (en) Method and apparatus for authenticating online transactions using a browser and a secure channel with an authentication server
US8438382B2 (en) Credential management system and method
CN103944900B (en) It is a kind of that attack prevention method and its device are asked across station based on encryption
US7606915B1 (en) Prevention of unauthorized scripts
CN100369030C (en) Method and system for identifying & transmitting verifiable authorization among complete heterogeneous network area
EP2144420B1 (en) Web application security filtering
JP7564244B2 (en) Anonymous Authentication with Token Redemption
US10778668B2 (en) HTTP session validation module
US8924553B2 (en) Multifactor validation of requests to thwart cross-site attacks
CN107634967B (en) A CSRFToken defense system and method for CSRF attack
US8904521B2 (en) Client-side prevention of cross-site request forgeries
US20110131416A1 (en) Multifactor validation of requests to thwart dynamic cross-site attacks
US9338173B2 (en) Methods and apparatuses for avoiding damage in network attacks
Bin et al. A DNS based anti-phishing approach
US8024782B2 (en) Cumulative login credit
Siddiqui et al. Cross site request forgery: A common web application weakness
CN111200603A (en) Data interaction method
CN108737331A (en) Cross-domain communication method and cross-domain communication system
CN106130996A (en) A kind of website attack protection checking system and method
Saito et al. An authorization scheme concealing client's access from authentication server
WO2010070456A2 (en) Method and apparatus for authenticating online transactions using a browser
Iso et al. A Proposal and Implementation of an ID Federation that Conceals a Web Service from an Authentication Server
Nagpal et al. Additional authentication technique: an efficient approach to prevent cross-site request forgery attack

Legal Events

Code   Title                                                         Description
PB01   Publication                                                   Application publication date: 20200526
SE01   Entry into force of request for substantive examination
RJ01   Rejection of invention patent application after publication