
CN111259296A - Method and system for ensuring ordering of Web resource requests - Google Patents


Info

Publication number
CN111259296A
Authority
CN
China
Prior art keywords
access request
parent
module
request
web resource
Legal status (as listed by Google Patents; not a legal conclusion)
Granted
Application number
CN202010038343.2A
Other languages
Chinese (zh)
Other versions
CN111259296B (en)
Inventor
郭黎明
谢强
陈国庆
Current Assignee (as listed by Google Patents)
Wuhan Jiyi Network Technology Co ltd
Original Assignee
Wuhan Jiyi Network Technology Co ltd
Events
Application filed by Wuhan Jiyi Network Technology Co ltd
Priority to CN202010038343.2A
Publication of CN111259296A
Application granted
Publication of CN111259296B
Current legal status: Active


Classifications

    • G PHYSICS
      • G06 COMPUTING OR CALCULATING; COUNTING
        • G06F ELECTRIC DIGITAL DATA PROCESSING
          • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
            • G06F16/90 Details of database functions independent of the retrieved data types
              • G06F16/901 Indexing; Data structures therefor; Storage structures
                • G06F16/9024 Graphs; Linked lists
              • G06F16/95 Retrieval from the web
                • G06F16/955 Retrieval from the web using information identifiers, e.g. uniform resource locators [URL]
                  • G06F16/9566 URL specific, e.g. using aliases, detecting broken or misspelled links
                • G06F16/958 Organisation or management of web site content, e.g. publishing, maintaining pages or automatic linking
          • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
            • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
              • G06F21/45 Structures or tools for the administration of authentication
                • G06F21/46 Structures or tools for the administration of authentication by designing passwords or checking the strength of passwords
            • G06F21/60 Protecting data
              • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Databases & Information Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • Data Mining & Analysis (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer And Data Communications (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The invention provides a method and a system for ensuring the ordering of Web resource requests. The method comprises: constructing a Web resource directed graph and setting a password for each Web resource; when the server receives an access request, judging whether the Web resource it asks for corresponds to a root node of the Web resource directed graph; if so, passing the access request, processing it, and adding an HTTP header to the reply; otherwise, checking whether the HTTP header of the current access request is legal: if the check passes, passing and processing the request and again adding an HTTP header to the reply; if it fails, judging the access request to be illegal and returning an error or discarding the request outright. The beneficial effect of the invention is that verifiable information and a timestamp generated by the server are used in the interaction, which can effectively prevent request forgery and replay, applies to more scenarios, and is more general.

Description

Method and system for ensuring ordering of Web resource requests
Technical Field
The invention relates to the field of computer networks, in particular to a method and a system for ensuring the ordering of Web resource requests.
Background
A Web resource is a resource provided by a content service provider in everyday Internet access, and a Web resource request is a request initiated by a user to the content service provider to access such a resource; the request is made through a Web address (URL). A Web address has three parts: the protocol header, the domain name (Domain) and the Uniform Resource Identifier (URI). For the address https://www.baidu.com/index.html, the protocol header is https, the domain name is www.baidu.com and the URI is /index.html. Every Web site has an inherent order in which its pages are accessed, and malicious Web resource requests violate that order.
Claim 7 of the Chinese patent "Method and apparatus for detecting malicious HTTP requests", patent number 200810224571.8, discloses a method for judging whether an HTTP request conforms to the Web site's inherent page access order: (b1) extract the two protocol field values Referer and URI from the HTTP request header; (b2) judge whether the Web page pointed to by the URI is a key node in the Web access relation network; if so, execute step (b3), otherwise treat the HTTP request as abnormal and end the process; (b3) check whether the Referer satisfies three conditions at once, among them that the Referer is not null and that a node corresponding to the Web page pointed to by the Referer exists in the Web access relation network; if the Referer does not satisfy all three conditions simultaneously, the request is reported as a malicious HTTP request.
The above method has the following disadvantages: (1) the Referer can be forged at will and is therefore not trustworthy; (2) the method does not prevent replay; (3) some Web site services are embedded in third-party sites, so the Referer they receive is a page of the third-party site and cannot be predicted.
Disclosure of Invention
In view of this, the present invention provides a method and a system for ensuring the ordering of Web resource requests, which verify the ordering of Web resource requests by adding extra information to the HTTP header.
The invention provides a method for ensuring the ordering of Web resource requests, comprising the following steps:
S1, the control server constructs a Web resource directed graph from the Web resources provided by the content service provider, and sets a password for each Web resource according to the URI of that Web resource;
S2, when the server receives an access request from the client, it judges whether the Web resource the access request asks for corresponds to a root node of the Web resource directed graph; if so, the server passes the access request and processes it, and in its reply gives the client an HTTP header to be added to the client's next access request, then goes to S6; otherwise it executes step S3. The HTTP header comprises a client identifier uid, the reply timestamp t, a field parent recording the URI of the current access request, and a check code key computed as
key = md5{uid + t + parent + secret(parent)},
where secret(parent) denotes the password corresponding to parent;
S3, the server checks whether the HTTP header of the current access request contains all of uid, t, parent and key; if all are present, it continues with step S4; otherwise it judges the access request illegal and goes to S5;
S4, the server checks in turn whether t, parent and key in the HTTP header of the current access request are legal; if the check passes, the server passes the access request and processes it, and in its reply again gives the client a new HTTP header to be added to the next access request, then goes to S6; otherwise it judges the access request illegal and goes to S5;
S5, when the access request has been judged illegal, the server returns an error to the client or discards the access request outright, then goes to S6;
S6, the current processing flow ends.
Further, the Web resource directed graph comprises access nodes and directed edges, where each access node corresponds to one Web resource and a directed edge indicates that a direct access path exists from its start node to its end node; the parent node(s) corresponding to each access node are determined while constructing the Web resource directed graph.
Further, the specific process of step S4 is as follows:
S41, judge whether t lies within the designated range; if so, continue with step S42, otherwise the check fails;
S42, judge whether the URI recorded in parent is among the parent nodes of the access node corresponding to the URI of the current access request; if so, continue with step S43, otherwise the check fails;
S43, compute md5{uid + t + parent + secret(parent)} from the uid, t and parent in the HTTP header of the current access request and judge whether the result equals the key value in the HTTP header; if so, the check passes, otherwise it fails.
Further, in step S4 the uid in the new HTTP header is taken directly from the HTTP header of the current access request, t is the reply time, parent is the URI of the current access request, and key is computed from these updated uid, t and parent by md5{uid + t + parent + secret(parent)}.
The invention also provides a system for ensuring the ordering of Web resource requests, comprising:
a Web resource directed graph construction module, used by the control server to construct a Web resource directed graph from the Web resources provided by the content service provider and to set a password for each Web resource according to its URI;
a root node judgment module, used when the server receives an access request from the client to judge whether the Web resource the access request asks for corresponds to a root node of the Web resource directed graph; if so, the server passes the access request and processes it, and in its reply gives the client an HTTP header to be added to the next access request, then control passes to the flow ending module; otherwise control passes to the HTTP header judgment module. The HTTP header comprises a client identifier uid, the reply timestamp t, a field parent recording the URI of the current access request, and a check code key = md5{uid + t + parent + secret(parent)}, where secret(parent) denotes the password corresponding to parent;
an HTTP header judgment module, used by the server to judge whether the HTTP header of the current access request contains all of uid, t, parent and key; if so, control passes to the HTTP header check module; otherwise the access request is judged illegal and control passes to the illegal request processing module;
an HTTP header check module, used by the server to check in turn whether t, parent and key in the HTTP header of the current access request are legal; if the check passes, the server passes the access request and processes it, and in its reply again gives the client a new HTTP header to be added to the next access request, then control passes to the flow ending module; otherwise the access request is judged illegal and control passes to the illegal request processing module;
an illegal request processing module, used by the server, once an access request has been judged illegal, to return an error to the client or discard the access request outright, after which control passes to the flow ending module;
and a flow ending module, used to end the current processing flow.
Further, the Web resource directed graph constructed by the Web resource directed graph construction module comprises access nodes and directed edges, where each access node corresponds to one Web resource and a directed edge indicates that a direct access path exists from its start node to its end node; the module also determines the parent node(s) corresponding to each access node.
Further, the HTTP header check module comprises:
a first judgment sub-module, which judges whether t lies within the specified range; if so, control passes to the second judgment sub-module, otherwise the check of the HTTP header check module fails;
a second judgment sub-module, which judges whether the URI recorded in parent is among the parent nodes of the access node corresponding to the URI of the current access request; if so, control passes to the third judgment sub-module, otherwise the check of the HTTP header check module fails;
and a third judgment sub-module, which computes md5{uid + t + parent + secret(parent)} from the uid, t and parent in the HTTP header of the current access request and judges whether the result equals the key value in the HTTP header; if so, the check of the HTTP header check module passes, otherwise it fails.
Furthermore, in the new HTTP header added by the HTTP header check module, uid is taken directly from the HTTP header of the current access request, t is the reply time, parent is the URI of the current access request, and key is computed from the updated uid, t and parent by the formula md5{uid + t + parent + secret(parent)}.
The beneficial effect of the technical scheme provided by the invention is that verifiable information and a timestamp generated by the server are used in the interaction, which can effectively prevent request forgery and replay, applies to more scenarios, and is more general.
Drawings
FIG. 1 is a flowchart of a method for ensuring the ordering of Web resources according to an embodiment of the present invention;
FIG. 2 is a Web resource directed graph constructed according to an embodiment of the present invention;
fig. 3 is a system structure diagram for ensuring the ordering of Web resources according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, embodiments of the present invention will be further described with reference to the accompanying drawings.
Referring to fig. 1, an embodiment of the present invention provides a method for ensuring ordering of a Web resource request, including the following steps:
S1, the control server constructs a Web resource directed graph from the Web resources provided by the content service provider, and sets a password secret for each Web resource according to its Uniform Resource Identifier (URI), for use in the subsequent cryptographic processing.
For example, a shopping Web site with domain name https://www.buy.com contains Web resource pages such as login (/login), commodity browsing (/view), order placement (/order), order cancellation (/cancel), payment (/pay) and logout (/logout). If the site requires that commodities can only be browsed after login, the simplified normal access logic is: the user must log in before browsing commodities; browsing may be repeated any number of times, and only after browsing can a commodity be selected and ordered; after placing an order the user either pays or cancels the order; and at any stage after a successful login the user may choose to log out.
A Web resource directed graph is constructed from this access logic. As shown in FIG. 2, it comprises access nodes and directed edges; each access node corresponds to one Web resource, and a directed edge indicates that a direct access path exists from its start node to its end node. A password is set for each Web resource according to its URI, and the parent node(s) of each access node are determined from the graph, as listed in Table 1.
TABLE 1 Web resources and corresponding passwords
(Table 1 is reproduced as an image in the original and is not available here.)
A root node must be determined while constructing the Web resource directed graph; in Table 1 the access node "/login" has no parent node, that is, it is the root node of the Web resource directed graph.
S2, when the server receives an access request from the client, it judges whether the Web resource the access request asks for corresponds to a root node of the Web resource directed graph. If so, the server passes the access request and processes it, and in its reply gives the client an HTTP header to be added to the client's next access request, then goes to S6. The HTTP header comprises a client identifier uid, the reply timestamp t, a field parent holding the URI of the current access request, and a check code key computed as
key = md5{uid + t + parent + secret(parent)},
where secret(parent) denotes the password corresponding to parent. Otherwise, step S3 is executed. For the root node "/login" shown in FIG. 2, referring to Table 1, parent is "/login" and the password corresponding to that parent is "loginExampleKey".
S3, the server checks whether the HTTP header of the current access request contains all of uid, t, parent and key; if so, it continues with step S4; otherwise the access request is judged illegal.
S4, the server checks in turn whether t, parent and key in the HTTP header of the current access request are legal; if the check passes, the server passes the access request and processes it, and in its reply again gives the client a new HTTP header to be added to the next access request, then goes to S6; otherwise the access request is judged illegal and the flow goes to S5.
Specifically, step S4 proceeds as follows:
S41, judge whether t lies within the designated range, for example within one minute of the current time; if so, continue with step S42, otherwise the access request is judged illegal;
S42, referring to Table 1, judge whether the URI recorded in parent is among the parent nodes of the access node corresponding to the URI of the current access request; if so, continue with step S43, otherwise the access request is judged illegal;
S43, check whether the key value of the current access request is correct: compute md5{uid + t + parent + secret(parent)} from the uid, t and parent in the HTTP header of the current access request and judge whether the result equals the key value in the header. If so, the access request is passed and processed, and the reply gives the client a new HTTP header to be added to the next access request, in which uid is taken directly from the HTTP header of the current access request, t is the reply time, parent is the URI of the current access request, and key is computed from these updated uid, t and parent by md5{uid + t + parent + secret(parent)}; otherwise the access request is judged illegal.
S5, when the access request has been judged illegal, the server returns an error to the client or discards the access request outright, then goes to S6.
S6, the current processing flow ends.
For the Web resource directed graph shown in FIG. 2, a legal timestamp t satisfies 0 < (current time - t) < 60 s. A specific application runs as follows. The user visits https://www.buy.com and the client sends access request 1, "/login". On receiving request 1 the server determines that it targets the root node of the Web resource directed graph; the current time is 1000, and the reply asks the client to add the following to its next access request:
HTTP header 1: uid = user1, t = 1000, parent = /login, key = md5(user1 + 1000 + /login + secret(/login));
The user then browses commodities normally and the client sends access request 2, "/view", carrying HTTP header 1. On receiving request 2 the server first determines that it does not target a root node and that it carries a complete HTTP header; it then checks that the difference between the current time and the timestamp t = 1000 in the header is less than 60 s; referring to Table 1, it confirms that the "/login" recorded in parent is a parent node of the access node "/view" of the current request; and after checking that the key value is correct it judges request 2 legal. At time 1002 the reply asks the client to add to its next access request:
HTTP header 2: uid = user1, t = 1002, parent = /view, key = md5(user1 + 1002 + /view + secret(/view));
Likewise, the user continues browsing and the client sends access request 3, "/view", carrying HTTP header 2. After the server has judged request 3 legal, at time 1004 the reply asks the client to add to its next access request:
HTTP header 3: uid = user1, t = 1004, parent = /view, key = md5(user1 + 1004 + /view + secret(/view));
In this way the normal access order is maintained. Note that a replayed request still carries the HTTP header of the request being replayed: if the user replays access request 2 at time 1004, the copy carries HTTP header 1, whose t = 1000 is still inside the window, so that single replay passes the checks of S41 to S43; if the malicious user keeps replaying the request, the growing difference between the timestamp t in the header and the current time exceeds the window and the replays are identified and rejected.
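The steps S1 to S6 and the trace of requests 1 to 3 above, as an added example in Python that is not part of the patent or of any implementation by the applicant. The graph edges follow the shopping-site scenario of FIG. 2; only the /login password ("loginExampleKey") is given on the page, so the other per-resource passwords, the client identifier "user1" being assigned when the root node is served, and the refusal of URIs that are not nodes of the graph are assumptions. make_key reproduces the page's formula literally (MD5 over the undelimited concatenation of uid, t, parent and secret(parent)), and S41 uses the page's window 0 < (current time - t) < 60 s. walk_example replays the trace and then probes the outcomes a practitioner will want to see: a request with no header, a request whose parent is not a predecessor of the requested node, a header whose parent field was altered (the key no longer verifies), a header older than the window, and a replay of HTTP header 1 inside the window, which the checks accept, as the note above implies.

```python
import hashlib
import hmac

# Constructed graph for the shopping-site scenario of FIG. 2: edges run parent -> child.
EDGES = [
    ("/login", "/view"), ("/view", "/view"), ("/view", "/order"),
    ("/order", "/pay"), ("/order", "/cancel"),
    ("/login", "/logout"), ("/view", "/logout"), ("/order", "/logout"),
    ("/pay", "/logout"), ("/cancel", "/logout"),
]
# Only "loginExampleKey" appears on the page; the other passwords are assumptions.
SECRETS = {
    "/login": "loginExampleKey", "/view": "viewExampleKey",
    "/order": "orderExampleKey", "/pay": "payExampleKey",
    "/cancel": "cancelExampleKey", "/logout": "logoutExampleKey",
}
WINDOW = 60  # seconds; S41 on the page is 0 < (current time - t) < 60


def build_parents(edges):
    """S1: parent set of every access node. A node with no parents is a root."""
    parents = {}
    for src, dst in edges:
        parents.setdefault(src, set())
        parents.setdefault(dst, set()).add(src)
    return parents


PARENTS = build_parents(EDGES)
ROOTS = {node for node, ps in PARENTS.items() if not ps}


def make_key(uid, t, parent):
    """key = md5(uid + t + parent + secret(parent)), exactly as the page writes it:
    plain string concatenation, no delimiter, MD5."""
    data = f"{uid}{t}{parent}{SECRETS[parent]}".encode()
    return hashlib.md5(data).hexdigest()


def issue_header(uid, now, uri):
    """Header the reply asks the client to send with its next request (S2/S4):
    uid carried over, t = reply time, parent = URI just served."""
    return {"uid": uid, "t": str(now), "parent": uri, "key": make_key(uid, now, uri)}


def handle(uri, header, now, uid_for_root="user1"):
    """Server side of S2 to S5. Returns ("ok", next_header) or ("reject", reason)."""
    if uri not in PARENTS:
        return ("reject", "unknown_uri")  # assumption: URIs outside the graph are refused
    if uri in ROOTS:  # S2: a root node needs no header
        return ("ok", issue_header(uid_for_root, now, uri))
    # S3: all four fields must be present
    if not header or not all(k in header for k in ("uid", "t", "parent", "key")):
        return ("reject", "missing_header")
    # S41: timestamp inside the window
    try:
        age = now - int(header["t"])
    except ValueError:
        return ("reject", "bad_t")
    if not 0 < age < WINDOW:
        return ("reject", "bad_t")
    # S42: parent must be a predecessor of the requested node
    parent = header["parent"]
    if parent not in PARENTS[uri]:
        return ("reject", "bad_parent")
    # S43: recompute key over the presented fields with the server-side secret
    expected = make_key(header["uid"], header["t"], parent)
    if not hmac.compare_digest(expected, header["key"]):
        return ("reject", "bad_key")
    return ("ok", issue_header(header["uid"], now, uri))


def walk_example():
    """Replays the page's trace (requests 1 to 3) and adds five extra probes."""
    results = {}
    _, h1 = handle("/login", None, now=1000)  # request 1 -> HTTP header 1
    _, h2 = handle("/view", h1, now=1002)     # request 2 -> HTTP header 2
    _, h3 = handle("/view", h2, now=1004)     # request 3 -> HTTP header 3
    results["trace"] = (h1["parent"], h2["parent"], h3["parent"], h3["t"])
    results["order_ok"] = handle("/order", h3, now=1005)[0]
    results["no_header"] = handle("/pay", None, now=1005)[1]
    results["skip_ahead"] = handle("/pay", h1, now=1005)[1]  # /login is not a parent of /pay
    forged = dict(h1, parent="/order")                        # right parent, stale key
    results["tampered"] = handle("/pay", forged, now=1005)[1]
    results["stale"] = handle("/view", h1, now=1061)[1]       # 61 s old
    results["replay_in_window"] = handle("/view", h1, now=1004)[0]  # accepted
    return results


if __name__ == "__main__":
    for name, value in walk_example().items():
        print(f"{name}: {value}")
```

Running the file prints each outcome; the last probe shows why the page's own note says only sustained replay is caught: the server keeps no record of headers it has already seen, so any header is valid for every child of its parent until the window closes. Two points about the formula as printed on the page: the fields are concatenated without a delimiter, so different (uid, t, parent) triples can yield the same input string, and MD5 over a secret-suffixed message is not a standard message authentication code; a deployment would use an HMAC over delimited fields, which is a one-line change in make_key. The example keeps the page's construction so the trace can be compared against the text.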
Referring to FIG. 3, this embodiment further provides a system for ensuring the ordering of Web resource requests, comprising a Web resource directed graph construction module 1, a root node judgment module 2, an HTTP header judgment module 3, an HTTP header check module 4, an illegal request processing module 5 and a flow ending module 6.
The Web resource directed graph construction module 1 is used by the control server to construct a Web resource directed graph from the Web resources provided by the content service provider and to set a password for each Web resource according to its URI; the Web resource directed graph comprises access nodes and directed edges, where each access node corresponds to one Web resource and a directed edge indicates that a direct access path exists from its start node to its end node; module 1 also determines the parent node(s) corresponding to each access node.
The root node judgment module 2 is used when the server receives an access request from the client to judge whether the Web resource the access request asks for corresponds to a root node of the Web resource directed graph; if so, the server passes the access request and processes it, and in its reply gives the client an HTTP header to be added to the next access request, then control passes to the flow ending module 6; otherwise control passes to the HTTP header judgment module 3. The HTTP header comprises a client identifier uid, the reply timestamp t, a field parent recording the URI of the current access request, and a check code key = md5{uid + t + parent + secret(parent)}, where secret(parent) denotes the password corresponding to parent.
The HTTP header judgment module 3 is used by the server to judge whether the HTTP header of the current access request contains all of uid, t, parent and key; if so, control passes to the HTTP header check module 4; otherwise the access request is judged illegal and control passes to the illegal request processing module 5.
The HTTP header check module 4 is used by the server to check in turn whether t, parent and key in the HTTP header of the current access request are legal; if the check passes, the server passes the access request and processes it, and in its reply again gives the client a new HTTP header to be added to the next access request, then control passes to the flow ending module 6; otherwise the access request is judged illegal and control passes to the illegal request processing module 5.
Note that in the new HTTP header, uid is taken directly from the HTTP header of the current access request, t is the reply time, parent is the URI of the current access request, and key is computed from the updated uid, t and parent by md5{uid + t + parent + secret(parent)}.
Specifically, the HTTP header check module 4 further comprises:
a first judgment sub-module, which judges whether t lies within the specified range; if so, control passes to the second judgment sub-module, otherwise the check of the HTTP header check module 4 fails;
a second judgment sub-module, which judges whether the URI recorded in parent is among the parent nodes of the access node corresponding to the URI of the current access request; if so, control passes to the third judgment sub-module, otherwise the check of the HTTP header check module 4 fails;
and a third judgment sub-module, which computes md5{uid + t + parent + secret(parent)} from the uid, t and parent in the HTTP header of the current access request and judges whether the result equals the key value in the HTTP header; if so, the check of the HTTP header check module 4 passes, otherwise it fails.
The illegal request processing module 5 is used, once an access request has been judged illegal, to return an error to the client or discard the access request outright, after which control passes to the flow ending module 6.
The flow ending module 6 is used to end the current processing flow.
In this document, the terms front, back, upper and lower are used to define the components in the drawings and the positions of the components relative to each other, and are used for clarity and convenience of the technical solution. It is to be understood that the use of the directional terms should not be taken to limit the scope of the claims.
The features of the embodiments and embodiments described herein above may be combined with each other without conflict.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents, improvements and the like that fall within the spirit and principle of the present invention are intended to be included therein.

Claims (8)

1. A method for ensuring the ordering of Web resource requests, comprising the following steps:
S1, the control server constructs a Web resource directed graph from the Web resources provided by the content service provider, and sets a password for each Web resource according to the URI of that Web resource;
S2, when the server receives an access request from the client, it judges whether the Web resource the access request asks for corresponds to a root node of the Web resource directed graph; if so, the server passes the access request and processes it, and in its reply gives the client an HTTP header to be added to the client's next access request, then goes to S6; otherwise it executes step S3. The HTTP header comprises a client identifier uid, the reply timestamp t, a field parent recording the URI of the current access request, and a check code key computed as
key = md5{uid + t + parent + secret(parent)},
where secret(parent) denotes the password corresponding to parent;
S3, the server checks whether the HTTP header of the current access request contains all of uid, t, parent and key; if all are present, it continues with step S4; otherwise it judges the access request illegal and goes to S5;
S4, the server checks in turn whether t, parent and key in the HTTP header of the current access request are legal; if the check passes, the server passes the access request and processes it, and in its reply again gives the client a new HTTP header to be added to the next access request, then goes to S6; otherwise it judges the access request illegal and goes to S5;
S5, when the access request has been judged illegal, the server returns an error to the client or discards the access request outright, then goes to S6;
S6, the current processing flow ends.
2. The method according to claim 1, wherein in step S1 the Web resource directed graph comprises access nodes and directed edges, each access node corresponding to one Web resource, and a directed edge indicating that there is a direct access path from its starting access node to its ending access node; the parent node(s) of each access node are determined while the Web resource directed graph is constructed.
3. The method for ensuring the ordering of Web resource requests according to claim 1 or 2, wherein step S4 specifically comprises:
S41, judging whether t lies within the specified range; if so, step S42 is executed, otherwise the check fails;
S42, judging whether the URI recorded in parent is one of the parent nodes of the access node corresponding to the URI of the current access request; if so, step S43 is executed, otherwise the check fails;
S43, computing md5{uid + t + parent + secret(parent)} from the uid, t and parent in the HTTP header of the current access request and judging whether the result equals the key value in the HTTP header; if so, the check passes, otherwise the check fails.
4. The method according to claim 1, wherein in step S4 the uid in the new HTTP header is taken directly from the HTTP header of the current access request, t is the time of the reply, parent is the URI of the current access request, and key is computed as md5{uid + t + parent + secret(parent)} using the updated uid, t and parent.
5. A system for ensuring the ordering of Web resource requests, comprising:
a Web resource directed graph construction module, by which the control server constructs a Web resource directed graph from the Web resources provided by the content service provider and sets a password (secret) for each Web resource according to the URI of that Web resource;
a root node judgment module, by which, when the server receives an access request from the client, the server judges whether the Web resource that the access request wants to access corresponds to the root node of the Web resource directed graph; if the judgment result of the root node judgment module is yes, the server passes the access request and processes it, and at the same time replies to the client with an HTTP header that the client must add to its next access request, then transfers to the flow ending module; otherwise it transfers to the HTTP header judgment module; the HTTP header comprises a client identifier uid, a reply timestamp t, a field parent that records the URI of the current access request, and a check code key = md5{uid + t + parent + secret(parent)}, where secret(parent) denotes the password corresponding to parent;
an HTTP header judgment module, by which the server judges whether the HTTP header of the current access request contains the complete set of uid, t, parent and key; if the judgment result of the HTTP header judgment module is yes, it transfers to the HTTP header check module, otherwise it judges the access request to be an illegal request and transfers to the illegal request processing module;
an HTTP header check module, by which the server checks in turn whether t, parent and key in the HTTP header of the current access request are legal; if the check of the HTTP header check module passes, the server passes the access request and processes it, and at the same time replies to the client with a new HTTP header that the client must add to its next access request, then transfers to the flow ending module; otherwise it judges the access request to be an illegal request and transfers to the illegal request processing module;
an illegal request processing module, by which, when the access request is judged to be an illegal request, the server returns an error to the client or directly discards the access request, then transfers to the flow ending module;
and a flow ending module, which ends the current processing flow.
6. The system according to claim 5, wherein the Web resource directed graph constructed by the Web resource directed graph construction module comprises access nodes and directed edges, each access node corresponding to one Web resource, and a directed edge indicating that there is a direct access path from its starting access node to its ending access node; the Web resource directed graph construction module also determines the parent node(s) of each access node.
7. The system for ensuring the ordering of Web resource requests according to claim 5 or 6, wherein the HTTP header check module comprises:
a first judgment sub-module, which judges whether t lies within the specified range; if the judgment result of the first judgment sub-module is yes, it transfers to the second judgment sub-module, otherwise the check of the HTTP header check module fails;
a second judgment sub-module, which judges whether the URI recorded in parent is one of the parent nodes of the access node corresponding to the URI of the current access request; if the judgment result of the second judgment sub-module is yes, it transfers to the third judgment sub-module, otherwise the check of the HTTP header check module fails;
and a third judgment sub-module, which computes md5{uid + t + parent + secret(parent)} from the uid, t and parent in the HTTP header of the current access request and judges whether the result equals the key value in the HTTP header; if the judgment result of the third judgment sub-module is yes, the check of the HTTP header check module passes, otherwise the check of the HTTP header check module fails.
8. The system according to claim 5, wherein in the new HTTP header issued by the HTTP header check module the uid is taken directly from the HTTP header of the current access request, t is the time of the reply, parent is the URI of the current access request, and key is computed as md5{uid + t + parent + secret(parent)} using the updated uid, t and parent.
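The request chain of claims 1 to 4 (and its module form in claims 5 to 8), as an added Python example that is not part of the patent and not code from the applicant. It assumes a constructed four-node resource graph, the header names X-Uid, X-T, X-Parent and X-Key, a 300-second window for t, per-URI passwords derived from an assumed server master secret, and an explicit field separator inside the hashed string (the claims write "+" without saying how the fields are delimited); none of these choices come from the patent.

```python
import hashlib
import hmac
from typing import Dict, Optional, Set, Tuple

# Constructed example graph (assumed, not from the patent): URI -> set of parent URIs.
# The root node is the only node without parents (claim 2).
GRAPH: Dict[str, Set[str]] = {
    "/index": set(),
    "/login": {"/index"},
    "/cart": {"/index", "/login"},
    "/checkout": {"/cart"},
}

MASTER_SECRET = b"example-master-secret"  # assumed; kept server-side only
MAX_AGE = 300        # seconds; the claims only say t must be "within the specified range"
SEP = "|"            # assumed delimiter; the claims' "+" does not say how fields are joined


def secret(uri: str) -> str:
    """Password set for each Web resource according to its URI (S1). Derivation is assumed."""
    return hmac.new(MASTER_SECRET, uri.encode(), hashlib.sha256).hexdigest()


def compute_key(uid: str, t: str, parent: str) -> str:
    """key = md5{uid + t + parent + secret(parent)} as written in claim 1."""
    msg = SEP.join([uid, t, parent, secret(parent)])
    return hashlib.md5(msg.encode()).hexdigest()


def issue_header(uid: str, uri: str, now: float) -> Dict[str, str]:
    """Header returned after a request to `uri` is passed (claims 1 and 4):
    uid carried over, t = reply time, parent = URI just served."""
    t = str(int(now))
    return {"X-Uid": uid, "X-T": t, "X-Parent": uri, "X-Key": compute_key(uid, t, uri)}


def check_header(hdr: Dict[str, str], uri: str, now: float) -> bool:
    """S3 plus S41..S43 of claim 3 for a request to `uri` carrying header `hdr`."""
    # S3: all four fields must be present
    try:
        uid, t, parent, key = hdr["X-Uid"], hdr["X-T"], hdr["X-Parent"], hdr["X-Key"]
    except KeyError:
        return False
    # S41: t inside the accepted window
    try:
        age = now - int(t)
    except ValueError:
        return False
    if not 0 <= age <= MAX_AGE:
        return False
    # S42: parent must be a parent node of the requested node in the directed graph
    if uri not in GRAPH or parent not in GRAPH[uri]:
        return False
    # S43: recompute the check code and compare in constant time
    return hmac.compare_digest(compute_key(uid, t, parent).encode(), key.encode())


def handle_request(uri: str, hdr: Dict[str, str], now: float,
                   new_uid: str = "anon") -> Tuple[int, Optional[Dict[str, str]]]:
    """S2..S5: returns (status, header for the client's next request or None)."""
    if uri not in GRAPH:
        return 404, None
    if not GRAPH[uri]:                      # S2: root node, no prior header required
        return 200, issue_header(hdr.get("X-Uid", new_uid), uri, now)
    if check_header(hdr, uri, now):         # S3/S4
        return 200, issue_header(hdr["X-Uid"], uri, now)
    return 403, None                        # S5: illegal request, error returned


if __name__ == "__main__":
    now = 1_700_000_000.0
    _, h = handle_request("/index", {}, now, "u1")       # root: first header issued
    print(handle_request("/cart", h, now + 10)[0])        # 200, /index is a parent of /cart
    print(handle_request("/checkout", h, now + 10)[0])    # 403, /index is not a parent of /checkout
```

handle_request walks S2 to S5: the root issues the first header, every later request must carry the header that was issued for one of the requested node's parents, and a missing field, a stale t, a parent that is not on a direct edge, or a key that does not recompute all end in S5. Two points worth checking before relying on this in production: the claims compute key with plain MD5 over a concatenation, whereas a keyed construction such as HMAC-SHA256 is the standard choice for an unforgeable tag; and the header only binds a request to its immediate predecessor, so uid should still be tied to an authenticated session rather than trusted on its own.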
CN202010038343.2A 2020-01-14 2020-01-14 Method and system for ensuring ordering of Web resource requests Active CN111259296B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010038343.2A CN111259296B (en) 2020-01-14 2020-01-14 Method and system for ensuring ordering of Web resource requests

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010038343.2A CN111259296B (en) 2020-01-14 2020-01-14 Method and system for ensuring ordering of Web resource requests

Publications (2)

Publication Number Publication Date
CN111259296A true CN111259296A (en) 2020-06-09
CN111259296B CN111259296B (en) 2023-03-10

Family

ID=70954021

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010038343.2A Active CN111259296B (en) 2020-01-14 2020-01-14 Method and system for ensuring ordering of Web resource requests

Country Status (1)

Country Link
CN (1) CN111259296B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101388768A (en) * 2008-10-21 2009-03-18 北京启明星辰信息技术股份有限公司 Method and device for detecting malicious HTTP request
CN102739659A (en) * 2012-06-16 2012-10-17 华南师范大学 Authentication method for preventing replay attack
CN105491094A (en) * 2014-09-24 2016-04-13 腾讯科技(深圳)有限公司 HTTP request handling method and device
CN105656912A (en) * 2016-01-29 2016-06-08 广西咪付网络技术有限公司 Mobile intelligent terminal APP request process control method
CN107453878A (en) * 2017-08-11 2017-12-08 四川长虹电器股份有限公司 A method for supporting tamper-proofing and anti-replay of REST APIs
US20180351958A1 (en) * 2017-05-30 2018-12-06 Canon Kabushiki Kaisha System, method for the system, and storage medium for the method

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Dou Hao; Wu Yanwen; Duan Shengqiang: "Web应用安全风险防护分析与防护研究" (Analysis and research on security risk protection for Web applications) *

Also Published As

Publication number Publication date
CN111259296B (en) 2023-03-10

Similar Documents

Publication Publication Date Title
CN109587133B (en) A single sign-on system and method
US10412091B2 (en) Systems and methods for controlling sign-on to web applications
US8341711B1 (en) Automated login session extender for use in security analysis systems
US8850567B1 (en) Unauthorized URL requests detection
US7930736B2 (en) Providing selective access to a web site
US7827318B2 (en) User enrollment in an e-community
US8312073B2 (en) CAPTCHA-free throttling
US20040123144A1 (en) Method and system for authentication using forms-based single-sign-on operations
CN110232265B (en) Two-factor authentication method, device and system
WO2016188290A1 (en) Safety authentication method, device and system for api calling
CN114616795B (en) Security mechanism for preventing retry or replay attacks
US20150082440A1 (en) Detection of man in the browser style malware using namespace inspection
US9210155B2 (en) System and method of extending a host website
US7974956B2 (en) Authenticating a site while protecting against security holes by handling common web server configurations
CN110753045A (en) Single sign-on method between different domains
CN107733853A (en) Page access method, apparatus, computer and medium
US20060047662A1 (en) Capability support for web transactions
CN119520121A (en) Website request tamper-proof method, server, web page, and storage medium
US8863263B2 (en) Server apparatus and program for single sign-on
CN111259296B (en) Method and system for ensuring ordering of Web resource requests
Jaswal et al. Detection and Prevention of Phishing Attacks on Banking Website
AU2023210679B2 (en) Web-authorization using enhanced cookie
Kumari Survey on Web Application Vulnerabilities
CN117909611A (en) Page embedding method, device, equipment, medium, program product and credit system
CN114401090A (en) Static page access method, system, device, equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant