如果有人有机会使用Aura Session 2.x,我有一个问题吗?如果是这样,我需要帮助...
我的问题是我不知道我应该叫什么(?)让CSRF工作。不幸的是,但从示例中我没有学到任何东西。我不能在实践中应用它。
链接到示例:Aura Session 2.x CSRF
我的代码:`
$session_factory = new \Aura\Session\SessionFactory;
$session = $session_factory->newInstance($_COOKIE);
#It seems to me that there is a problem with that
$user = $session->getSegment('Vendor\Package\User');
$unsafe = $_SERVER['REQUEST_METHOD'] == 'POST'|| $_SERVER['REQUEST_METHOD'] == 'PUT' || $_SERVER['REQUEST_METHOD'] == 'DELETE';
#$user->auth->isValid() not work
#Notice: Undefined property: Aura\Session\Session::$auth
#Fatal error: Uncaught Error: Call to a member function isValid() on null
if($unsafe && $user->auth->isValid()){
$csrf_value = $_POST['__csrf_value'];
$csrf_token = $session->getCsrfToken(); #it works
echo !$csrf_token->isValid($csrf_value) ? 'This looks like a cross-site request forgery.' : 'This looks like a valid request.';
} else {
echo 'CSRF attacks only affect unsafe requests by authenticated users.';
}
`
提前感谢您的回复。
答案 0 :(得分:0)
文档示例https://github.com/auraphp/Aura.Session#session-security中显示的代码“ $ user-> auth-> isValid()”是指Aura.Auth库https://github.com/auraphp/Aura.Auth#service-idioms的“ isValid()”惯用语,但是CSRF机制不一定要求用户登录。因此,检查用户身份验证不是强制性的,在任何情况下,您都不必使用Aura.Auth库,您还可以实现自己的身份验证控制系统。