javascript 混淆 URL 参数以防止用户更改它们?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/15362947/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Obfuscating URL parameters to prevent users from changing them?
提问by tomaytotomato
I am developing a fat client page based on Javascript that will allow users to carry out tasks outwith another web client application (Oracle Siebel).
我正在开发一个基于 Javascript 的胖客户端页面,它将允许用户使用另一个 Web 客户端应用程序 (Oracle Siebel) 执行任务。
The way the web page will be called from the browser will be by a simple window.open() call.
从浏览器调用网页的方式是通过一个简单的 window.open() 调用。
When this happens a URL will be passed which contains some parameters at the end which will change the functionality of the fat client page depending on what value they have.
发生这种情况时,将传递一个 URL,其中包含一些末尾的参数,这些参数将根据它们具有的值更改胖客户端页面的功能。
e.g
例如
userlevel=1 //normal user
userlevel=2 //advanced user
userlevel=1 //普通用户
userlevel=2 //高级用户
In an example full URL would be like so
在一个例子中,完整的 URL 是这样的
www.mypage.com/index.htm?id=25215125%userlevel=2%context=full
www.mypage.com/index.htm?id=25215125%userlevel=2%context=full
However a user who wants to change their access only need to figure out that if they change their user level then they can change their access rights on this fat client page.
但是,想要更改访问权限的用户只需要弄清楚,如果他们更改了用户级别,那么他们可以在此胖客户端页面上更改其访问权限。
Yes, I know this is risky and before you ask why I am not using a server supported thin client with controls that cannot be altered by the user. I simply have to do it this way!
是的,我知道这是有风险的,在您问我为什么不使用具有用户无法更改的控件的服务器支持的瘦客户端之前。我只需要这样做!
This system will be in a "trusted" environment and this users will have at best average IT skills.
该系统将处于“受信任的”环境中,并且该用户最多具有平均 IT 技能。
So all I need to do is figure out a way to obfuscate/ scramble the URL parameters (if possible) and then decipher them at the fat client.
所以我需要做的就是找出一种方法来混淆/打乱 URL 参数(如果可能的话),然后在胖客户端解密它们。
e.g.
例如
www.mypage.com/index.htm?1sdf908ga90-821098650f8asdg098g0a98
www.mypage.com/index.htm?1sdf908ga90-821098650f8asdg098g0a98
I tested it out on the browser and no complaints so far so I guess I just need to develop a piece of logic to decipher it.
我在浏览器上测试了它,到目前为止没有任何抱怨,所以我想我只需要开发一段逻辑来破译它。
e.g. I could use MD5?
例如,我可以使用 MD5 吗?
Any examples or ideas?
任何例子或想法?
Thanks
谢谢
采纳答案by Fred
Try Base64 encoding it. https://stackoverflow.com/a/4699739/1088652
尝试 Base64 编码。https://stackoverflow.com/a/4699739/1088652
That'll shorten it and obfuscate it, so that users can't just throw values in the URL.
这将缩短它并混淆它,以便用户不能只是在 URL 中抛出值。
回答by sobstel
Params integrity can be ensured with HMAC. You generate hash using secret key and all the params, you include this hash inside of URL, then at server side you generate hash using same params and compare values.
可以使用 HMAC 确保参数完整性。您使用密钥和所有参数生成散列,将这个散列包含在 URL 中,然后在服务器端使用相同的参数生成散列并比较值。
function generateSignature(array $params, $hmacKey)
{
// sort the array by key using SORT_STRING order
ksort($params, SORT_STRING);
$escapeFunc = function ($val) {
return str_replace(':', '\:', str_replace('\', '\\', $val));
};
// generate the signing data string
$signData = implode(':', array_map($escapeFunc, array_merge(array_keys($params), array_values($params))));
// base64-encode the binary result of the HMAC computation
$merchantSig = base64_encode(hash_hmac('sha256', $signData, pack("H*", $hmacKey), true));
return $merchantSig;
}
