CN109905376B - Method and system for preventing illegal access to server - Google Patents
- Publication number: CN109905376B (application CN201910102833.1A)
- Authority: CN (China)
- Prior art keywords: server, url, access request, client, access
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abstract
The invention discloses a method and a system for preventing illegal access to a server, wherein the method comprises the following steps: A. a client generates an original resource URL to be requested; B. the client acquires a session identifier; C. the client merges the session identifier and the original resource URL into a new URL; D. the client sends an access request to the server based on the new URL; E. the server judges whether the new URL carries a session identifier, and if not, the server refuses the access; if yes, step F is executed; F. the server judges whether the session identifier in the new URL is consistent with the session identifier pre-stored in the server, and if not, the access request is judged to be an illegal access request and the server refuses the access. The invention can identify whether an access request is legal or not and prevent illegal access to the server, thereby avoiding information leakage and the server being unable to serve normal users; the method has a wide application range and is particularly suitable against abuse ("brushing") of back-end interfaces from dispersed IPs with non-fixed requests.
Description
Technical Field
The invention belongs to the field of communication, and particularly relates to a method and a system for preventing illegal access to a server.
Background
At present, the interfaces between client and server are mostly implemented over HTTP: the server exposes external access interfaces, and these interfaces provide standard HTTP services.
In the prior art, the client-server interaction proceeds as follows:
first, the client generates the resource URL (Uniform Resource Locator) to be requested and sends an HTTP request to the server;
then, the server receives the request and returns an access result to the client;
finally, the client parses the access result returned by the server and processes the corresponding business logic.
In the interaction process, if a malicious client modifies the URL or parameters thereof to initiate a malicious request, or the malicious client simulates a normal user to initiate a request, there is a risk of information leakage. In addition, if a malicious client continuously initiates a request, the server rejects a normal client request due to insufficient resources, so that the client cannot obtain required data, and the server cannot serve normal users.
In order to solve the above problems, existing methods generally restrict the IP address and user agent of the client initiating the request: for example, they limit the number of requests a single IP may initiate within a fixed time period, or they place a suspicious IP on a blacklist after analysing its behaviour and refuse requests from blacklisted IPs. However, this approach cannot prevent abuse ("brushing") of back-end interfaces from dispersed IPs with non-fixed request patterns.
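To make the prior-art control described above concrete, here is an added example (not code from the patent) of a per-IP fixed-window request limiter with a rejection-count blacklist, run over two constructed traffic cases: the same 300 requests sent from one address, and from 250 addresses. The limit, window, blacklist threshold and the TEST-NET documentation IP ranges are assumptions chosen for illustration. It shows what the control catches and the gap the paragraph points to: once volume is spread across many addresses, no single IP exceeds its quota, which is what motivates the per-session check the patent adds.

```python
"""Per-IP request limiting and blacklisting, the prior-art control the
Background describes (added example, not from the patent)."""
from collections import defaultdict


class PerIpLimiter:
    """Allow at most `limit` requests per client IP in each fixed window of
    `window` seconds; an IP refused `blacklist_after` times is blacklisted
    (a simple stand-in for the behaviour analysis the page mentions)."""

    def __init__(self, limit: int, window: float, blacklist_after: int = 50):
        self.limit = limit
        self.window = window
        self.blacklist_after = blacklist_after
        self.counts = defaultdict(int)       # (ip, window index) -> allowed requests
        self.rejections = defaultdict(int)   # ip -> refused requests
        self.blacklist = set()

    def allow(self, ip: str, now: float) -> bool:
        """Return True if the request from `ip` at time `now` may proceed."""
        if ip in self.blacklist:
            return False
        key = (ip, int(now // self.window))  # fixed window, as the page describes
        if self.counts[key] >= self.limit:
            self.rejections[ip] += 1
            if self.rejections[ip] >= self.blacklist_after:
                self.blacklist.add(ip)
            return False
        self.counts[key] += 1
        return True


def count_rejected(limiter: PerIpLimiter, requests) -> int:
    """requests: iterable of (timestamp, client ip). Returns how many were refused."""
    return sum(0 if limiter.allow(ip, ts) else 1 for ts, ip in requests)


# Constructed traffic: 300 requests spread evenly over 30 seconds.
# Case 1: all from one address (TEST-NET-2 documentation range).
SINGLE_IP_BURST = [(i / 10, "198.51.100.7") for i in range(300)]
# Case 2: same volume and timing, scattered over 250 addresses (TEST-NET-3).
DISPERSED_BURST = [(i / 10, f"203.0.113.{i % 250}") for i in range(300)]


def compare_cases(limit: int = 100, window: float = 60.0) -> dict:
    """Run both traffic cases through fresh limiters and report refusals."""
    return {
        "single_ip_rejected": count_rejected(PerIpLimiter(limit, window), SINGLE_IP_BURST),
        "dispersed_rejected": count_rejected(PerIpLimiter(limit, window), DISPERSED_BURST),
    }


if __name__ == "__main__":
    # The dispersed case passes the per-IP limiter untouched.
    print(compare_cases())
```

With a quota of 100 requests per 60-second window, the single-address burst loses 200 of its 300 requests and the address ends up blacklisted, while the dispersed burst, identical in volume and timing, is not refused once; the per-IP counters never see more than two requests from any one address.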
Disclosure of Invention
The present invention aims to provide a method and a system for preventing illegal access to a server, which can identify whether an access request is legal or not and prevent illegal access to the server, thereby avoiding information leakage and the server being unable to serve normal users; the method has a wide application range and is particularly suitable against abuse ("brushing") of back-end interfaces from dispersed IPs with non-fixed requests.
In order to solve the technical problems, the technical scheme adopted by the invention is as follows:
A method for preventing illegal access to a server includes step A, in which a client generates an original resource URL to be requested; the method is characterized by further comprising the following steps:
Step B, the client acquires a session identifier pre-stored in the server;
Step C, the client merges the session identifier acquired in step B and the original resource URL generated in step A into a new URL;
Step D, the client sends an access request to the server based on the new URL;
Step E, the server judges whether the new URL in the received access request carries a session identifier; if not, the access request is judged to be an illegal access request and the server refuses the access; if yes, step F is executed;
Step F, the server judges whether the session identifier in the new URL is consistent with the session identifier pre-stored in the server; if not, the access request is judged to be an illegal access request and the server refuses the access.
By this method, the client must carry the session identifier preset in the server whenever it sends an access request, and when the client accesses the server, the server checks whether the session identifier in the access request is consistent with the session identifier pre-stored in the server to decide whether to reject the client's access. Illegal access to the server by a third party is thus avoided, and with it information leakage and the failure of the server to serve normal users; the method is particularly suitable against abuse ("brushing") of back-end interfaces from dispersed IPs with non-fixed requests.
Further, step B also includes: the client acquires a session key from the server, and the client encrypts the original resource URL according to the session key to obtain an encrypted URL;
in step C, the client combines the session identifier obtained in step B, the encrypted URL obtained in step B and the original resource URL generated in step A into a new URL;
in step F, if the session identifier in the new URL is judged to be consistent with the session identifier pre-stored in the server, the encrypted URL data in the new URL is decrypted with the session key;
and the method further comprises:
Step G, judging whether the decrypted resource identification data is consistent with the resource identification data carried in the original resource URL within the new URL; if not, the access request is judged to be an illegal access request and the server refuses the access; if so, the access request is judged to be a legal access request, the server allows the access and returns an access result to the client based on the original resource URL.
By this method, when the client sends the access request, the request URL carries both the session identifier preset in the server and authentication information encrypted with the session key. When the client accesses the server, the server checks whether the session identifier in the access request is consistent with the one pre-stored in the server and, at the same time, decrypts the encrypted authentication information sent by the client to decide whether to allow the access. Because a normal access request carries the session identifier and the authentication information encrypted with the session key, a third-party or malicious client cannot, under normal conditions, produce a legal access request and therefore cannot modify the parameters to hammer ("brush") the server interface, while the server can easily identify and reject illegal access requests; a third-party or malicious client is thereby prevented from brushing the server interface.
Based on the same inventive concept, the invention also provides a system for preventing illegal access to a server, comprising a client and a server, wherein the client comprises an original resource URL generation unit for generating an original resource URL to be requested, and the server comprises a receiving unit for receiving an access request sent by the client;
it is characterized in that,
the client further comprises:
a session identifier acquisition unit: for acquiring the session identifier pre-stored in the server;
a new URL generation unit: for merging the session identifier and the original resource URL into a new URL;
a transmission unit: for sending an access request to the server based on the new URL;
the server further comprises:
a first judgment unit: for judging whether the new URL in the received access request carries a session identifier; if not, the access request is judged to be an illegal access request and the server refuses the access; if so, it is judged whether the session identifier in the new URL is consistent with the session identifier pre-stored in the server;
a second judgment unit: for judging whether the session identifier in the new URL is consistent with the session identifier pre-stored in the server; if not, the access request is judged to be an illegal access request and the server refuses the access.
Further, the client further comprises:
a session key acquisition unit: for acquiring a session key from the server;
an encryption unit: for encrypting the original resource URL according to the session key to obtain an encrypted URL;
and the new URL generation unit is used for combining the session identifier, the encrypted URL and the original resource URL into a new URL;
the server further comprises:
a decryption unit: for decrypting the encrypted URL data in the new URL with the session key when the session identifier in the new URL is consistent with the session identifier pre-stored in the server;
a third judgment unit: for judging whether the decrypted resource identification data is consistent with the resource identification data carried in the original resource URL within the new URL; if not, the access request is judged to be an illegal access request and the server refuses the access; if so, the access request is judged to be a legal access request, the server allows the access and returns an access result to the client based on the original resource URL.
Compared with the prior art, the method and system can identify whether an access request is legal or not and prevent illegal access to the server, thereby avoiding information leakage and the failure of the server to serve normal users; the method has a wide application range and is particularly suitable against abuse ("brushing") of back-end interfaces from dispersed IPs with non-fixed requests.
Detailed Description
One embodiment of the method for preventing illegal access to a server includes the following steps:
Step A, the client generates an original resource URL to be requested.
Step B, the client acquires a session identifier pre-stored in the server; the client acquires a session key from the server; and the client encrypts the original resource URL according to the session key to obtain an encrypted URL.
Step C, the client merges the session identifier obtained in step B, the encrypted URL obtained in step B and the original resource URL generated in step A into a new URL.
Step D, the client sends an access request to the server based on the new URL.
Step E, the server judges whether the new URL in the received access request carries a session identifier; if not, the access request is judged to be an illegal access request and the server refuses the access; if yes, step F is executed.
Step F, the server judges whether the session identifier in the new URL is consistent with the session identifier pre-stored in the server; if not, the access request is judged to be an illegal access request and the server refuses the access; if the session identifier in the new URL is judged to be consistent with the session identifier pre-stored in the server, the encrypted URL data in the new URL is decrypted with the session key.
Step G, the server judges whether the decrypted resource identification data is consistent with the resource identification data carried in the original resource URL within the new URL (if the playback address of a video is requested, the resource identification is the id of the video; if delivery of an SMS verification code is requested, the resource identification is the mobile phone number it is sent to); if not, the access request is judged to be an illegal access request and the server refuses the access; if so, the access request is judged to be a legal access request, the server allows the access and returns an access result to the client based on the original resource URL.
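Steps A to G above, and the same method as summarised in the Disclosure of Invention, as an added Python example; this is not code from the patent. It assumes one concrete layout for the "new URL" (the session identifier and the encrypted URL travel as `sid` and `enc` query parameters appended to the original URL), a constructed server-side session table standing in for the pre-stored session identifier and session key, and, because the page names no cipher, an HMAC-SHA256 counter-mode stream cipher with an HMAC tag as a standard-library stand-in (an AEAD such as AES-GCM would be the production choice). The resource identification data is taken to be the `id` query parameter, matching the page's video-id example.

```python
"""Session-bound URL check following steps A-G of the page (added example)."""
import hashlib
import hmac
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed server-side session table: the session identifier and session key
# that the page says the client obtains from the server beforehand (step B).
SESSION_STORE = {
    "sid-2f9c1b": bytes.fromhex(
        "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"),
}
NONCE_LEN, TAG_LEN = 12, 32


def _subkey(session_key: bytes, label: bytes) -> bytes:
    # Derive separate encryption and MAC keys from the single session key.
    return hmac.new(session_key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stdlib stand-in for the cipher the page
    # leaves unspecified (assumption; use an AEAD such as AES-GCM in production).
    blocks = (hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]


def encrypt_url(session_key: bytes, original_url: str) -> str:
    """Client half of step B: encrypt the original URL under the session key."""
    nonce = secrets.token_bytes(NONCE_LEN)
    pt = original_url.encode()
    ct = bytes(p ^ k for p, k in zip(pt, _keystream(_subkey(session_key, b"enc"), nonce, len(pt))))
    tag = hmac.new(_subkey(session_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return (nonce + ct + tag).hex()


def decrypt_url(session_key: bytes, blob_hex: str) -> str:
    """Server half of step F: check the tag, then recover the original URL."""
    blob = bytes.fromhex(blob_hex)
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("encrypted URL too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(session_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("encrypted URL failed authentication")
    pt = bytes(c ^ k for c, k in zip(ct, _keystream(_subkey(session_key, b"enc"), nonce, len(ct))))
    return pt.decode()


def resource_id(url: str) -> str:
    """Resource identification data of a URL: the `id` query parameter
    (the video id in the page's example; assumption)."""
    return dict(parse_qsl(urlsplit(url).query)).get("id", "")


def build_new_url(original_url: str, session_id: str, session_key: bytes) -> str:
    """Step C: merge session id, encrypted URL and original URL into one URL.
    Layout (assumption): the two extra values travel as `sid` and `enc` query parameters."""
    parts = urlsplit(original_url)
    query = parse_qsl(parts.query) + [("sid", session_id),
                                      ("enc", encrypt_url(session_key, original_url))]
    return urlunsplit(parts._replace(query=urlencode(query)))


def check_request(new_url: str) -> tuple:
    """Steps E-G on the server. Returns (allowed, reason or original URL to serve)."""
    parts = urlsplit(new_url)
    pairs = parse_qsl(parts.query)
    extras = dict(pairs)
    if "sid" not in extras:                                  # step E
        return False, "rejected: no session identifier"
    session_key = SESSION_STORE.get(extras["sid"])
    if session_key is None:                                  # step F
        return False, "rejected: session identifier mismatch"
    # The original resource URL is the request minus the two added parameters.
    original_url = urlunsplit(parts._replace(
        query=urlencode([kv for kv in pairs if kv[0] not in ("sid", "enc")])))
    try:
        decrypted_url = decrypt_url(session_key, extras.get("enc", ""))
    except ValueError as exc:
        return False, f"rejected: {exc}"
    if not hmac.compare_digest(resource_id(decrypted_url).encode(),
                               resource_id(original_url).encode()):   # step G
        return False, "rejected: resource identifier mismatch"
    return True, original_url


if __name__ == "__main__":
    # Constructed walk-through: a legitimate request, then two the server must refuse.
    original = "https://media.example.invalid/video/play?id=12345"
    sid = "sid-2f9c1b"
    new_url = build_new_url(original, sid, SESSION_STORE[sid])
    print(check_request(new_url))
    print(check_request(original))                                  # no sid: step E
    print(check_request(new_url.replace("id=12345", "id=99999")))   # tampered id: step G
```

`check_request` hands back the original resource URL to serve only after steps E, F and G all pass. Two choices go slightly beyond the page's wording: the HMAC tag means a modified encrypted URL is refused before step G is reached, and the identifier comparisons are constant-time so the server does not leak how much of an identifier matched. Because the session identifier travels in the query string, it will appear in server and proxy access logs and may leak through Referer headers, so those logs must be treated as sensitive, or the identifier moved into a request header.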
The improvement of the invention is that, when the client sends an access request to the server, the session identifier (session id) and authentication information encrypted with the session key (session key) are added to the original resource URL, and the server distinguishes the legitimate client from a third-party client by verifying this session control information, so that access requests from third-party applications or malicious clients are effectively rejected.
The invention also provides a system for preventing illegal access to a server, comprising a client and a server, wherein the client comprises:
an original resource URL generation unit: for generating an original resource URL to be requested;
a session identifier acquisition unit: for acquiring the session identifier pre-stored in the server;
a new URL generation unit: for merging the session identifier and the original resource URL into a new URL;
a transmission unit: for sending an access request to the server based on the new URL;
a session key acquisition unit: for acquiring a session key from the server;
an encryption unit: for encrypting the original resource URL according to the session key to obtain an encrypted URL;
and the new URL generation unit is used for combining the session identifier, the encrypted URL and the original resource URL into a new URL.
The server comprises:
a receiving unit: for receiving an access request sent by the client;
a first judgment unit: for judging whether the new URL in the received access request carries a session identifier; if not, the access request is judged to be an illegal access request and the server refuses the access; if so, it is judged whether the session identifier in the new URL is consistent with the session identifier pre-stored in the server;
a second judgment unit: for judging whether the session identifier in the new URL is consistent with the session identifier pre-stored in the server; if not, the access request is judged to be an illegal access request and the server refuses the access;
a decryption unit: for decrypting the encrypted URL data in the new URL with the session key when the session identifier in the new URL is consistent with the session identifier pre-stored in the server;
a third judgment unit: for judging whether the decrypted resource identification data is consistent with the resource identification data carried in the original resource URL within the new URL; if not, the access request is judged to be an illegal access request and the server refuses the access; if so, the access request is judged to be a legal access request, the server allows the access and returns an access result to the client based on the original resource URL.
While embodiments of the present invention have been described, the present invention is not limited to the above-described embodiments, which are intended to be illustrative rather than limiting, and many modifications may be made by those skilled in the art without departing from the spirit and scope of the invention as defined by the appended claims.
Claims (2)
1. A method for preventing illegal access to a server includes step A, in which a client generates an original resource URL to be requested; the method is characterized by further comprising the following steps:
Step B, the client acquires a session identifier pre-stored in the server; the client acquires a session key from the server; the client encrypts the original resource URL according to the session key to obtain an encrypted URL;
Step C, the client merges the session identifier acquired in step B and the original resource URL generated in step A into a new URL; or the client combines the session identifier obtained in step B, the encrypted URL obtained in step B and the original resource URL generated in step A into a new URL;
Step D, the client sends an access request to the server based on the new URL;
Step E, the server judges whether the new URL in the received access request carries a session identifier; if not, the access request is judged to be an illegal access request and the server refuses the access; if yes, step F is executed;
Step F, judging whether the session identifier in the new URL is consistent with the session identifier pre-stored in the server; if not, the access request is judged to be an illegal access request and the server refuses the access; if the session identifier in the new URL is judged to be consistent with the session identifier pre-stored in the server, the encrypted URL data in the new URL is decrypted with the session key;
Step G, judging whether the decrypted resource identification data is consistent with the resource identification data carried in the original resource URL within the new URL; if not, the access request is judged to be an illegal access request and the server refuses the access; if so, the access request is judged to be a legal access request, the server allows the access and returns an access result to the client based on the original resource URL.
2. A system for preventing illegal access to a server includes a client and a server, wherein the client includes an original resource URL generation unit for generating an original resource URL to be requested, and the server includes a receiving unit for receiving an access request sent by the client;
characterized in that
the client further comprises:
a session identifier acquisition unit: for acquiring the session identifier pre-stored in the server;
a new URL generation unit: for merging the session identifier and the original resource URL into a new URL;
a transmission unit: for sending an access request to the server based on the new URL;
a session key acquisition unit: for acquiring a session key from the server;
an encryption unit: for encrypting the original resource URL according to the session key to obtain an encrypted URL;
the new URL generation unit is also used for merging the session identifier, the encrypted URL and the original resource URL into a new URL;
the server further comprises:
a first judgment unit: for judging whether the new URL in the received access request carries a session identifier; if not, the access request is judged to be an illegal access request and the server refuses the access; if so, it is judged whether the session identifier in the new URL is consistent with the session identifier pre-stored in the server;
a second judgment unit: for judging whether the session identifier in the new URL is consistent with the session identifier pre-stored in the server; if not, the access request is judged to be an illegal access request and the server refuses the access;
a decryption unit: for decrypting the encrypted URL data in the new URL with the session key when the session identifier in the new URL is consistent with the session identifier pre-stored in the server;
a third judgment unit: for judging whether the decrypted resource identification data is consistent with the resource identification data carried in the original resource URL within the new URL; if not, the access request is judged to be an illegal access request and the server refuses the access; if so, the access request is judged to be a legal access request, the server allows the access and returns an access result to the client based on the original resource URL.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910102833.1A CN109905376B (en) | 2019-02-01 | 2019-02-01 | Method and system for preventing illegal access to server |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910102833.1A CN109905376B (en) | 2019-02-01 | 2019-02-01 | Method and system for preventing illegal access to server |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109905376A CN109905376A (en) | 2019-06-18 |
CN109905376B true CN109905376B (en) | 2022-03-22 |
Family
ID=66944697
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910102833.1A Active CN109905376B (en) | 2019-02-01 | 2019-02-01 | Method and system for preventing illegal access to server |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109905376B (en) |
Families Citing this family (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110557502B (en) * | 2019-08-09 | 2021-03-23 | 五八有限公司 | Method and device for calling up applet, electronic device and readable storage medium |
CN110807210B (en) * | 2019-11-04 | 2022-07-15 | 北京联想协同科技有限公司 | Information processing method, platform, system and computer storage medium |
US11443037B2 (en) | 2020-07-09 | 2022-09-13 | International Business Machines Corporation | Identification of invalid requests |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2013182397A (en) * | 2012-03-01 | 2013-09-12 | Nippon Telegr & Teleph Corp <Ntt> | Cluster system |
CN105162773A (en) * | 2015-08-04 | 2015-12-16 | 武汉理工大学 | Mobile terminal based shortcut login method for Web system |
CN107534651A (en) * | 2015-03-31 | 2018-01-02 | 思科技术公司 | The safe transmission of Session ID during service authentication |
CN109040024A (en) * | 2018-07-06 | 2018-12-18 | 广东微云科技股份有限公司 | A kind of resource access right control method and system |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106487812A (en) * | 2016-12-02 | 2017-03-08 | 努比亚技术有限公司 | A kind of method for authenticating and device |
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2013182397A (en) * | 2012-03-01 | 2013-09-12 | Nippon Telegr & Teleph Corp <Ntt> | Cluster system |
CN107534651A (en) * | 2015-03-31 | 2018-01-02 | 思科技术公司 | The safe transmission of Session ID during service authentication |
CN105162773A (en) * | 2015-08-04 | 2015-12-16 | 武汉理工大学 | Mobile terminal based shortcut login method for Web system |
CN109040024A (en) * | 2018-07-06 | 2018-12-18 | 广东微云科技股份有限公司 | A kind of resource access right control method and system |
Also Published As
Publication number | Publication date |
---|---|
CN109905376A (en) | 2019-06-18 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN109873819B (en) | Method and system for preventing illegal access to server | |
CN107517179B (en) | Authentication method, device and system | |
CN102195957B (en) | Resource sharing method, device and system | |
US20140289839A1 (en) | Resource control method and apparatus | |
US10547602B2 (en) | Communications methods and apparatus related to web initiated sessions | |
WO2016184216A1 (en) | Link-stealing prevention method, link-stealing prevention server, and client side | |
CN106953831B (en) | User resource authorization method, device and system | |
CN109905376B (en) | Method and system for preventing illegal access to server | |
CN110225050B (en) | JWT token management method | |
CN110933078B (en) | H5 unregistered user session tracking method | |
CN111770088A (en) | Data authentication method, device, electronic equipment and computer readable storage medium | |
CN109873818B (en) | Method and system for preventing illegal access to server | |
CN109218334B (en) | Data processing method, device, access control equipment, authentication server and system | |
CN103634265A (en) | Method, device and system for security authentication | |
CN111786996B (en) | Cross-domain synchronous login state method and device and cross-domain synchronous login system | |
CN110138765B (en) | Data processing method, data processing device, computer equipment and computer readable storage medium | |
CN110138558B (en) | Transmission method and device of session key and computer-readable storage medium | |
CN104463584A (en) | Method for achieving mobile terminal App safety payment | |
CN109905377B (en) | Method and system for preventing illegal access to server | |
CN110807210B (en) | Information processing method, platform, system and computer storage medium | |
CN112560102A (en) | Resource sharing method, resource accessing method, resource sharing equipment and computer readable storage medium | |
CN104901967A (en) | Registration method for trusted device | |
CN110035035B (en) | Secondary authentication method and system for single sign-on | |
CN108989302B (en) | OPC proxy connection system and connection method based on secret key | |
US20200364317A1 (en) | Method and system for identifying a user terminal in order to receive streaming protected multimedia content |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||