CN111259296B - Method and system for ensuring ordering of Web resource requests - Google Patents


Info

Publication number: CN111259296B
Application number: CN202010038343.2A
Authority: CN (China)
Other languages: Chinese (zh)
Other versions: CN111259296A
Inventors: 郭黎明, 谢强, 陈国庆
Current Assignee: Wuhan Jiyi Network Technology Co ltd
Original Assignee: Wuhan Jiyi Network Technology Co ltd
Legal status: Active
Prior art keywords: access request, parent, module, web resource, request

Classifications

    • G06F16/00 Information retrieval > G06F16/90 Details of database functions independent of the retrieved data types > G06F16/95 Retrieval from the web > G06F16/958 Organisation or management of web site content, e.g. publishing, maintaining pages or automatic linking
    • G06F16/00 Information retrieval > G06F16/90 > G06F16/901 Indexing; Data structures therefor; Storage structures > G06F16/9024 Graphs; Linked lists
    • G06F16/00 Information retrieval > G06F16/90 > G06F16/95 Retrieval from the web > G06F16/955 Retrieval from the web using information identifiers, e.g. uniform resource locators [URL] > G06F16/9566 URL specific, e.g. using aliases, detecting broken or misspelled links
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/30 Authentication > G06F21/45 Structures or tools for the administration of authentication > G06F21/46 Structures or tools for the administration of authentication by designing passwords or checking the strength of passwords
    • G06F21/00 Security arrangements > G06F21/60 Protecting data > G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures


Abstract

The invention provides a method and a system for ensuring the ordering of Web resource requests. The method comprises the following steps: constructing a Web resource directed graph and setting a password for each Web resource; when a server receives an access request, judging whether the Web resource that the access request asks for corresponds to a root node in the Web resource directed graph; if so, passing the access request, processing it, and adding an HTTP header to the reply; otherwise, checking whether the HTTP header of the current access request is legal: if the HTTP header passes the check, passing the access request, processing it and again adding an HTTP header to the reply; if the HTTP header does not pass the check, judging the access request to be an illegal request and returning an error or directly discarding the access request. The beneficial effects of the invention are that verifiable information and a timestamp generated by the server are used in the interaction, so that request forgery and replay can be effectively prevented, more application scenarios are covered, and the universality is better.

Description

Method and system for ensuring ordering of Web resource requests
Technical Field
The invention relates to the field of computer networks, in particular to a method and a system for ensuring the ordering of Web resource requests.
Background
A Web resource is a resource provided by a content service provider during daily Internet access; a Web resource request is a resource access request initiated by a user to the content service provider, and the request is made through a web address (URL). A URL is divided into three parts: the protocol header, the domain name (Domain), and the Uniform Resource Identifier (URI). For example, in the URL https://www.baidu.com/index.html the protocol header is https, the domain name is www.baidu.com and the URI is /index.html. Every Web site has an inherent order of page access, which malicious Web resource requests violate.
Claim 7 of Chinese patent No. 200810224571.8, "Method and apparatus for detecting malicious HTTP requests", discloses a method for determining whether an HTTP request conforms to the inherent page access sequence of a Web site: (b1) extracting the two protocol field values Referer and URI from the HTTP request header; (b2) judging whether the Web page pointed to by the URI is a key node in the Web access relation network; if so, executing step (b3), otherwise regarding the HTTP request as an abnormal HTTP request and ending the process; (b3) checking whether the Referer satisfies the following three conditions at the same time: the Referer is not null; a network node corresponding to the Web page pointed to by the Referer exists in the Web access relation network; and a condition on the network node corresponding to the Referer; if the Referer does not meet the three conditions simultaneously, a malicious HTTP request is considered to be detected.
The above method has the following disadvantages: (1) the Referer can be forged at will and is not trustworthy; (2) the method does not prevent replay; (3) some website services are embedded in third-party websites, so the Referer of such a site is a page of the third-party website and is uncertain.
Disclosure of Invention
In view of this, the present invention provides a method and a system for ensuring the ordering of Web resource requests, which verify the ordering of Web resource requests by adding additional information to an HTTP header.
The invention provides a method for ensuring the ordering of Web resource requests, which comprises the following steps:
S1. A control server constructs a Web resource directed graph according to the Web resources provided by a content service provider, and sets a password for each Web resource according to the URI of the Web resource;
S2. When the server receives an access request from the client, it judges whether the Web resource that the access request asks for corresponds to a root node in the Web resource directed graph; if so, the server passes the access request and processes it, replies to the client with an HTTP header to be added to the next access request, and goes to S6; otherwise, step S3 is executed. The HTTP header comprises a client identifier uid, a reply timestamp t, a parent recording the URI of the current access request, and a check code key, where the check code key is:
key = md5{uid + t + parent + secret(parent)},
where secret(parent) represents the password corresponding to parent;
S3. The server checks whether the HTTP header of the current access request contains uid, t, parent and key; if all are present, step S4 is executed, otherwise the access request is judged to be an illegal request and processing goes to S5;
S4. The server checks in turn whether t, parent and key in the HTTP header of the current access request are legal; if the check passes, the server passes the access request and processes it, replies to the client with a new HTTP header to be added to the next access request, and goes to S6; otherwise, the access request is judged to be an illegal request and processing goes to S5;
S5. When the access request is judged to be an illegal request, the server returns an error to the client or directly discards the access request, and goes to S6;
S6. The processing flow ends.
Further, the Web resource directed graph comprises access nodes and directed edges, where each access node corresponds to one Web resource and a directed edge indicates that a direct access path exists from its initial access node to its final access node; while constructing the Web resource directed graph, the parent node(s) corresponding to each access node are determined.
Further, the specific process of step S4 is:
S41. Judge whether t is within a specified range; if so, continue to step S42, otherwise the check fails;
S42. Judge whether the URI recorded in parent is among the parent nodes of the access node corresponding to the URI of the current access request; if so, continue to step S43, otherwise the check fails;
S43. Calculate md5{uid + t + parent + secret(parent)} from the uid, t and parent in the HTTP header of the current access request, and judge whether the result equals the key value in the HTTP header; if so, the check passes, otherwise the check fails.
Further, in step S4, the uid in the new HTTP header is taken directly from the HTTP header of the current access request, t is the time of the reply, parent is the URI of the current access request, and key is calculated as md5{uid + t + parent + secret(parent)} using the updated uid, t and parent.
The invention also provides a system for ensuring the ordering of Web resource requests, which comprises the following modules:
a Web resource directed graph construction module, used by the control server to construct a Web resource directed graph according to the Web resources provided by the content service provider and to set a password for each Web resource according to its URI;
a root node judgment module, used, when the server receives an access request from the client, to judge whether the Web resource that the access request asks for corresponds to a root node in the Web resource directed graph; if so, the server passes the access request and processes it, replies to the client with an HTTP header to be added to the next access request, and transfers to the flow ending module; otherwise it transfers to the HTTP header judgment module. The HTTP header comprises a client identifier uid, a reply timestamp t, a parent recording the URI of the current access request, and a check code key = md5{uid + t + parent + secret(parent)}, where secret(parent) represents the password corresponding to parent;
an HTTP header judgment module, used by the server to judge whether the HTTP header of the current access request contains a complete uid, t, parent and key; if so, it transfers to the HTTP header check module, otherwise it judges the access request to be an illegal request and transfers to the illegal request processing module;
an HTTP header check module, used by the server to check in turn whether t, parent and key in the HTTP header of the current access request are legal; if the check passes, the server passes the access request and processes it, replies to the client with a new HTTP header to be added to the next access request, and transfers to the flow ending module; otherwise it judges the access request to be an illegal request and transfers to the illegal request processing module;
an illegal request processing module, used to return an error to the client or directly discard the access request when the access request is judged to be an illegal request, and to transfer to the flow ending module;
and a flow ending module, used to end one round of the processing flow.
Further, the Web resource directed graph constructed by the Web resource directed graph construction module comprises access nodes and directed edges, where each access node corresponds to one Web resource and a directed edge indicates that a direct access path exists from its initial access node to its final access node; the Web resource directed graph construction module also determines the parent node(s) corresponding to each access node.
Further, the HTTP header check module includes:
a first judgment sub-module, used to judge whether t is within a specified range; if so, it transfers to the second judgment sub-module, otherwise the check of the HTTP header check module fails;
a second judgment sub-module, used to judge whether the URI recorded in parent is among the parent nodes of the access node corresponding to the URI of the current access request; if so, it transfers to the third judgment sub-module, otherwise the check of the HTTP header check module fails;
and a third judgment sub-module, used to calculate md5{uid + t + parent + secret(parent)} from the uid, t and parent in the HTTP header of the current access request and to judge whether the result equals the key value in the HTTP header; if so, the check of the HTTP header check module passes, otherwise it fails.
Furthermore, the uid in the new HTTP header added by the HTTP header check module is taken directly from the HTTP header of the current access request, t is the time of the reply, parent is the URI of the current access request, and key is obtained from the updated uid, t and parent by the formula md5{uid + t + parent + secret(parent)}.
The beneficial effects of the technical scheme provided by the invention are that verifiable information and a timestamp generated by the server are used in the interaction, so that request forgery and replay can be effectively prevented, more application scenarios are covered, and the universality is better.
Drawings
FIG. 1 is a flowchart of the method for ensuring the ordering of Web resource requests according to an embodiment of the present invention;
FIG. 2 is the Web resource directed graph constructed according to an embodiment of the present invention;
FIG. 3 is a structural diagram of the system for ensuring the ordering of Web resource requests according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, embodiments of the present invention are further described below with reference to the accompanying drawings.
Referring to FIG. 1, an embodiment of the present invention provides a method for ensuring the ordering of Web resource requests, comprising the following steps:
S1. A control server constructs a Web resource directed graph according to the Web resources provided by a content service provider, and sets a password secret for each Web resource according to the Uniform Resource Identifier (URI) of the Web resource, for use in the subsequent cryptographic processing.
For example, a shopping website with the domain name https://www.buy.com contains Web resource pages such as login (/login), browse goods (/view), place order (/order), cancel order (/cancel order), pay (/pay), log out (/logout) and so on. If the shopping website requires login before goods can be browsed, the simplified normal access logic is as follows: the user must log in first and can then browse goods; goods can be browsed repeatedly, and only after browsing can a certain item be selected for ordering; after placing an order the user chooses either to pay or to cancel the order; and at any stage after a successful login the user may choose to log out.
A Web resource directed graph is constructed from this access logic. As shown in FIG. 2, the graph comprises access nodes and directed edges: each access node corresponds to one Web resource and a directed edge indicates that a direct access path exists from its initial access node to its final access node. A password is set for each Web resource according to its URI, and the parent node(s) of each access node are determined from the Web resource directed graph, as shown in Table 1.
TABLE 1 Web resources and corresponding passwords
[Table 1 is present only as an image in the source and is not reproduced here.]
A root node must be determined while constructing the Web resource directed graph; in Table 1 the access node "/login" has no corresponding parent node, that is, it is the root node of the Web resource directed graph.
S2. When the server receives an access request from the client, it judges whether the Web resource that the access request asks for corresponds to a root node in the Web resource directed graph. If so, the server passes the access request and processes it, replies to the client with an HTTP header to be added to the next access request, and goes to S6. The HTTP header comprises a client identifier uid, a reply timestamp t, a parent representing the URI of the current access request, and a check code key, where:
key = md5{uid + t + parent + secret(parent)},
and secret(parent) represents the password corresponding to parent. Otherwise, step S3 is executed. For the root node "/login" shown in FIG. 2, referring to Table 1, its parent is "/login" and the password corresponding to the parent is "loginExampleKey".
S3. The server checks whether the HTTP header of the current access request contains uid, t, parent and key; if all are present, the server continues with step S4, otherwise the access request is judged to be an illegal request.
S4. The server checks in turn whether t, parent and key in the HTTP header of the current access request are legal. If they are, the server passes the access request and processes it, replies to the client with a new HTTP header to be added to the next access request, and goes to S6; otherwise the access request is judged to be an illegal request and processing goes to S5.
Specifically, the process of step S4 is:
S41. Judge whether t is within a specified range, for example whether t is within 1 minute of the current time; if so, continue to step S42, otherwise judge the access request to be an illegal request;
S42. Referring to Table 1, judge whether the URI recorded in parent is among the parent nodes of the access node corresponding to the URI of the current access request; if so, continue to step S43, otherwise judge the access request to be an illegal request;
S43. Check whether the key value of the current access request is correct: calculate md5{uid + t + parent + secret(parent)} from the uid, t and parent in the HTTP header of the current access request and judge whether the result equals the key value in the HTTP header. If so, pass the access request and process it, and reply to the client with a new HTTP header to be added to the next access request, where the uid in the new HTTP header is taken directly from the HTTP header of the current access request, t is the time of the reply, parent is the URI of the current access request, and key is obtained from the updated uid, t and parent by the formula md5{uid + t + parent + secret(parent)}; otherwise, judge the access request to be an illegal request.
S5. When the access request is judged to be an illegal request, the server returns an error to the client or directly discards the access request, and goes to S6.
S6. The processing flow ends.
For the Web resource directed graph shown in FIG. 2, a legal timestamp t satisfies 0 < (current time - t) < 60 s. A specific application example is as follows. The user logs in to the website https://www.buy.com and the client sends access request 1, "/login". After receiving access request 1, the server judges that it corresponds to the root node of the Web resource directed graph; the current time is 1000, and the server replies to the client with the following header to be added to the next access request:
HTTP header 1: uid = user1, t = 1000, parent = /login, key = md5(1000 + user1 + secret[/login]);
The user then browses goods normally and the client sends access request 2, "/view". After receiving access request 2, the server determines that it is not a root node and carries a complete HTTP header, then checks that the difference between the current time and the timestamp t = 1000 in the header of access request 2 is less than 60 s, confirms by Table 1 that the "/login" recorded in parent is a parent node of the access node corresponding to access request 2, "/view", and after checking that the key value is correct judges access request 2 to be legal; at time 1002 the server replies to the client with the following header to be added to the next access request:
HTTP header 2: uid = user1, t = 1002, parent = /view, key = md5(1002 + user1 + secret[/view]);
Similarly, the user continues to browse goods normally and the client sends access request 3, "/view", again; after the server determines that access request 3 is legal, at time 1004 it replies to the client with the following header to be added to the next access request:
HTTP header 3: uid = user1, t = 1004, parent = /view, key = md5(1004 + user1 + secret[/view]);
In this way the normal access sequence is maintained. It should be noted that a malicious replay makes the current access request keep using the HTTP header of the replayed access request: for example, at time 1004 the user replays access request 2, which still carries HTTP header 1; if the malicious user keeps replaying the access request, the malicious user can be identified from the difference between the timestamp t in the HTTP header and the current time.
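The following Python model of steps S1 to S6 and of the application example above is added here for illustration and is not code from the patent: it builds the parent table of the shopping site, issues the reply header, runs checks S41 to S43, and replays the 1000/1002/1004 sequence together with an in-window replay, a late replay, an out-of-order request and a forged parent. The "/cancel" path, the resource passwords other than "loginExampleKey", and the origin of uid (taken here from the login) are assumptions.

```python
import hashlib
import hmac
from typing import Optional

# Constructed from the shopping-site walkthrough: each URI maps to the set of
# URIs that may directly precede it (its parent nodes in the directed graph).
# "/login" has no parent, so it is the root node.  The "/cancel" path is an
# assumption (the page writes "cancel order").
PARENTS = {
    "/login": set(),
    "/view": {"/login", "/view"},          # repeated browsing is allowed
    "/order": {"/view"},
    "/pay": {"/order"},
    "/cancel": {"/order"},
    "/logout": {"/login", "/view", "/order", "/pay", "/cancel"},
}

# secret(URI): the per-resource password of Table 1.  Only the /login value
# appears on the page; the others are constructed placeholders.
SECRETS = {
    "/login": "loginExampleKey",
    "/view": "viewExampleKey",
    "/order": "orderExampleKey",
    "/pay": "payExampleKey",
    "/cancel": "cancelExampleKey",
    "/logout": "logoutExampleKey",
}

WINDOW_SECONDS = 60  # a legal t satisfies 0 < (now - t) < 60 s
REQUIRED = ("uid", "t", "parent", "key")


def compute_key(uid: str, t: int, parent: str) -> str:
    """key = md5{uid + t + parent + secret(parent)} exactly as the patent states.
    This is plain MD5 over an undelimited concatenation; an implementer would
    normally use an HMAC with a field separator instead."""
    material = f"{uid}{t}{parent}{SECRETS[parent]}".encode()
    return hashlib.md5(material).hexdigest()


def issue_header(uid: str, uri: str, now: int) -> dict:
    """Header the server attaches to its reply: parent is the URI just served."""
    return {"uid": uid, "t": now, "parent": uri, "key": compute_key(uid, now, uri)}


def check_request(uri: str, header: Optional[dict], now: int,
                  login_uid: Optional[str] = None) -> tuple:
    """Steps S2 to S5.  Returns (accepted, reason, header_for_next_request).
    login_uid is an assumption: the patent does not say where uid originates,
    so the root request is given the identifier established by the login."""
    if uri not in PARENTS:
        return False, "unknown resource", None
    if not PARENTS[uri]:                                   # S2: root node
        return True, "root", issue_header(login_uid, uri, now)
    if header is None or any(k not in header for k in REQUIRED):
        return False, "S3: header incomplete", None
    if not 0 < now - header["t"] < WINDOW_SECONDS:         # S41
        return False, "S41: timestamp out of range", None
    if header["parent"] not in PARENTS[uri]:               # S42
        return False, "S42: parent is not a parent node of the URI", None
    expected = compute_key(header["uid"], header["t"], header["parent"])
    if not hmac.compare_digest(expected, str(header["key"])):  # S43
        return False, "S43: key mismatch", None
    return True, "ok", issue_header(header["uid"], uri, now)


def walkthrough() -> dict:
    """The page's sequence: /login at 1000, /view at 1002, /view at 1004, then
    a replay of request 2 (still carrying header 1) inside and outside the
    60 s window, a jump straight to /order, and a header with a forged parent."""
    out = {}
    ok, _, h1 = check_request("/login", None, 1000, login_uid="user1")
    out["login"] = ok
    ok, _, h2 = check_request("/view", h1, 1002)
    out["view1"] = ok
    ok, _, h3 = check_request("/view", h2, 1004)
    out["view2"] = ok
    out["replay_in_window"] = check_request("/view", h1, 1004)[1]   # passes
    out["replay_late"] = check_request("/view", h1, 1061)[1]        # S41
    out["skip_to_order"] = check_request("/order", h1, 1005)[1]     # S42
    forged = dict(h1, parent="/view")          # key was computed over /login
    out["forged_parent"] = check_request("/order", forged, 1005)[1] # S43
    out["headers"] = (h1, h2, h3)
    return out
```

The in-window replay case shows that the timestamp window is the only replay bound the scheme gives, so a server that must refuse every duplicate would additionally remember keys it has already accepted.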
Referring to FIG. 3, this embodiment further provides a system for ensuring the ordering of Web resource requests, comprising a Web resource directed graph construction module 1, a root node judgment module 2, an HTTP header judgment module 3, an HTTP header check module 4, an illegal request processing module 5 and a flow ending module 6.
The Web resource directed graph construction module 1 is used by the control server to construct a Web resource directed graph according to the Web resources provided by the content service provider and to set a password for each Web resource according to its URI; the Web resource directed graph comprises access nodes and directed edges, where each access node corresponds to one Web resource and a directed edge indicates that a direct access path exists from its initial access node to its final access node; the Web resource directed graph construction module 1 further determines the parent node(s) corresponding to each access node.
The root node judgment module 2 is used, when the server receives an access request from the client, to judge whether the Web resource that the access request asks for corresponds to a root node in the Web resource directed graph; if so, the server passes the access request and processes it, replies to the client with an HTTP header to be added to the next access request, and transfers to the flow ending module 6; otherwise it transfers to the HTTP header judgment module 3. The HTTP header includes a client identifier uid, a reply timestamp t, a parent recording the URI of the current access request, and a check code key = md5{uid + t + parent + secret(parent)}, where secret(parent) represents the password corresponding to parent.
The HTTP header judgment module 3 is used by the server to judge whether the HTTP header of the current access request includes a complete uid, t, parent and key; if so, it transfers to the HTTP header check module 4, otherwise it judges the access request to be an illegal request and transfers to the illegal request processing module 5.
The HTTP header check module 4 is used by the server to check in turn whether t, parent and key in the HTTP header of the current access request are legal; if the check passes, the server passes the access request and processes it, replies to the client with a new HTTP header to be added to the next access request, and transfers to the flow ending module 6; otherwise it judges the access request to be an illegal request and transfers to the illegal request processing module 5.
It should be noted that the uid in the new HTTP header is taken directly from the HTTP header of the current access request, t is the time of the reply, parent is the URI of the current access request, and key is calculated as md5{uid + t + parent + secret(parent)} using the updated uid, t and parent.
Specifically, the HTTP header check module 4 further includes:
a first judgment sub-module, used to judge whether t is within a specified range; if so, it transfers to the second judgment sub-module, otherwise the check of the HTTP header check module 4 fails;
a second judgment sub-module, used to judge whether the URI recorded in parent is among the parent nodes of the access node corresponding to the URI of the current access request; if so, it transfers to the third judgment sub-module, otherwise the check of the HTTP header check module 4 fails;
and a third judgment sub-module, used to calculate md5{uid + t + parent + secret(parent)} from the uid, t and parent in the HTTP header of the current access request and to judge whether the result equals the key value in the HTTP header; if so, the check of the HTTP header check module 4 passes, otherwise it fails.
The illegal request processing module 5 is used to return an error to the client or directly discard the access request when the access request is judged to be an illegal request, and to transfer to the flow ending module 6.
The flow ending module 6 is used to end one round of the processing flow.
In this document, the terms front, back, upper and lower are used to define the components in the drawings and the positions of the components relative to each other, and are used for clarity and convenience of the technical solution. It is to be understood that the use of the directional terms should not be taken to limit the scope of the claims.
The embodiments and features of the embodiments described herein above may be combined with each other without conflict.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents, improvements and the like that fall within the spirit and principle of the present invention are intended to be included therein.

Claims (8)

1. A method for ensuring the ordering of Web resource requests, comprising the steps of:
S1. A control server constructs a Web resource directed graph according to the Web resources provided by a content service provider, and sets a password for each Web resource according to the URI of the Web resource;
S2. When the server receives an access request from the client, it judges whether the Web resource that the access request asks for corresponds to a root node in the Web resource directed graph; if so, the server passes the access request and processes it, replies to the client with an HTTP header to be added to the next access request, and goes to S6; otherwise, step S3 is executed. The HTTP header comprises a client identifier uid, a reply timestamp t, a parent recording the URI of the current access request, and a check code key, where the check code key is:
key = md5{uid + t + parent + secret(parent)},
where secret(parent) represents the password corresponding to parent;
S3. The server checks whether the HTTP header of the current access request contains uid, t, parent and key; if all are present, step S4 is executed, otherwise the access request is judged to be an illegal request and processing goes to S5;
S4. The server checks in turn whether t, parent and key in the HTTP header of the current access request are legal; if the check passes, the server passes the access request and processes it, replies to the client with a new HTTP header to be added to the next access request, and goes to S6; otherwise, the access request is judged to be an illegal request and processing goes to S5;
S5. When the access request is judged to be an illegal request, the server returns an error to the client or directly discards the access request, and goes to S6;
S6. The processing flow ends.
2. The method for ensuring the ordering of Web resource requests according to claim 1, wherein in step S1 the Web resource directed graph comprises access nodes and directed edges, where each access node corresponds to one Web resource and a directed edge indicates that a direct access path exists from its initial access node to its final access node; and while constructing the Web resource directed graph, the parent node(s) corresponding to each access node are determined.
3. The method for ensuring the ordering of Web resource requests according to claim 1 or 2, wherein the specific process of step S4 is as follows:
S41. Judge whether t is within a specified range; if so, continue to step S42, otherwise the check fails;
S42. Judge whether the URI recorded in parent is among the parent nodes of the access node corresponding to the URI of the current access request; if so, continue to step S43, otherwise the check fails;
S43. Calculate md5{uid + t + parent + secret(parent)} from the uid, t and parent in the HTTP header of the current access request, and judge whether the result equals the key value in the HTTP header; if so, the check passes, otherwise the check fails.
4. The method according to claim 1, wherein in step S4 the uid in the new HTTP header is taken directly from the HTTP header of the current access request, t is the time of the reply, parent is the URI of the current access request, and key is calculated as md5{uid + t + parent + secret(parent)} using the updated uid, t and parent.
5. A system for ensuring the ordering of Web resource requests, comprising:
a Web resource directed graph construction module, configured to control the server to construct a Web resource directed graph from the Web resources provided by the content service provider and to set a password for each Web resource according to its URI;
a root node judgment module, configured to judge, when the server receives an access request from the client, whether the Web resource that the access request seeks to access corresponds to a root node in the Web resource directed graph; if the judgment result is yes, the server passes the access request and processes it, at the same time replies to the client adding an HTTP header to be carried in the next access request, and turns to the flow ending module; otherwise, turning to the HTTP header judgment module; the HTTP header comprises a client identifier uid, a reply timestamp t, a parent recording the URI of the current access request, and a check code key = md5{uid + t + parent + secret(parent)}, where secret(parent) denotes the password corresponding to the parent;
an HTTP header judgment module, configured for the server to judge whether the HTTP header of the current access request contains the complete uid, t, parent and key; if the judgment result is yes, turning to the HTTP header check module, otherwise judging the access request to be an illegal request and turning to the illegal request processing module;
an HTTP header check module, configured for the server to sequentially check whether t, parent and key in the HTTP header of the current access request are legal; if the check passes, the server passes the access request and processes it, at the same time replies to the client again adding a new HTTP header to be carried in the next access request, and turns to the flow ending module; otherwise, judging the access request to be an illegal request and turning to the illegal request processing module;
an illegal request processing module, configured for the server to return an error to the client or directly discard the access request when the access request is judged to be an illegal request, and to turn to the flow ending module;
and a flow ending module, configured to end the current processing flow.
6. The system according to claim 5, wherein the Web resource directed graph constructed by the Web resource directed graph construction module comprises access nodes and directed edges, each access node corresponding to one Web resource and each directed edge indicating that a direct access path exists from its initial access node to its final access node; and the Web resource directed graph construction module also determines the parent node(s) corresponding to each access node.
7. The system for ensuring the ordering of Web resource requests according to claim 5 or 6, wherein the HTTP header check module comprises:
a first judgment sub-module, configured to judge whether t is within a specified range; if its judgment result is yes, turning to the second judgment sub-module, otherwise the check of the HTTP header check module fails;
a second judgment sub-module, configured to judge whether the URI recorded in parent is among the parent nodes of the access node corresponding to the URI of the current access request; if its judgment result is yes, turning to the third judgment sub-module, otherwise the check of the HTTP header check module fails;
and a third judgment sub-module, configured to calculate md5{uid + t + parent + secret(parent)} from uid, t and parent in the HTTP header of the current access request and to judge whether the result equals the key value in the HTTP header; if its judgment result is yes, the check of the HTTP header check module passes, otherwise it fails.
8. The system according to claim 5, wherein the uid in the new HTTP header added by the HTTP header check module is taken directly from the HTTP header of the current access request, t is the time of the reply, parent is the URI of the current access request, and key is obtained from the updated uid, t and parent by the formula md5{uid + t + parent + secret(parent)}.
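The server-side flow of claims 1 to 4, and equivalently the modules of claims 5 to 8, as an added worked example in Python. This is illustration code written for this page, not code from the patent or its assignee. Its assumptions: the graph edges and URIs are constructed; the claims do not say how uid, t, parent and secret(parent) are concatenated, so the fields are joined with "|" to keep their boundaries unambiguous; the "specified range" for t is modelled as a window parameter; the per-resource password is derived from a constructed server master key; and the uid handed out at a root node is a placeholder, since the claims do not say how it is first assigned. MD5 is used only because the claims name it; a deployment would normally use an HMAC construction for the check code, and the example already compares the code in constant time.

```python
"""Worked example of the Web resource ordering check (added illustration, not the patent's code).

Constructed graph, URIs and secrets; see the lead-in for the assumptions made.
"""
import hashlib
import hmac

# Step S1: a constructed Web resource directed graph. Each edge (initial, final)
# means a direct access path exists from the initial node to the final node.
# These URIs are assumptions, not taken from the patent.
EDGES = [
    ("/index", "/login"),
    ("/login", "/account"),
    ("/index", "/account"),
    ("/account", "/order"),
]
ROOTS = {"/index"}                 # entry points that need no header (S2)

# Assumption: a server-side master key from which each resource password is derived.
MASTER_KEY = b"constructed-server-master-key"


def build_parents(edges):
    """Derive the parent-node set of every access node from the directed edges (S1)."""
    parents = {}
    for initial, final in edges:
        parents.setdefault(initial, set())
        parents.setdefault(final, set()).add(initial)
    return parents


PARENTS = build_parents(EDGES)


def secret(uri):
    """Password set for a Web resource according to its URI (S1).

    The claims only say a password is set per URI; deriving it from a master
    key with HMAC-SHA256 is this example's assumption.
    """
    return hmac.new(MASTER_KEY, uri.encode(), hashlib.sha256).hexdigest()


def compute_key(uid, t, parent):
    """key = md5{uid + t + parent + secret(parent)} as written in the claims.

    Joining the fields with '|' is an assumption; the claims name no delimiter.
    MD5 is used here only because the claims specify it.
    """
    message = "|".join([uid, str(t), parent, secret(parent)])
    return hashlib.md5(message.encode()).hexdigest()


def issue_header(uid, current_uri, now):
    """HTTP header the client must carry on its next request (S2/S4, claims 4 and 8)."""
    return {"uid": uid, "t": str(now), "parent": current_uri,
            "key": compute_key(uid, now, current_uri)}


def illegal(reason):
    """S5: the server returns an error (or drops the request); reason names the failed step."""
    return {"allowed": False, "reason": reason, "header": None}


def handle_request(uri, headers, now, window=300, fresh_uid="client-1"):
    """Server-side decision for one access request, steps S2 to S5.

    now is the server clock in seconds; window is the 'specified range' of
    S41 (an assumed value); fresh_uid is the placeholder identifier assigned
    when a client starts at a root node.
    """
    if uri in ROOTS:                                   # S2: root node, always passes
        uid = headers.get("uid") or fresh_uid
        return {"allowed": True, "reason": "root", "header": issue_header(uid, uri, now)}

    fields = ("uid", "t", "parent", "key")
    if not all(headers.get(f) for f in fields):        # S3: all four fields must be present
        return illegal("missing")
    uid, t, parent, key = (headers[f] for f in fields)

    try:                                               # S41: timestamp within range
        age = now - int(t)
    except ValueError:
        return illegal("time")
    if not 0 <= age <= window:
        return illegal("time")

    if parent not in PARENTS.get(uri, set()):          # S42: parent must be a parent node of uri
        return illegal("parent")

    expected = compute_key(uid, int(t), parent)        # S43: recompute and compare the check code
    if not hmac.compare_digest(expected.encode(), str(key).encode()):
        return illegal("key")

    # Check passed: process the request and hand out the header for the next hop.
    return {"allowed": True, "reason": "ok", "header": issue_header(uid, uri, now)}


if __name__ == "__main__":
    first = handle_request("/index", {}, now=1000)
    second = handle_request("/login", first["header"], now=1010)
    skipped = handle_request("/order", first["header"], now=1010)
    print(second["reason"], skipped["reason"])        # ok parent
```

Because parent is bound into the check code together with the per-resource password, a client cannot jump from /index straight to /order by editing the parent field: the edited header fails S43 rather than S42, and a request that simply reuses an old header fails S41 once the window has passed.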
Priority Applications (1)

Application Number  Priority Date  Filing Date  Title                                                             Status
CN202010038343.2A   2020-01-14     2020-01-14   Method and system for ensuring ordering of Web resource requests  Active (granted as CN111259296B)

Publications (2)

Publication Number  Publication Date
CN111259296A        2020-06-09
CN111259296B        2023-03-10

Family

ID=70954021

Country Status (1)

Country Link
CN (1) CN111259296B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number  Priority date  Publication date  Assignee  Title
CN101388768A *  2008-10-21  2009-03-18  北京启明星辰信息技术股份有限公司  Method and device for detecting malicious HTTP requests
CN102739659A *  2012-06-16  2012-10-17  华南师范大学  Authentication method for preventing replay attacks
CN105491094A *  2014-09-24  2016-04-13  腾讯科技(深圳)有限公司  HTTP request handling method and device
CN105656912A *  2016-01-29  2016-06-08  广西咪付网络技术有限公司  Mobile intelligent terminal APP request process control method
CN107453878A *  2017-08-11  2017-12-08  四川长虹电器股份有限公司  Method for supporting tamper-proofing and anti-replay of REST APIs

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2018205840A (en) * 2017-05-30 2018-12-27 キヤノン株式会社 System, method therefor and program therefor

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
窦浩; 武艳文; 段升强. Analysis and research on security risk protection of Web applications. 2012, (No. 3), full text. *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant