CN112751878A - Page request processing method and device - Google Patents

Page request processing method and device

Info

Publication number
CN112751878A
Authority
CN
China
Prior art keywords
verification
token
client
request
server
Legal status
Granted
Application number
CN202011643345.0A
Other languages
Chinese (zh)
Other versions
CN112751878B (en)
Inventor
胡雨翠
张国兴
Current Assignee
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Original Assignee
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Events: application filed by Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd and Beijing Topsec Software Co Ltd; priority to CN202011643345.0A; publication of CN112751878A; application granted and published as CN112751878B. Legal status: Active.

Classifications (CPC)

    • H04L63/0807 Network security; authentication of entities using tickets, e.g. Kerberos
    • H04L63/068 Network security; key management in a packet data network using time-dependent keys, e.g. periodically changing keys
    • H04L63/1441 Network security; countermeasures against malicious traffic
    • H04L9/16 Cryptographic mechanisms using a plurality of keys or algorithms, the keys or algorithms being changed during operation
    • H04L9/3213 Cryptographic mechanisms including means for verifying the identity or authority of a user or for message authentication, involving a third party or a trusted authority, using tickets or tokens, e.g. Kerberos

Abstract

The application provides a page request processing method and device, which are applied to the field of network security, wherein the method applied to a server can comprise the following steps: receiving a plurality of requests sent by a client side at the same time and a verification token carried by each request; verifying the verification token by using a verification array stored locally, and deleting the verified verification token from the verification array; when the verification token passes the verification, generating a new verification token, and adding the new verification token into the verification array; and returning a response corresponding to the verified request and the new verification token to the client so that the client stores the received new verification token. In the above scheme, by managing and maintaining a plurality of verification tokens between the front end and the back end and updating the used verification tokens in time, the application range of defending the CSRF is expanded on the basis of implementing CSRF defense, so that the defense method provided by the embodiment of the present application can be compatible with parallel sessions.

Description

Page request processing method and device
Technical Field
The present application relates to the field of network security, and in particular, to a method and an apparatus for processing a page request.
Background
At present, in user authentication on the World Wide Web (Web), simple authentication can only ensure that a request was sent from the browser of a certain user; it cannot ensure that the user sent the request voluntarily. Cross-site Request Forgery (CSRF) exploits this weakness: by deceiving the browser, an attacker can access a website the user has already authenticated to and have forged operations executed (e.g., sending mails or messages, property operations, etc.), causing loss to the user.
In the prior art, in order to protect against CSRF, a valid check value is generally used for back-end check when a request is constructed, and after the back-end check is successful, a new valid check value is allocated to the next request of the front-end, so as to loop. Thus, since the attacker cannot forge the correct check value and the life cycle of the check value is short, the attacker cannot pass the check of the website.
However, the defense method described above is not compatible with parallel sessions. When a user browses a site in tabbed mode or in several browser windows, only the most recently opened form can be verified successfully and the earlier forms are wrongly rejected, so parallel sessions cannot be used; that is, the application range of the CSRF defense is small.
Disclosure of Invention
An object of the present invention is to provide a page request processing method and apparatus, so as to solve the technical problem of a smaller application range of CSRF defense.
In order to achieve the above purpose, the technical solutions provided in the embodiments of the present application are as follows:
In a first aspect, an embodiment of the present application provides a page request processing method, applied to a server, including: receiving a plurality of requests sent by a client at the same time and a verification token carried by each request; verifying the verification token by using a verification array stored locally, and deleting the verified verification token from the verification array, wherein the verification array comprises a plurality of verification tokens; when the verification token passes the verification, generating a new verification token and adding the new verification token to the verification array; and returning a response corresponding to the request and the new verification token to the client so that the client stores the received new verification token. In the above scheme, a plurality of verification tokens are managed and maintained between the front end (client) and the back end (server), and used verification tokens are updated in time, so that the application range of the CSRF defense is expanded on the basis of implementing CSRF defense, and the defense method provided by the embodiment of the present application is compatible with parallel sessions.
In an optional embodiment of the present application, before receiving a plurality of requests simultaneously sent by a client and an authentication token carried by each request, the method further includes: receiving a login request sent by the client to establish connection with the client according to the login request; and generating the verification array and sending the verification array to the client. In the above scheme, after the connection relationship between the client and the server is established through user login, the server may generate authentication data including a plurality of authentication tokens and send the authentication data to the client, so that the client may implement CSRF defense when initiating a parallel session to the server, thereby expanding the application range of CSRF defense.
In an optional embodiment of the present application, the generating the verification array includes: and generating the verification array and the aging time corresponding to each verification token in the verification array, so that the corresponding verification token is updated after the aging time is reached. In the above scheme, the generated verification token may correspond to an aging time, so as to further improve security when the client and the server perform data transmission.
In an optional embodiment of the present application, the receiving, by a client, a plurality of requests sent simultaneously and an authentication token carried by each request includes: receiving an encrypted data packet sent by the client; and decrypting the encrypted data packet to obtain the request and the verification token. In the above scheme, during the data transmission between the client and the server, the transmitted data can be encrypted, so that the security during the data transmission between the client and the server is further improved.
In a second aspect, an embodiment of the present application provides a page request processing method, applied to a client, including: when a plurality of requests are initiated simultaneously, allocating a verification token for each request from a verification array stored locally, and deleting the allocated verification token from the verification array; wherein the validation array comprises a plurality of validation tokens; sending the request and the authentication token to a server to enable the server to authenticate the authentication token; when the verification token passes the verification, receiving a response corresponding to the request returned by the server and a new verification token; adding the new verification token to the verification array. In the above scheme, a plurality of authentication tokens are managed and maintained between a front end (client) and a back end (server), and used authentication tokens are updated in time, so that the application range of defending CSRF is expanded on the basis of implementing CSRF defense, and the defense method provided by the embodiment of the present application can be compatible with parallel sessions.
In an optional embodiment of the present application, before allocating a verification token for each of a plurality of simultaneously initiated requests from the locally stored verification array and deleting the allocated verification token from the verification array, the method further comprises: acquiring user login information; sending a login request to the server according to the user login information so as to establish a connection with the server; and receiving the verification array sent by the server. In the above scheme, after the connection between the client and the server is established through user login, the client receives the verification data including the plurality of verification tokens generated by the server, so that the client can implement CSRF defense when initiating a parallel session to the server, thereby expanding the application range of CSRF defense.
In an optional embodiment of the present application, the sending the request and the authentication token to the server includes: encrypting the request and the verification token to obtain an encrypted data packet; and sending the encrypted data packet to the server. In the above scheme, during the data transmission between the client and the server, the transmitted data can be encrypted, so that the security during the data transmission between the client and the server is further improved.
In a third aspect, an embodiment of the present application provides a page request processing apparatus, which is applied to a server, and includes: a first receiving module, configured to receive a plurality of requests sent by the client at the same time and the verification token carried by each request; a verification module, configured to verify the verification token using a locally stored verification array and delete the verified verification token from the verification array, wherein the verification array comprises a plurality of verification tokens; a first generating module, configured to generate a new verification token when the verification token passes verification, and add the new verification token to the verification array; and a return module, configured to return a response corresponding to the request and the new verification token to the client so that the client stores the received new verification token. In the above scheme, a plurality of verification tokens are managed and maintained between the front end (client) and the back end (server), and used verification tokens are updated in time, so that the application range of the CSRF defense is expanded on the basis of implementing CSRF defense, and the defense method provided by the embodiment of the present application is compatible with parallel sessions.
In an alternative embodiment of the present application, the apparatus further comprises: the third receiving module is used for receiving the login request sent by the client so as to establish connection with the client according to the login request; and the second generation module is used for generating the verification array and sending the verification array to the client. In the above scheme, after the connection relationship between the client and the server is established through user login, the server may generate authentication data including a plurality of authentication tokens and send the authentication data to the client, so that the client may implement CSRF defense when initiating a parallel session to the server, thereby expanding the application range of CSRF defense.
In an optional embodiment of the present application, the second generating module is further configured to: and generating the verification array and the aging time corresponding to each verification token in the verification array, so that the corresponding verification token is updated after the aging time is reached. In the above scheme, the generated verification token may correspond to an aging time, so as to further improve security when the client and the server perform data transmission.
In an optional embodiment of the present application, the first receiving module is further configured to: receiving an encrypted data packet sent by the client; and decrypting the encrypted data packet to obtain the request and the verification token. In the above scheme, during the data transmission between the client and the server, the transmitted data can be encrypted, so that the security during the data transmission between the client and the server is further improved.
In a fourth aspect, an embodiment of the present application provides a page request processing apparatus, which is applied to a client, and includes: a distribution module, configured to allocate a verification token for each request from a locally stored verification array and delete the allocated verification token from the verification array when a plurality of requests are initiated simultaneously, wherein the verification array comprises a plurality of verification tokens; a sending module, configured to send the request and the verification token to a server, so that the server verifies the verification token; a second receiving module, configured to receive a response corresponding to the request returned by the server and a new verification token when the verification token passes the verification; and an adding module, configured to add the new verification token to the verification array. In the above scheme, a plurality of verification tokens are managed and maintained between the front end (client) and the back end (server), and used verification tokens are updated in time, so that the application range of the CSRF defense is expanded on the basis of implementing CSRF defense, and the defense method provided by the embodiment of the present application is compatible with parallel sessions.
In an alternative embodiment of the present application, the apparatus further comprises: the acquisition module is used for acquiring user login information; the establishing module is used for sending a login request to the server according to the user login information so as to establish connection with the server according to the login request; and the fourth receiving module is used for receiving the verification array sent by the server. In the above scheme, after the connection relationship between the client and the server is established through user login, the client may receive the authentication data including the plurality of authentication tokens generated by the server, so that the client may implement CSRF defense when initiating a parallel session to the server, thereby expanding the application range of CSRF defense.
In an optional embodiment of the present application, the sending module is further configured to: encrypting the request and the verification token to obtain an encrypted data packet; and sending the encrypted data packet to the server. In the above scheme, during the data transmission between the client and the server, the transmitted data can be encrypted, so that the security during the data transmission between the client and the server is further improved.
In a fifth aspect, an embodiment of the present application provides an electronic device, including: a processor, a memory, and a bus; the processor and the memory are communicated with each other through the bus; the memory stores program instructions executable by the processor, the processor invoking the program instructions to be able to perform a page request processing method as in the first or second aspect.
In a sixth aspect, embodiments of the present application provide a non-transitory computer-readable storage medium storing computer instructions that cause the computer to perform the page request processing method as in the first aspect or the second aspect.
In order to make the aforementioned objects, features and advantages of the present application more comprehensible, embodiments accompanied with figures are described in detail below.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are required to be used in the embodiments of the present application will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and that those skilled in the art can also obtain other related drawings based on the drawings without inventive efforts.
Fig. 1 is a block diagram illustrating a structure of a page request processing system according to an embodiment of the present disclosure;
fig. 2 is a flowchart of a process of establishing a connection between a server and a client according to an embodiment of the present application;
fig. 3 is a flowchart of a page request processing method according to an embodiment of the present application;
fig. 4 is a block diagram illustrating a structure of a page request processing apparatus applied to a server according to an embodiment of the present disclosure;
fig. 5 is a block diagram illustrating a structure of a page request processing apparatus applied to a client according to an embodiment of the present disclosure;
fig. 6 is a block diagram of an electronic device according to an embodiment of the present disclosure.
Detailed Description
Referring to fig. 1, fig. 1 is a block diagram illustrating a page request processing system according to an embodiment of the present disclosure, where the page request processing system 100 may include a server 101 and a client 102. The server 101 and the client 102 may be in communication connection in a wired or wireless manner, that is, the client 102 may send a request to the server 101 and the server 101 may return a corresponding response to the client 102 according to the received request.
Take the example where a user accesses the server 101 through a browser running on the client 102. When the user browses a site in tabbed mode or in multiple browser windows, the client 102 can be regarded as executing parallel sessions that each initiate requests to the server 101, and in this situation the single valid check value of the prior art cannot provide CSRF defense for every parallel session.
Based on the above analysis, the embodiment of the present application provides a page request processing method, which can be applied to the page request processing system 100, and while CSRF defense is guaranteed, parallel sessions are supported, and the page request processing method is higher in usability and wider in application range. The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application.
Referring to fig. 2, fig. 2 is a flowchart of a process of establishing a connection between a server and a client according to an embodiment of the present application, where the process of establishing a connection between a server and a client may include the following steps:
Step S201: the client acquires user login information.
Step S202: the client sends a login request to the server according to the user login information so as to establish connection with the server according to the login request.
Step S203: the server receives the login request sent by the client so as to establish a connection with the client according to the login request.
Step S204: the server generates a validation array and sends the validation array to the client.
Step S205: the client receives the verification array sent by the server.
Specifically, the client may obtain the user login information and send a login request to the server, the server may return a corresponding response to the client after receiving the login request sent by the client, and the client and the server may establish a connection relationship between the client and the server based on the login request and the returned response.
The client obtains the user login information in various ways, for example: the user can input login information through the interactive interface of the client, the client can also directly read the login information of the user from the cloud, and the like.
After the server establishes connection with the client, the server can generate a verification array and send the verification array to the client, and both the client and the server store the verification array. Wherein the validation array may comprise a plurality of validation tokens (tokens), each for validating the authenticity of a request sent by a client to a server.
As an embodiment, the server may randomly generate a plurality of verification values as the verification tokens. The embodiment of the present application does not specifically limit the specific verification value of a verification token or the number of verification tokens generated; for example, the server may generate 100 verification tokens in total, numbered from 1 to 100, or the server may generate a random number of irregular (non-sequential) verification tokens, which is not specifically limited in this embodiment of the present application.
As another embodiment, the administrator may set in advance the number of verification tokens to generate and the specific verification values of the generated verification tokens, and the server applies that setting. The number of verification tokens set by the administrator should be greater than the number of requests that the client may initiate simultaneously.
When the server generates the verification array, for example, to improve the security when the client and the server perform data transmission, the aging time of each verification token may be generated at the same time, that is, the step S204 may include the following steps:
A verification array and an aging time corresponding to each verification token in the verification array are generated, so that after the aging time is reached, the corresponding verification token is updated.
After the server generates an aging time for each verification token, the server may send the verification tokens and their aging times to the client together, so that both the server and the client store, in addition to each verification token, the aging time corresponding to it. When the aging time of a verification token is reached, the server and the client each delete that token from their locally stored verification array.
In one embodiment, after the server and the client delete the verification token after the aging time arrives, the server may generate a new verification token and a corresponding aging time and send the new verification token and the corresponding aging time to the client, so as to supplement the verification tokens in the verification arrays of the server and the client.
Alternatively, as another embodiment, after deleting a verification token whose aging time has been reached, the server and the client need not immediately generate a new verification token; instead, new verification tokens may be supplemented only when the number of verification tokens in the verification arrays of the server and the client falls below a preset threshold.
Similarly, the aging time in the embodiment of the present application is not specifically limited, and the aging times of the plurality of verification tokens may be the same or different, and those skilled in the art may appropriately adjust the aging times according to actual situations. The aging time set by a person skilled in the art may be longer than the cycle of heartbeat message interaction.
In the above scheme, after the connection relationship between the client and the server is established through user login, the server may generate authentication data including a plurality of authentication tokens and send the authentication data to the client, so that the client may implement CSRF defense when initiating a parallel session to the server, thereby expanding the application range of CSRF defense.
After the server and the client establish connection and the corresponding verification arrays are respectively stored, when the client initiates a request to the server, the page request processing method provided by the embodiment of the application can be executed. It can be understood that, when the client initiates a single request to the server, a person skilled in the art may implement the verification by combining with the prior art, which is not described in detail in this embodiment of the present application. The authentication process when a client initiates a parallel session to a server is described below.
Referring to fig. 3, fig. 3 is a flowchart of a page request processing method according to an embodiment of the present disclosure, where the page request processing method includes the following steps:
Step S301: when a client initiates a plurality of requests at the same time, it allocates a verification token for each request from a locally stored verification array and deletes the allocated verification tokens from the verification array.
Step S302: the client sends a request to the server along with an authentication token.
Step S303: the server receives a plurality of requests sent by the client side at the same time and the verification token carried by each request.
Step S304: the server verifies the validation token using the locally stored validation array and deletes the verified validation token from the validation array.
Step S305: when the verification token passes the verification, the server generates a new verification token and adds the new verification token to the verification array.
Step S306: the server returns a response corresponding to the request and a new authentication token to the client.
Step S307: the client receives the response corresponding to the verified request and the new verification token returned by the server.
Step S308: the client adds the new authentication token to the authentication array.
Specifically, when the client initiates multiple requests to the server at the same time, a different verification token may be allocated to each request from the locally stored verification array, and the corresponding verification token is deleted from the verification array. The client then sends each request together with its verification token to the server for verification.
The client may package the request and the verification token together and send the package to the server, or it may add the verification token to the request message itself. For example, if the request sent by the client to the server is an HTTP request, the verification token may be placed in a custom HTTP header field, or carried as a parameter in the HTTP message body, and so on.
After the server receives the plurality of requests and the verification token corresponding to each request, then for each request and its verification token, the server may verify the verification token against the locally stored verification array and delete that verification token from the verification array. The verification result falls into two cases: first, the verification token fails verification; second, the verification token passes verification.
In the first case, the server may disconnect from the client, and the server and the client may each release their stored verification arrays.
In the second case, the server may generate a new verification token and add it to the verification array. When the server returns the response corresponding to the request that passed verification to the client, it sends the newly generated verification token to the client at the same time. Similarly, the server may package the response and the verification token together and send the package to the client, or add the verification token to the response message; this is likewise not specifically limited in this embodiment of the present application.
After receiving the response corresponding to the request and the new verification token returned by the server, the client may add the new verification token to its verification array, so that the page request processing method described above can be repeated when subsequent requests are initiated.
It will be appreciated that when the connection between the server and the client is closed, the server and the client may each release their verification arrays.
In one embodiment, to improve security, an encrypted transmission mode may be adopted for the data transmitted between the server and the client. That is, the data transmission process between the server and the client specifically includes the following steps:
First, the client encrypts the request and the verification token to obtain an encrypted data packet.
Second, the client sends the encrypted data packet to the server.
Third, the server receives the encrypted data packet sent by the client.
Fourth, the server decrypts the encrypted data packet to obtain the request and the verification token.
In the above scheme, a plurality of verification tokens are managed and maintained between the front end (client) and the back end (server), and used verification tokens are replaced promptly. On the basis of implementing CSRF defense, this expands the range of scenarios in which the CSRF defense applies, so that the defense method provided by this embodiment of the present application is compatible with parallel sessions.
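The exchange of steps S301 to S308, including the failure case (disconnect and release the array) and the aging time of claim 3, as an added Python model that is not code from the patent or from the applicant; the Server and Client classes, the pool size, the 128-bit random tokens, the monotonic-clock expiry, the threaded parallel send and the credential check are all assumptions made for illustration. It goes slightly beyond the text in making the server's check-delete-replace sequence atomic under a lock, which is what keeps two parallel requests from spending the same token, and in showing that a replayed token is rejected.

```python
import secrets
import threading
import time
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Dict, List, Optional, Tuple


class Server:
    """Server side: holds the authoritative verification array (token -> expiry)."""

    def __init__(self, pool_size: int = 4, ttl_seconds: float = 600.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.pool_size = pool_size
        self.ttl = ttl_seconds            # per-token aging time (claim 3), assumed 10 min
        self.clock = clock
        self.tokens: Dict[str, float] = {}
        self.connected = False
        self._lock = threading.Lock()     # check, delete and replace must be atomic

    def _new_token(self) -> str:
        tok = secrets.token_hex(16)       # assumption: 128-bit random token
        self.tokens[tok] = self.clock() + self.ttl
        return tok

    def login(self, username: str, password: str) -> Optional[List[str]]:
        """Establish the connection and hand out the verification array (constructed check)."""
        if (username, password) != ("alice", "correct horse"):
            return None
        with self._lock:
            self.connected = True
            self.tokens.clear()
            return [self._new_token() for _ in range(self.pool_size)]

    def handle(self, request: str, token: str) -> Tuple[bool, str, Optional[str]]:
        """Steps S303-S306: verify, delete, and on success mint a replacement token."""
        with self._lock:
            if not self.connected:
                return False, "not connected", None
            expiry = self.tokens.pop(token, None)  # one-time use: remove it first
            if expiry is None or expiry < self.clock():
                # first case in the text: drop the connection and release the array
                self.connected = False
                self.tokens.clear()
                return False, "verification failed", None
            return True, f"ok:{request}", self._new_token()


class Client:
    """Client side: keeps its own copy of the array and spends one token per request."""

    def __init__(self, server: Server) -> None:
        self.server = server
        self.tokens: List[str] = []

    def login(self, username: str, password: str) -> bool:
        arr = self.server.login(username, password)
        if arr is None:
            return False
        self.tokens = list(arr)
        return True

    def send_parallel(self, requests: List[str]) -> List[Tuple[str, bool, str]]:
        """Steps S301, S302, S307 and S308 for several requests issued at once."""
        if len(requests) > len(self.tokens):
            raise RuntimeError("verification array too small for this many requests")
        # S301: allocate a distinct token per request and remove it locally first
        assigned = [(req, self.tokens.pop()) for req in requests]
        with ThreadPoolExecutor(max_workers=max(1, len(assigned))) as pool:
            # S302..S306 happen inside server.handle, concurrently per request
            outcomes = list(pool.map(lambda it: (it[0],) + self.server.handle(*it), assigned))
        results = []
        for req, ok, resp, new_tok in outcomes:
            if ok:
                self.tokens.append(new_tok)   # S308: refill the local array
            results.append((req, ok, resp))
        return results


def demo() -> dict:
    """Login, three parallel requests, then a replay of an already-spent token."""
    server = Server(pool_size=3)
    client = Client(server)
    assert client.login("alice", "correct horse")
    results = client.send_parallel(["GET /a", "POST /b", "POST /c"])
    in_sync = set(client.tokens) == set(server.tokens)
    spent = client.tokens.pop()
    server.handle("POST /d", spent)                      # spends the token legitimately
    replay_ok, _, _ = server.handle("POST /d", spent)    # same token again: rejected
    return {"results": results, "in_sync": in_sync, "replay_ok": replay_ok,
            "connected_after_replay": server.connected}
```

Encryption of the packet (the embodiment's first to fourth steps) is left out; in practice the transport is TLS, so the token itself only needs to be unguessable and single-use.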
Referring to fig. 4, fig. 4 is a block diagram illustrating the structure of a page request processing apparatus applied to a server according to an embodiment of the present disclosure, where the page request processing apparatus 400 may include: a first receiving module 401, configured to receive multiple requests sent by a client at the same time and the verification token carried in each request; a verification module 402, configured to verify the verification token using a locally stored verification array and delete the verified verification token from the verification array, wherein the verification array comprises a plurality of verification tokens; a first generating module 403, configured to generate a new verification token when the verification token passes verification and add the new verification token to the verification array; and a returning module 404, configured to return a response corresponding to the request and the new verification token to the client, so that the client stores the received new verification token.
In this embodiment of the application, a plurality of verification tokens are managed and maintained between the front end (client) and the back end (server), and used verification tokens are replaced promptly. On the basis of implementing CSRF defense, this expands the range of scenarios in which the CSRF defense applies, so that the defense method provided by this embodiment of the application is compatible with parallel sessions.
Further, the page request processing apparatus 400 further includes: a third receiving module, configured to receive a login request sent by the client so as to establish a connection with the client according to the login request; and a second generating module, configured to generate the verification array and send it to the client.
In this embodiment of the application, after the connection between the client and the server is established through user login, the server can generate a verification array comprising a plurality of verification tokens and send it to the client, so that the client can implement CSRF defense when initiating parallel sessions to the server, which expands the range of scenarios in which the CSRF defense applies.
Further, the second generating module is further configured to: generate the verification array and the aging time corresponding to each verification token in the verification array, so that the corresponding verification token is updated after its aging time is reached.
In this embodiment of the application, each generated verification token can be associated with an aging time, which further improves the security of data transmission between the client and the server.
Further, the first receiving module 401 is further configured to: receive an encrypted data packet sent by the client; and decrypt the encrypted data packet to obtain the request and the verification token.
In this embodiment of the application, the data transmitted between the client and the server can be encrypted, which further improves the security of data transmission between the client and the server.
Referring to fig. 5, fig. 5 is a block diagram illustrating the structure of a page request processing apparatus applied to a client according to an embodiment of the present disclosure, where the page request processing apparatus 500 may include: an allocating module 501, configured to, when multiple requests are initiated simultaneously, allocate one verification token to each request from a locally stored verification array and delete the allocated verification token from the verification array, wherein the verification array comprises a plurality of verification tokens; a sending module 502, configured to send the request and the verification token to a server, so that the server verifies the verification token; a second receiving module 503, configured to receive, when the verification token passes verification, a response corresponding to the request and a new verification token returned by the server; and an adding module 504, configured to add the new verification token to the verification array.
In this embodiment of the application, a plurality of verification tokens are managed and maintained between the front end (client) and the back end (server), and used verification tokens are replaced promptly. On the basis of implementing CSRF defense, this expands the range of scenarios in which the CSRF defense applies, so that the defense method provided by this embodiment of the application is compatible with parallel sessions.
Further, the page request processing apparatus 500 further includes: an acquisition module, configured to acquire user login information; an establishing module, configured to send a login request to the server according to the user login information so as to establish a connection with the server according to the login request; and a fourth receiving module, configured to receive the verification array sent by the server.
In this embodiment of the application, after the connection between the client and the server is established through user login, the client can receive the verification array comprising a plurality of verification tokens generated by the server, so that the client can implement CSRF defense when initiating parallel sessions to the server, which expands the range of scenarios in which the CSRF defense applies.
Further, the sending module 502 is further configured to: encrypt the request and the verification token to obtain an encrypted data packet; and send the encrypted data packet to the server.
In this embodiment of the application, the data transmitted between the client and the server can be encrypted, which further improves the security of data transmission between the client and the server.
Referring to fig. 6, fig. 6 is a block diagram of an electronic device according to an embodiment of the present disclosure, where the electronic device 600 includes: at least one processor 601, at least one communication interface 602, at least one memory 603, and at least one communication bus 604. Wherein the communication bus 604 is used for implementing direct connection communication of these components, the communication interface 602 is used for communicating signaling or data with other node devices, and the memory 603 stores machine-readable instructions executable by the processor 601. When the electronic device 600 is in operation, the processor 601 communicates with the memory 603 via the communication bus 604, and the machine-readable instructions, when called by the processor 601, perform the page request processing method described above.
For example, the processor 601 of this embodiment of the present application may implement the following method by reading the computer program from the memory 603 through the communication bus 604 and executing it: Step S201: when a client initiates a plurality of requests at the same time, a verification token is allocated to each request from a locally stored verification array, and the allocated verification tokens are deleted from the verification array. Step S202: the client sends each request to the server together with its verification token. Step S203: the server receives the plurality of requests sent by the client at the same time and the verification token carried by each request. Step S204: the server verifies the verification token using its locally stored verification array and deletes the verified verification token from the verification array. Step S205: when the verification token passes verification, the server generates a new verification token and adds the new verification token to the verification array. Step S206: the server returns a response corresponding to the verified request and the new verification token to the client. Step S207: the client receives the response corresponding to the request that passed verification and the new verification token returned by the server. Step S208: the client adds the new verification token to its verification array.
The processor 601 may be an integrated circuit chip having signal processing capabilities. The processor 601 may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; it may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field-Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, which may implement or perform the various methods, steps, and logic blocks disclosed in the embodiments of the present application. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
The memory 603 may include, but is not limited to, Random Access Memory (RAM), Read Only Memory (ROM), Programmable Read Only Memory (PROM), Erasable Programmable Read Only Memory (EPROM), Electrically Erasable Programmable Read Only Memory (EEPROM), and the like.
It will be appreciated that the configuration shown in fig. 6 is merely illustrative and that the electronic device 600 may include more or fewer components than shown in fig. 6, or have a different configuration from that shown in fig. 6. The components shown in fig. 6 may be implemented in hardware, software, or a combination thereof. In this embodiment, the electronic device 600 may be, but is not limited to, a physical device such as a desktop computer, a laptop, a smartphone, a smart wearable device or a vehicle-mounted device, and may also be a virtual device such as a virtual machine. In addition, the electronic device 600 is not necessarily a single device, but may also be a combination of multiple devices, such as a server cluster. In this embodiment of the application, both the server and the client in the page request processing method may be implemented using the electronic device 600 shown in fig. 6.
Embodiments of the present application further provide a computer program product, including a computer program stored on a non-transitory computer-readable storage medium, where the computer program includes program instructions, and when the program instructions are executed by a computer, the computer is capable of executing the steps of the page request processing method in the foregoing embodiments, for example, including: receiving a plurality of requests sent by a client side at the same time and a verification token carried by each request; verifying the verification token by using a verification array stored locally, and deleting the verified verification token from the verification array; wherein the validation array comprises a plurality of validation tokens; when the verification token passes the verification, generating a new verification token and adding the new verification token to the verification array; returning a response corresponding to the authenticated request and the new authentication token to the client, so that the client stores the received new authentication token.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one logical division, and there may be other divisions when actually implemented, and for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection of devices or units through some communication interfaces, and may be in an electrical, mechanical or other form.
In addition, units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
Furthermore, the functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
In this document, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions.
The above description is only an example of the present application and is not intended to limit the scope of the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application.

Claims (11)

1. A page request processing method, applied to a server, comprising the following steps:
receiving a plurality of requests sent by a client side at the same time and a verification token carried by each request;
verifying the verification token by using a verification array stored locally, and deleting the verified verification token from the verification array; wherein the validation array comprises a plurality of validation tokens;
when the verification token passes the verification, generating a new verification token and adding the new verification token to the verification array;
and returning a response corresponding to the request and the new verification token to the client, so that the client stores the received new verification token.
2. The method for processing a page request according to claim 1, wherein before receiving a plurality of requests sent by the client at the same time and the authentication token carried by each request, the method further comprises:
receiving a login request sent by the client to establish connection with the client according to the login request;
and generating the verification array and sending the verification array to the client.
3. The page request processing method of claim 2, wherein the generating the validation array comprises:
and generating the verification array and the aging time corresponding to each verification token in the verification array, so that the corresponding verification token is updated after the aging time is reached.
4. The method for processing a page request according to claim 1, wherein the receiving a plurality of requests sent by a client at the same time and the authentication token carried by each request comprises:
receiving an encrypted data packet sent by the client;
and decrypting the encrypted data packet to obtain the request and the verification token.
5. A page request processing method, applied to a client, comprising the following steps:
when a plurality of requests are initiated simultaneously, allocating a verification token for each request from a verification array stored locally, and deleting the allocated verification token from the verification array; wherein the validation array comprises a plurality of validation tokens;
sending the request and the authentication token to a server to enable the server to authenticate the authentication token;
when the verification token passes the verification, receiving a response corresponding to the request returned by the server and a new verification token;
adding the new verification token to the verification array.
6. The method for processing a page request according to claim 5, wherein before allocating a verification token for each request from a locally stored verification array and deleting the allocated verification token from the verification array when a plurality of requests are initiated simultaneously, the method further comprises:
acquiring user login information;
sending a login request to the server according to the user login information so as to establish connection with the server according to the login request;
and receiving the verification array sent by the server.
7. The method for processing a page request according to claim 5, wherein said sending the request and the authentication token to the server comprises:
encrypting the request and the verification token to obtain an encrypted data packet;
and sending the encrypted data packet to the server.
8. A page request processing apparatus, applied to a server, comprising:
the first receiving module is used for receiving a plurality of requests sent by the client side at the same time and the verification token carried by each request;
the verification module is used for verifying the verification token by utilizing a locally stored verification array and deleting the verified verification token from the verification array; wherein the validation array comprises a plurality of validation tokens;
a first generating module, configured to generate a new verification token when the verification token passes verification, and add the new verification token to the verification array;
and a return module, configured to return a response corresponding to the request and the new verification token to the client, so that the client stores the received new verification token.
9. A page request processing apparatus, applied to a client, comprising:
an allocating module, configured to, when a plurality of requests are initiated simultaneously, allocate a verification token for each request from a locally stored verification array and delete the allocated verification token from the verification array; wherein the verification array comprises a plurality of verification tokens;
a sending module, configured to send the request and the authentication token to a server, so that the server authenticates the authentication token;
the second receiving module is used for receiving a response corresponding to the request returned by the server and a new verification token when the verification token passes the verification;
an adding module for adding the new verification token to the verification array.
10. An electronic device, comprising: a processor, a memory, and a bus;
the processor and the memory communicate with each other through the bus;
the memory stores program instructions executable by the processor, the processor invoking the program instructions to perform the page request processing method of any of claims 1-4 or the page request processing method of any of claims 5-7.
11. A non-transitory computer-readable storage medium storing computer instructions which, when executed by a computer, cause the computer to perform the page request processing method according to any one of claims 1 to 4 or the page request processing method according to any one of claims 5 to 7.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011643345.0A CN112751878B (en) 2020-12-30 2020-12-30 Page request processing method and device
Publications (2)

Publication Number Publication Date
CN112751878A true CN112751878A (en) 2021-05-04
CN112751878B CN112751878B (en) 2023-03-24
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant