
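How to determine whether a request was submitted from the website (a security question)

Popularity: 80   Posted: 2016-04-17 14:01:14.0
How can I determine whether a request was submitted from the website? A security question
I want to reject all requests submitted from outside the site. How should I implement this? All requests may only be made through hyperlinks within the website. It should be forbidden to construct a form locally and submit data to the website. It is also a bit like hotlink protection: the site's pages must be opened by clicking a link on the website itself.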

------Solution--------------------

request.getHeader("Referer");
and check it.
------Solution--------------------
login.asp
The following is the program code:

……
<form action="verify.asp" method="post" name="login">
<input type="hidden" name="referer" value="<%=Request.ServerVariables("HTTP_REFERER")%>">
<input type="hidden" name="ser_name" value="<%=Request.ServerVariables("SERVER_NAME")%>">
用户名 <input type=text name=name value="" maxlength="20">
密码 <input type=password name=pwd value="" maxlength="20">
<input type=submit name=bt value="确认">
<input type=reset name=bt value="重置">
</form>
……
Two parameters are passed here: referer and ser_name

verify.asp
The following is the program code:

……
dim referer,ser_name
'Get these 2 parameters
referer=Cstr(Request.ServerVariables("HTTP_REFERER"))
ser_name=Cstr(Request.ServerVariables("SERVER_NAME"))
'Check where the browser came from
'(position 8 is the first character after "http://")
if mid(referer,8,len(ser_name)) <> ser_name then
response.redirect "login.asp"
end if
……
JSP
out.println("session.isNew(): " + session.isNew() + "<br>");
out.println("session.getCreationTime(): " + session.getCreationTime() + "<br>");
out.println("session.getId(): " + session.getId() + "<br>");
out.println("request.getContextPath() " + request.getContextPath() + "<br>");
out.println("request.getRemoteAddr() " + request.getRemoteAddr() + "<br>");
out.println("request.getRemoteHost() " + request.getRemoteHost() + "<br>");
out.println("request.getRemoteUser() " + request.getRemoteUser() + "<br>");
out.println("request.getRequestURI() " + request.getRequestURI() + "<br>");
out.println("request.getRequestURL() " + request.getRequestURL() + "<br>");
out.println("request.getServerName() " + request.getServerName() + "<br>");
This way, if you did not submit the data from this website, you will not be able to log in successfully.
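
An added example, not part of the original posts: the same Referer check written in Java, comparing the parsed host with the server name exactly instead of by character position, so it also covers https and rejects a missing header. The class name RefererCheck, the method isSameSite and the sample URLs are assumptions made for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;

public class RefererCheck {

    // True only if the Referer is an http(s) URL whose host is exactly serverName.
    // In a servlet the inputs would be request.getHeader("Referer") and
    // request.getServerName(). The header is sent by the client, so this only
    // screens ordinary browser submissions; it is not proof of origin.
    static boolean isSameSite(String referer, String serverName) {
        if (referer == null || referer.trim().isEmpty()) {
            return false;                       // header absent: reject
        }
        try {
            URI uri = new URI(referer.trim());
            String scheme = uri.getScheme();
            String host = uri.getHost();
            if (scheme == null || host == null) {
                return false;                   // relative or host-less value
            }
            boolean web = scheme.equalsIgnoreCase("http")
                       || scheme.equalsIgnoreCase("https");
            // Whole-host comparison, so a longer host name that merely
            // begins with serverName does not match.
            return web && host.equalsIgnoreCase(serverName);
        } catch (URISyntaxException e) {
            return false;                       // unparseable header
        }
    }

    public static void main(String[] args) {
        String server = "www.example.com";      // constructed sample values
        String[] samples = {
            "http://www.example.com/login.jsp",
            "https://www.example.com/login.jsp",
            "http://www.example.com.other.test/form.html",
            "file:///C:/form.html",
            "not a url",
            null
        };
        for (String s : samples) {
            System.out.println(isSameSite(s, server) + "  " + s);
        }
    }
}
```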