Web front end

  1. A fresh random token is generated for every AJAX request (POST and GET alike).
  2. The token is sent in the request header named HALO_TOKEN, so it travels to the server as part of every AJAX request.
  3. When the server answers with the special error code 0008, the front end shows a CSRF risk warning.
Token creation
  1. Read the SEED value. The SEED is either the sessionId or a fixed value agreed with the server. A 24-byte SEED is recommended, because that is the 3DES key length; a shorter SEED is padded with zeros.

  2. Before each request is sent, a random, reversible plaintext is built from the SEED and the current client time in milliseconds:

    • Randomly pick 5 positions within the length of the SEED.
    • Pair each position with the SEED character found at that position, written as position:character.
    • Join all pairs with ',' into one string.
    • Append '_' followed by the current client time in milliseconds; the result is the plaintext.
  3. Encrypt the plaintext from step 2 with 3DES, using the SEED as the key, to obtain the ciphertext.

  4. Base64-encode the ciphertext; the result is the token.

Getting and setting the SEED

Front-end developers can obtain a valid SEED in one of two ways:

SessionID as the SEED
  1. After the user logs in successfully, the front end calls "/web/sessionID" and reads the current user's sessionID from the data field of the response.
  2. Note: store the sessionId in the browser's localStorage:
localStorage.setItem("_HALOSESSIONID", sessionId);
Anything kept in localStorage is readable by every script running on the origin, so a session identifier stored this way no longer has the protection an HttpOnly cookie would give it.
Fixed SEED
  1. When the user first visits the site, the JS stores a fixed SEED value, agreed with the server developer, in localStorage.

Note: a fixed SEED requires coordination with the server side; the configuration on both sides must match. Because a fixed SEED ships inside the client script, it is not secret from anyone who can load the page; only the per-session SEED ties the token to a value that a page on another origin should not know.

Server side

  1. Intercept all Spring MVC requests.
  2. Read the token from the HALO_TOKEN request header; if it is absent, return error 0008.
  3. Decrypt and verify the token content.
  4. Depending on the verification result, either run the business logic or return error 0008.
Token decryption and verification
  1. Get the SEED for the current request.
  2. Base64-decode the token to recover the ciphertext.
  3. Decrypt the ciphertext with 3DES, using the SEED as the key.
  4. Verify the decrypted content:
    • Split the decrypted text at '_'. The first part is the list of position:character pairs; every character must equal the SEED character at the given position.
    • The second part is the client timestamp in milliseconds; its difference from the current server time must not exceed N x 60000, where N is the allowed number of minutes.
SEED reading strategy

The backend tries two ways of obtaining the SEED value. If the first fails, the second is tried; if neither yields a value, an error is reported.

  1. First read the configuration item web.csrf.token.seed; if it is non-null, use it as the SEED.
  2. Otherwise, use the sessionId of the current request as the SEED.