Manual:Edit token/zh

编辑令牌（亦為csrf 令牌）是一个Mediawiki服务器生成的随机字符串. 客户端获得此编辑令牌后才可以编辑页面. 编辑令牌用于确保用户真的想编辑页面，而不是误点击某个外部链接而不自觉地编辑了什么页面. 另见cross-site request forgery.

Note: the content of this page needs confirmation by developers.

Why edit tokens are needed
Edit tokens serve as an additional security measure when performing changes. If only the cookie were used to check the user's identity, an external site could use a link similar to the following to make its visitors change the wiki:
http://en.wikipedia.org/w/index.php?title=Image:Abcd.jpg&action=delete&oldimage=324242234
Following such a link would cause an administrator to unknowingly request the deletion of an image. If the administrator is still logged in, the server would check the cookie and grant the request.

For this reason, actions that perform changes require an additional piece of data that is passed as an HTTP parameter, the edit token. An edit token is embedded into web pages from which the user can request a change; this includes the edit form (where one can change a page by pressing "Save your changes") but also the image description pages (where an administrator can request deletion of an old version of an image), contributor histories (where administrators can rollback), etc.

When the user actually requests the change to be done (by pressing a button or following a link), the edit token is sent back to the server. This proves to the server that the user has requested the change directly from the site and not from an external site, as external sites do not have access to the edit token of the user.
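The following is an added example, not MediaWiki's own code: a minimal server-side model of the two paragraphs above. Sessions are an in-memory dict keyed by the session cookie value, the request parameter name `token` is a hypothetical name, and the forged URL is the one quoted in the text. A browser following a link sends the session cookie automatically, so a cookie-only handler accepts the cross-site request; a handler that also requires the edit token rejects it, because the external site never sees the token embedded in pages rendered for the victim.

```python
import secrets
from urllib.parse import urlparse, parse_qs

# Constructed in-memory session store: cookie value -> session data.
SESSIONS = {}

def login(username):
    """Start a session; returns the cookie value the browser will keep sending."""
    cookie = secrets.token_hex(16)
    SESSIONS[cookie] = {"user": username, "edit_token": secrets.token_hex(16)}
    return cookie

def edit_token_for(cookie):
    """The token the server embeds into pages it renders for this session."""
    return SESSIONS[cookie]["edit_token"]

def delete_cookie_only(request):
    """Weak handler: the session cookie alone authorises the action."""
    session = SESSIONS.get(request["cookie"])
    if session is None:
        return "denied: not logged in"
    return "deleted %s by %s" % (request["params"].get("title", "?"), session["user"])

def delete_with_token(request):
    """Hardened handler: the request must also carry this session's edit token."""
    session = SESSIONS.get(request["cookie"])
    if session is None:
        return "denied: not logged in"
    token = request["params"].get("token", "")   # "token" is a hypothetical parameter name
    # compare_digest: constant-time, and False (not an exception) on length mismatch
    if not secrets.compare_digest(token.encode(), session["edit_token"].encode()):
        return "denied: badtoken"
    return "deleted %s by %s" % (request["params"].get("title", "?"), session["user"])

def request_from_url(url, cookie):
    """Model a browser following a link: parameters from the query string,
    session cookie attached automatically by the browser."""
    params = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    return {"cookie": cookie, "params": params}

# The link quoted in the text; an external site can craft it but cannot add the token.
FORGED_URL = ("http://en.wikipedia.org/w/index.php"
              "?title=Image:Abcd.jpg&action=delete&oldimage=324242234")

def cross_site_request(victim_cookie):
    """What arrives when a logged-in victim follows the external link."""
    return request_from_url(FORGED_URL, victim_cookie)

def same_site_request(cookie):
    """A click inside the wiki: the page rendered for this session embedded the token."""
    return request_from_url(FORGED_URL + "&token=" + edit_token_for(cookie), cookie)

if __name__ == "__main__":
    admin = login("Admin")
    print(delete_cookie_only(cross_site_request(admin)))   # forged request accepted
    print(delete_with_token(cross_site_request(admin)))    # forged request rejected
    print(delete_with_token(same_site_request(admin)))     # genuine request accepted
```

Note that a token belonging to a different session (for instance one the attacker obtained by logging in themselves) does not help: the hardened handler compares against the token of the session identified by the cookie, so the attacker's own token is rejected when sent with the victim's cookie.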

How it works
An edit token is a random string stored in the PHP session, an associative array kept on the server and tied to the client across requests by a session cookie (e.g., the enwiki_session cookie on the English Wikipedia). The edit token is stored in a dedicated element of the PHP session.

Edit tokens are embedded into web pages from which the user can request a change. When such a page is generated, the edit token is retrieved from that element of the PHP session if it exists; otherwise, a random string is generated and stored in that element.

What is actually embedded into the web page is not the session element itself. Rather, this element is concatenated with the salt, a string that depends on the particular action and page; the resulting string is then MD5-hashed, and the hash is what is embedded in the web page. When the user actually requests the action, this string is sent back to the server via an HTTP parameter. The server can then check the correctness of this parameter: it repeats the procedure used to generate it from the PHP session and checks whether the result equals the parameter.

Expiry
An edit token returned by the server can be reused multiple times for different edit operations. The token is only valid for a certain period. An API call made with a stale token returns a "badtoken" error; in that case a new edit token must be fetched from the server before the operation is retried.
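The retry pattern the paragraph above calls for, as an added example that is not part of the original page. `FakeWikiApi` is a constructed stand-in for the wiki's API (it hands out one valid token and answers any other token with a "badtoken" error, like the real API does according to the text); `TokenClient` caches a token across many calls, and on "badtoken" fetches a fresh token and retries exactly once, so a server that keeps rejecting the client cannot trap it in a loop. Method and field names are hypothetical.

```python
import secrets

class FakeWikiApi:
    """Constructed stand-in for the wiki API: one valid token per session,
    replaced when the session expires; any other token gets badtoken."""
    def __init__(self, reject_all=False):
        self.token = secrets.token_hex(8) + "\\"
        self.reject_all = reject_all          # simulate a server that never accepts
        self.log = []                         # (action, outcome), for inspection

    def fetch_token(self):
        """What a token-fetching API request would return."""
        return self.token

    def expire_session(self):
        """Simulate the server dropping the session: previously issued tokens stop working."""
        self.token = secrets.token_hex(8) + "\\"

    def post(self, action, token, **params):
        if self.reject_all or token != self.token:
            self.log.append((action, "badtoken"))
            return {"error": {"code": "badtoken", "info": "Invalid token"}}
        self.log.append((action, "ok"))
        return {action: {"result": "Success", **params}}


class TokenClient:
    """Reuses one token for many calls; refreshes it once if the server says badtoken."""
    def __init__(self, api):
        self.api = api
        self.token = None

    def post_with_token(self, action, **params):
        if self.token is None:
            self.token = self.api.fetch_token()
        resp = self.api.post(action, self.token, **params)
        if resp.get("error", {}).get("code") == "badtoken":
            # The token went stale after we fetched it (session expired).
            # Refresh and retry exactly once; a second failure is reported to the caller.
            self.token = self.api.fetch_token()
            resp = self.api.post(action, self.token, **params)
        return resp


if __name__ == "__main__":
    api = FakeWikiApi()
    client = TokenClient(api)
    client.post_with_token("edit", title="A")
    client.post_with_token("edit", title="B")   # same cached token, no re-fetch
    api.expire_session()
    client.post_with_token("edit", title="C")   # badtoken, refresh, retry: succeeds
    print(api.log)
```

The retry is bounded on purpose: the refreshed token is fetched once, and if the server still answers "badtoken" the error is returned to the caller instead of being retried again.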

Source code
Edit tokens are mainly dealt with in the User.php source file, in particular by the following methods.
 * getEditToken(salt) : returns the MD5 hash of the concatenation of the edit-token element of the PHP session with the salt; if that element does not exist in the PHP session, a random one is generated first. See the getEditToken function in the repository.
 * matchEditToken(token, salt) : checks whether its first argument is a valid edit token with respect to the salt; this is done by repeating the generation procedure, i.e. calling getEditToken(salt), and comparing the result with the first argument.

Salt
The default salt is the empty string, and most actions use this default value. As a result, an edit token received from the server to perform an initial action on a page can also be used to perform further actions on other pages. However, since the edit token is derived from the PHP session, it can only be used as long as the session is kept on the server and the client still has the corresponding session cookie (e.g., the enwiki_session cookie).

An edit-token hash generated with a salt can be used to perform further actions only if the server and the client use the same salt. It follows that if the salt is specific to the page where the initial action is performed, the same edit-token hash cannot be used to trigger actions on other pages.


Actions not using the default empty salt are:
 * rollback : the salt is the title of the article (including the namespace prefix) concatenated with the name of the user whose edits are to be reverted;
 * delete an old version of an image : the salt is the value of the parameter identifying the old version (when deleting all versions this parameter is the empty string, which is also the default salt);
 * Special:UserRights : the salt is the username of the user whose properties are to be changed;
 * Special:Watchlist/clear : the salt is the string 'clearwatchlist'
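The derivation from the "How it works" section and the salts listed above, as an added example that is not the User.php code. The session is a plain dict, the key holding the per-session secret is a hypothetical name, and the trailing suffix is the backslash described below for r18112 (the page does not give the later value). Besides showing the md5(secret + salt) construction, the example shows why the salt matters: a default-salt token validates anywhere in the same session, while a rollback token for one article and user does not validate for a different user, and no token validates in another session.

```python
import hashlib
import secrets

SECRET_KEY = "edit_token_secret"   # hypothetical name of the session element
TOKEN_SUFFIX = "\\"                # trailing backslash suffix of r18112
ANON_TOKEN = "\\"                  # anonymous users get a token made of the suffix alone

def get_edit_token(session, salt="", logged_in=True):
    """md5(secret + salt) + suffix; the per-session secret is created on first use."""
    if not logged_in:
        return ANON_TOKEN
    secret = session.get(SECRET_KEY)
    if secret is None:
        secret = secrets.token_hex(16)
        session[SECRET_KEY] = secret
    return hashlib.md5((secret + salt).encode()).hexdigest() + TOKEN_SUFFIX

def match_edit_token(session, token, salt="", logged_in=True):
    """Recompute the token for this session and salt, compare in constant time."""
    expected = get_edit_token(session, salt, logged_in)
    return secrets.compare_digest(expected.encode(), str(token).encode())

# Salts of the non-default actions listed above, built as the text describes.
def rollback_salt(prefixed_title, reverted_user):
    return prefixed_title + reverted_user

def old_image_salt(old_version=""):
    return old_version            # empty string when deleting all versions

def userrights_salt(username):
    return username

CLEAR_WATCHLIST_SALT = "clearwatchlist"

if __name__ == "__main__":
    session = {}
    page_token = get_edit_token(session)                      # default empty salt
    print(page_token, match_edit_token(session, page_token))  # reusable on any page
    rb = get_edit_token(session, rollback_salt("Talk:Foo", "Alice"))
    print(match_edit_token(session, rb, rollback_salt("Talk:Foo", "Bob")))   # False
```

Two caveats a practitioner would want. First, the example compares with `secrets.compare_digest`; the comparison used by the real code is not described on this page. Second, the rollback salt is built by plain concatenation, as the text says, which makes the pairs ("Talk:Foo", "Bar") and ("Talk:FooB", "ar") produce the same salt; an implementation should join the components with a delimiter that cannot occur in a title.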

Edit token suffix
Since revision 18112, a trailing backslash has been appended to edit tokens, and edit tokens consisting of a single backslash were introduced for anonymous users. This change was made to keep broken proxies from editing: proxies that cannot handle the backslash correctly typically also mangle wiki markup. The suffix was changed again in r23287 to also catch broken proxies that mangle the '+' character.

Retrieving the token on the client
In 1.18 and later you no longer need an AJAX request to retrieve an edit token: the token is already exposed to client-side code, provided your module declares mediawiki.user as a ResourceLoader dependency. It is recommended to use the helper method that handles the case where the token has expired after the page was loaded: it fetches a fresh token and retries the request automatically.