How to store Session ID securely


Question

I am a student learning about cryptography. After searching online, I am still unable to find an answer to my question. I am wondering how to store a session ID securely for an ecommerce website. If it is possible, how so? Please do explain it in layman's terms. Looking forward to your helpful answers.

Cheers

Answer

Session IDs are usually just a random (opaque) identifier that is passed between the client and the server. The server uses the identifier to look up state information (e.g. current cart content) in the database.

As a practical matter, you have to trust that the client will protect the session id, as once you send it to them, it becomes a static token -- no amount of cryptography can fix the fact that anyone can present a session id and then pretend to be the user.

There are some things that you can do to mitigate issues:

  1. ensure you are using a "secure enough" random generator to build the token
  2. make sure the transmission of the token is as secure as possible against eavesdropping or client-side theft (e.g. use SSL, httponly and secure cookie flags)
  3. give the token a reasonable timeout, and require the user to request a new token periodically using e.g. a refresh token or re-login.

A lot of thought has gone into how this can work practically - have a look at the OAuth2 / OpenID Connect protocols.
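The three mitigations above, as an added example that is not part of the answer: an opaque token from the OS CSPRNG, a cookie sent with the Secure and HttpOnly flags, a per-token timeout, and a rotate step that hands out a fresh token and kills the old one. The cookie name, the 15-minute lifetime, and the choice to key the server-side store by a hash of the token (so a leaked copy of the table is not a list of live sessions) are assumptions of this example.

```python
import hashlib
import secrets
from dataclasses import dataclass, field

SESSION_TTL = 15 * 60   # assumption: each token is valid for 15 minutes
COOKIE_NAME = "sid"     # assumption: cookie name used by the shop

@dataclass
class Session:
    user_id: str
    expires_at: float
    cart: list = field(default_factory=list)

# Server-side store keyed by SHA-256(token): a leaked copy of this table does
# not hand out usable session IDs (extra hardening assumed by this example).
_sessions = {}

def _key(token):
    return hashlib.sha256(token.encode()).hexdigest()

def new_session(user_id, now):
    """Create a session and return the opaque token the client will hold."""
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, no user data inside
    _sessions[_key(token)] = Session(user_id, now + SESSION_TTL)
    return token

def set_cookie_header(token):
    """Cookie flags: Secure (TLS only), HttpOnly (no script access), SameSite."""
    return (f"{COOKIE_NAME}={token}; Path=/; Max-Age={SESSION_TTL}; "
            "Secure; HttpOnly; SameSite=Lax")

def lookup(token, now):
    """Resolve a presented token; an expired token is deleted and yields None."""
    sess = _sessions.get(_key(token))
    if sess is None:
        return None
    if now >= sess.expires_at:
        del _sessions[_key(token)]
        return None
    return sess

def rotate(token, now):
    """Issue a fresh token for a valid session and invalidate the old one."""
    sess = lookup(token, now)
    if sess is None:
        return None
    del _sessions[_key(token)]
    sess.expires_at = now + SESSION_TTL
    fresh = secrets.token_urlsafe(32)
    _sessions[_key(fresh)] = sess
    return fresh
```

`now` is passed in explicitly so the expiry logic can be exercised without waiting; in a real handler it would be `time.time()`.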
