Do you consider session replication as a security risk?


Problem description

Do you consider session replication as a security risk? I mean if an attacker manages to hijack the session, he would still be able to use the same valid session, especially in scenarios where the session does not expire until one manually logs out. What recommendations would you give to prevent session replication?

Recommended answer

You could have a rolling Session ID - every so often (e.g. after a certain number of requests or a certain short time period), the system generates a new Session ID.

To prevent errors with race conditions due to one resource request causing a new Session ID to be generated, both the current and the previous Session IDs should be accepted during the rollover interval.

In essence, this will cause one of the valid sessions (either the attacker's or the victim's) to expire within their browser, as they are using the old Session ID and have not received the cookie containing the new ID.

You should display a message saying something along the lines of "You have been logged out as your account is used elsewhere". If this happens to be the attacker's machine, then great - you have prevented an attack. If this happens to be the victim's machine, at the very least they are aware that their session has been compromised and can take steps to inform the site owners.

If you also combine this with invalidating all existing sessions for the account upon user login, the victim user logging in again will kick the attacker out and the attacker will need to reacquire a valid Session ID. This should reduce the attack window significantly, allowing the system to remain secure while the Session ID leak is investigated and fixed.
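As an added illustration of the rolling-ID scheme described in this answer (example code written for this page, not code from the original poster): a minimal in-memory session store that rotates the Session ID after a fixed number of requests, keeps accepting the previous ID during a grace interval so a racing request is not broken, rejects it afterwards with the logout message, and invalidates every session for the account on login. The rotation threshold, the interval length and the `SessionStore` API are constructed for the example.

```python
import secrets

ROTATE_AFTER = 5   # requests served before a new Session ID is issued (constructed value)
GRACE = 30         # rollover interval in seconds during which the previous ID is still accepted
LOGGED_OUT_MSG = "You have been logged out as your account is used elsewhere"

class SessionStore:
    def __init__(self):
        self.sessions = {}   # current Session ID -> {'account', 'hits', 'prev', 'rotated_at'}
        self.previous = {}   # previous Session ID -> current Session ID (grace interval only)

    def login(self, account, now):
        # Invalidate every existing session for this account, then issue a fresh ID.
        for sid in [s for s, rec in self.sessions.items() if rec["account"] == account]:
            self._forget(sid)
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"account": account, "hits": 0, "prev": None, "rotated_at": now}
        return sid

    def _forget(self, sid):
        # Drop a current ID together with any previous ID that still maps to it.
        rec = self.sessions.pop(sid)
        if rec["prev"]:
            self.previous.pop(rec["prev"], None)
        return rec

    def _rotate(self, old, now):
        # Issue a new ID; only the immediately previous ID is honoured afterwards.
        rec = self._forget(old)
        new = secrets.token_urlsafe(32)
        rec.update(hits=0, prev=old, rotated_at=now)
        self.sessions[new] = rec
        self.previous[old] = new
        return new

    def request(self, sid, now):
        # Returns (account, Session ID to set in the cookie) or (None, LOGGED_OUT_MSG).
        rec = self.sessions.get(sid)
        if rec is not None:
            rec["hits"] += 1
            if rec["hits"] >= ROTATE_AFTER:
                return rec["account"], self._rotate(sid, now)
            return rec["account"], sid
        cur = self.previous.get(sid)
        if cur is not None and now - self.sessions[cur]["rotated_at"] <= GRACE:
            # A request raced the rotation: accept it and re-send the new ID.
            return self.sessions[cur]["account"], cur
        if cur is not None:
            # Past the interval: whoever still holds the old ID (attacker or victim) is out.
            self.previous.pop(sid, None)
            self.sessions[cur]["prev"] = None
        return None, LOGGED_OUT_MSG
```

A real deployment would back the two maps with the shared session store so that every node honours the same current/previous pair.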
