Prevent session cookie hijacking WITHOUT SSL

Views: 67

Problem description


To prevent session hijacking, I have tried to assign each user a specific cookie name derived from the following variables: User-Agent and IP address.

I have used the following function to generate the session cookie name which holds the session ID.

static function getSessionName(){
    // Derive the cookie name from a server-side secret plus the client's
    // User-Agent and IP address; @ silences notices if either value is missing.
    $id = @md5(base64_encode(self::$secretToken.$_SERVER["HTTP_USER_AGENT"].$_SERVER["REMOTE_ADDR"]));
    // A PHP session name must not be purely numeric, so rotate leading digits to the end.
    // $id{0} was the old string-offset syntax (removed in PHP 8); $id[0] is the current form.
    while(is_numeric($id[0])){
        $id = substr($id, 1).$id[0];
    }
    return $id;
}

It means that every user who visits my website will have a different session cookie name. It will block a hijacker from using somebody else's cookies, unless he/she changes his/her user agent to the victim's user agent and tries to appear online using the victim's IP address somehow, like using the user's internet modem, router, NAT, etc.

Let me explain it using an example. So, if two users use the same browser and connect from the same IP address, they get the same cookie name (assume f5e30acc605e938b097dee73c0272470).

Now, the script will look for the session ID inside a cookie named f5e30acc605e938b097dee73c0272470 on these two clients. In this condition, one of the clients can hijack the other's cookie. Same IP, same User-Agent and then same cookie name!

This method is good but not quite secure. Changing the user agent is not so difficult to do, and the victim and the hijacker may have equal IP addresses if they connect from public networks like coffee-shop networks, public hotspots, etc.

It's important to prevent the attacker from doing so, especially if we use a "Remember Me?" option to generate long-lasting session cookies.

Does anybody have a suggestion about this problem?

As I researched, one of the solutions was using SSL and secure cookies. But I'm looking for a solution without SSL usage.
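The following Python script is an added illustration, not code from the question or the answer: it re-implements the asker's PHP derivation (md5 of base64(secret + User-Agent + IP), rotated until the name starts with a letter) so the collision described above can be reproduced, and then shows an alternative in which the cookie name stays fixed and an HMAC of User-Agent + IP is stored alongside the session record and compared on each request. The secret token, the client names and their User-Agent/IP values are constructed for the example. The point it demonstrates is the one the question raises: two clients with the same browser build behind the same NAT are indistinguishable to both variants, because the check is built only from values the other party can also present.

```python
import base64
import hashlib
import hmac
from collections import defaultdict

# Constructed server-side secret for this example (the asker's self::$secretToken).
SECRET_TOKEN = "example-secret-token-not-for-production"


def session_cookie_name(secret: str, user_agent: str, remote_addr: str) -> str:
    """Reproduce the asker's derivation: md5(base64(secret . UA . IP)) as hex,
    with leading digits rotated to the end so the name starts with a letter
    (PHP's session_name() rejects purely numeric names)."""
    raw = (secret + user_agent + remote_addr).encode("utf-8")
    name = hashlib.md5(base64.b64encode(raw)).hexdigest()
    # The original while-loop would never terminate if every hex digit were
    # numeric; bound the rotation and fall back to a fixed letter in that case.
    for _ in range(len(name)):
        if not name[0].isdigit():
            break
        name = name[1:] + name[0]
    else:
        name = "s" + name[1:]
    return name


# Constructed sample clients: alice and bob run the same browser build behind
# the same public-hotspot NAT; carol uses a different browser on that NAT.
CLIENTS = {
    "alice": ("Mozilla/5.0 (X11; Linux x86_64) Firefox/1.0", "203.0.113.7"),
    "bob":   ("Mozilla/5.0 (X11; Linux x86_64) Firefox/1.0", "203.0.113.7"),
    "carol": ("Mozilla/5.0 (Windows NT 10.0) Chrome/1.0", "203.0.113.7"),
}


def group_by_cookie_name(secret: str, clients: dict) -> dict:
    """Map each derived cookie name to the clients that would share it.
    Any group with more than one member is the collision the question describes:
    those clients would read and write the same cookie name."""
    groups = defaultdict(list)
    for who, (ua, ip) in clients.items():
        groups[session_cookie_name(secret, ua, ip)].append(who)
    return dict(groups)


def fingerprint(secret: str, user_agent: str, remote_addr: str) -> str:
    """Server-side variant (not the asker's code): keep the cookie name fixed and
    store a keyed hash of UA + IP next to the session record at login time.
    A NUL separator prevents ambiguous concatenation of the two fields."""
    msg = (user_agent + "\0" + remote_addr).encode("utf-8")
    return hmac.new(secret.encode("utf-8"), msg, hashlib.sha256).hexdigest()


def request_matches_session(secret: str, stored_fp: str,
                            user_agent: str, remote_addr: str) -> bool:
    """On each request, recompute the fingerprint from the presented headers and
    compare in constant time. Identical UA + IP still matches, which is exactly
    the limitation the question and the answer point out."""
    presented = fingerprint(secret, user_agent, remote_addr)
    return hmac.compare_digest(stored_fp, presented)


if __name__ == "__main__":
    for name, members in group_by_cookie_name(SECRET_TOKEN, CLIENTS).items():
        print(f"{name}: {', '.join(members)}")
    alice_fp = fingerprint(SECRET_TOKEN, *CLIENTS["alice"])
    for who, (ua, ip) in CLIENTS.items():
        ok = request_matches_session(SECRET_TOKEN, alice_fp, ua, ip)
        print(f"request from {who} accepted as alice's session: {ok}")
```

Running the script shows alice and bob grouped under one cookie name while carol gets her own, and the fingerprint check accepting bob's request as alice's session. Neither variant authenticates the client; both only raise the cost of reuse for an attacker who does not already share the victim's browser string and address.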

Answer

If you are basing your scenario on the assumption that

1) the attacker can have the same IP address and 2) the attacker can pretend to have the same user agent, as they have access to any information transmitted over the net,

then there is no possible way for you to verify the identity of this cookie. This is because you have assumed in your assumptions that all this information is available.

You have two solutions: a) use SSL; b) trust that your users won't be in the same coffee shop as an attacker, that the IP address is valid, and that your site is not yet important enough to deserve a large-scale attack. What can they do yet - make offensive posts and spam? They could do that anyway with their own accounts.

From my experience and from what I have read, I agree with the statement that "premature optimization is [one of the greatest evils of programming]". Focus your time on building a site that works and is useful for people and then, if something starts to go wrong, think about getting an SSL certificate. You just don't have the money for the certificate, and you don't have the money because your site has not yet been successful (so do that first).

"Premature optimization" and paranoid security measures are temptations for programmers because we like to think of ourselves as working on large-scale, very important projects when we are not [yet].
