Are HTTP cookies port specific?


Question


I have two HTTP services running on one machine. I just want to know if they share their cookies or whether the browser distinguishes between the two server sockets.

Answer

The current cookie specification is RFC 6265, which replaces RFC 2109 and RFC 2965 (both RFCs are now marked as "Historic") and formalizes the syntax for real-world usages of cookies. It clearly states:

  1. Introduction

...

For historical reasons, cookies contain a number of security and privacy infelicities. For example, a server can indicate that a given cookie is intended for "secure" connections, but the Secure attribute does not provide integrity in the presence of an active network attacker. Similarly, cookies for a given host are shared across all the ports on that host, even though the usual "same-origin policy" used by web browsers isolates content retrieved via different ports.

And also:

8.5. Weak Confidentiality

Cookies do not provide isolation by port. If a cookie is readable by a service running on one port, the cookie is also readable by a service running on another port of the same server. If a cookie is writable by a service on one port, the cookie is also writable by a service running on another port of the same server. For this reason, servers SHOULD NOT both run mutually distrusting services on different ports of the same host and use cookies to store security sensitive information.
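To make the two quoted rules concrete, here is an added example that is not part of the original answer: a minimal cookie jar that follows the RFC 6265 storage and retrieval rules (domain match, path match, Secure), placed beside the browser's same-origin check. The host `app.example.test`, the ports 8443 and 9443, and the cookie `sid` are a constructed scenario; `CookieJar` and `sameOrigin` are this example's own names, not any browser API.

```javascript
// Added example: RFC 6265 cookie scope ignores the port, the same-origin policy does not.
// Simplified jar: Domain, Path and Secure are honoured; Expires/Max-Age/SameSite are ignored.

// RFC 6265 section 5.1.3: domain matching (suffix match, never for IP literals).
function domainMatches(requestHost, cookieDomain) {
  requestHost = requestHost.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase();
  if (requestHost === cookieDomain) return true;
  return requestHost.endsWith('.' + cookieDomain) &&
    !/^\d+\.\d+\.\d+\.\d+$/.test(requestHost);
}

// RFC 6265 section 5.1.4: path matching.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// RFC 6265 section 5.1.4: default-path when Set-Cookie carries no Path attribute.
function defaultPath(pathname) {
  if (!pathname.startsWith('/') || pathname === '/') return '/';
  const idx = pathname.lastIndexOf('/');
  return idx === 0 ? '/' : pathname.slice(0, idx);
}

class CookieJar {
  constructor() { this.cookies = []; }

  // Store one Set-Cookie header received in a response from originUrl (section 5.3, simplified).
  setCookie(originUrl, setCookieHeader) {
    const url = new URL(originUrl);
    const [nameValue, ...attrs] = setCookieHeader.split(';').map(s => s.trim());
    const eq = nameValue.indexOf('=');
    const cookie = {
      name: nameValue.slice(0, eq), value: nameValue.slice(eq + 1),
      domain: url.hostname, hostOnly: true,
      path: defaultPath(url.pathname), secure: false,
      // Deliberately no "port" field: the stored cookie has no notion of the port it came from.
    };
    for (const attr of attrs) {
      const [k, v = ''] = attr.split('=');
      switch (k.toLowerCase()) {
        case 'domain': cookie.domain = v.replace(/^\./, '').toLowerCase(); cookie.hostOnly = false; break;
        case 'path': if (v.startsWith('/')) cookie.path = v; break;
        case 'secure': cookie.secure = true; break;
      }
    }
    // A cookie with the same name/domain/path is replaced (section 5.3 step 11).
    this.cookies = this.cookies.filter(c =>
      !(c.name === cookie.name && c.domain === cookie.domain && c.path === cookie.path));
    this.cookies.push(cookie);
  }

  // Section 5.4: the Cookie header that would be sent with a request to requestUrl.
  cookiesFor(requestUrl) {
    const url = new URL(requestUrl);
    return this.cookies.filter(c =>
      (c.hostOnly ? url.hostname === c.domain : domainMatches(url.hostname, c.domain)) &&
      pathMatches(url.pathname, c.path) &&
      (!c.secure || url.protocol === 'https:')
    ).map(c => `${c.name}=${c.value}`);
  }
}

// The browser's same-origin policy, for contrast: scheme, host AND port must agree.
function sameOrigin(a, b) {
  const ua = new URL(a), ub = new URL(b);
  return ua.protocol === ub.protocol && ua.hostname === ub.hostname && ua.port === ub.port;
}

function demo() {
  const jar = new CookieJar();
  // Constructed scenario: an admin service on :8443 sets a session cookie...
  jar.setCookie('https://app.example.test:8443/admin/login', 'sid=s3cret; Path=/; Secure; HttpOnly');
  return {
    // ...which the jar also attaches to an unrelated service on :9443 of the same host,
    sentToOtherPort: jar.cookiesFor('https://app.example.test:9443/api/'),
    // although the same-origin policy treats the two ports as different origins,
    sameOrigin: sameOrigin('https://app.example.test:8443/', 'https://app.example.test:9443/'),
    // a Secure cookie is still withheld from plain http on any port,
    sentToHttp: jar.cookiesFor('http://app.example.test:8080/'),
    // and a host-only cookie is not sent to a sibling host.
    sentToSibling: jar.cookiesFor('https://other.example.test:8443/'),
  };
}

if (typeof require !== 'undefined' && require.main === module) console.log(demo());
```

Run it with `node` and `sentToOtherPort` comes back as `['sid=s3cret']` while `sameOrigin` is `false`: that asymmetry is exactly the section 8.5 warning, and the practical consequence is that a service on port 9443 you do not trust can both read and overwrite the session cookie of the service on port 8443. If two services must share a host, give them different hostnames rather than different ports, or keep anything security-sensitive out of cookies entirely.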
