Login/session cookies, Ajax and security


Problem description


I'm trying to determine the most secure method for an ajax based login form to authenticate and set a client side cookie. I've seen things about XSS attacks such as this:

http://stackoverflow.com/questions/27972/are-httponly-cookies-a-viable-option-for-an-ajax-website

and

http://www.codinghorror.com/blog/archives/001167.html

So, I guess my core questions are...

1) Is using pure ajax to set cookies secure, if so, what is the most secure method (httpOnly + SSL + encrypted values, etc.)?

2) Does a pure ajax method involve setting the cookie client side? Is this at all secure?

3) Is setting cookies this way reliable across all major browsers/OSs?

4) Would using a hidden IFrame be any more secure (calling a web page to set the cookies)?

5) If possible, does anybody have code for this (PHP is my backend)?

My goal is to set the cookies and have them available for the next call to the server without navigating away from the page.

I really want to nail down the consensus, most secure way to do this. Eventually, this code is planned to be made Open Source, so please no commercial code (or nothing that wouldn't stand up to public scrutiny)

Thanks, -Todd

Solution

  1. The cookie needs to be generated server-side because the session binds the client to the server, and therefore the token exchange must go from server to client at some stage. It would not really be useful to generate the cookie client-side, because the client is the untrusted remote machine.

    It is possible to have the cookie set during an AJAX call. To the server (and the network) an AJAX call is simply an HTTP call, and any HTTP response by the server can set a cookie. So yes, it is possible to initiate a session in response to an AJAX call, and the cookie will be stored by the client as normal.

    So, you can use AJAX to do the logging in process in the same way as you could have just relied on a POST from a form on the page. The server will see them the same way, and if the server sets a cookie the browser will store it.

    Basically, client-side Javascript never needs to be able to know the value of the cookie (and it is better for security if it doesn't, which can be achieved using the "httponly" cookie extension honored by recent browsers). Note that further HTTP calls from the client to the server, whether they are normal page requests or they are AJAX requests, will include that cookie automatically, even if it's marked httponly and the browser honors that extension. Your script does not need to be 'aware' of the cookie.

    You mentioned using HTTPS (HTTP over SSL) - that prevents others from being able to read information in transit or impersonate the server, so it's very handy for preventing plain text transmission of the password or other important information. It can also help guard against network based attacks, though it does not make you immune to everything that CSRF can throw at you, and it does not at all protect you against the likes of session fixation or XSS. So I would avoid thinking of HTTPS as a fix-all if you use it: you still need to be vigilant about cross-site scripting and cross-site request forgery.

  2. (see 1. I sort of combined them)

  3. Given that the cookie is set by the server in its HTTP response headers, yes it is reliable. However, to make it cross-browser compatible you still need to ensure logging in is possible when AJAX is unavailable. This may require implementing an alternative that is seen only when there is no Javascript or if AJAX isn't available. (Note: now in 2014, you don't need to worry about browser support for AJAX anymore).

  4. It would not change the security. There would be no need for it, except that I have seen hidden iframes used before to 'simulate' AJAX - i.e. make asynchronous calls to the server. Basically, however you do it doesn't matter, it's the server setting the cookie, and the client will accept and return the cookie whether it does it by AJAX or not.

For the most part, whether you use AJAX or not does not affect the security all that much as all the real security happens on the server side, and to the server an AJAX call is just like a non-AJAX call: not to be trusted. Therefore you'll need to be aware of issues such as session fixation and login CSRF as well as issues affecting the session as a whole like CSRF and XSS just as much as you would if you were using no AJAX. The issues don't really change when using AJAX except, I guess, that you may make more mistakes with a technology if you're less familiar with it or it's more complicated.

Answer updated September 2014
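The points in the answer above (the server, not the client, mints the session cookie; the login POST is handled identically whether it came from an XMLHttpRequest or a form; the cookie is marked HttpOnly so script never reads it; and session fixation must be handled at login) can be shown in a small server-side handler. The following is an added example and not code from the question or the answer; the asker's backend is PHP, but the handler is written here in Python as pure functions so it can be exercised without a running web server. The `USERS` entry, the fixed salt and the in-memory `SESSIONS` dict are constructed stand-ins for a real user table and session store.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

# Constructed sample data: one user whose password is stored as a salted
# PBKDF2 hash. (A real deployment uses a random per-user salt; the fixed
# salt here only keeps the example self-contained.)
_SALT = b"constructed-example-salt"


def _hash_password(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), _SALT, 100_000)


USERS = {"todd": _hash_password("correct horse battery")}

# In-memory session table: session id -> username. This stands in for the
# server-side session store (e.g. PHP's session handler). It never leaves the
# server; the client only ever holds the opaque id.
SESSIONS = {}


def verify_password(username, password):
    """Constant-time comparison against the stored hash. Unknown users still
    pay the hashing cost so timing does not reveal whether the name exists."""
    stored = USERS.get(username)
    candidate = _hash_password(password)
    return stored is not None and hmac.compare_digest(stored, candidate)


def parse_cookie_header(header):
    """Parse a request's Cookie: header into a {name: value} dict."""
    jar = SimpleCookie()
    jar.load(header or "")
    return {name: morsel.value for name, morsel in jar.items()}


def handle_login(form, request_cookie_header=""):
    """Handle POST /login. Returns (status, headers, body).

    Whether the POST came from XMLHttpRequest/fetch or from a plain HTML
    form makes no difference here: the server checks the credentials and,
    on success, issues a fresh session id in a Set-Cookie header. The
    browser stores that cookie and attaches it to later requests on its
    own; script never needs to read it."""
    username = form.get("username", "")
    if not verify_password(username, form.get("password", "")):
        return 401, {"Content-Type": "application/json"}, '{"ok": false}'

    # Session fixation defence: never adopt an id the client already
    # presented. Drop any pre-login session and mint a new random id.
    old_sid = parse_cookie_header(request_cookie_header).get("sid")
    SESSIONS.pop(old_sid, None)
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = username

    jar = SimpleCookie()
    jar["sid"] = sid
    jar["sid"]["path"] = "/"
    jar["sid"]["httponly"] = True      # hidden from document.cookie (limits XSS cookie theft)
    jar["sid"]["secure"] = True        # only sent over HTTPS
    jar["sid"]["samesite"] = "Strict"  # not attached to cross-site requests (CSRF)
    headers = {
        "Content-Type": "application/json",
        "Set-Cookie": jar.output(header="").strip(),
    }
    return 200, headers, '{"ok": true}'


def current_user(request_cookie_header):
    """Resolve the user for a later request (AJAX or not) from its cookie."""
    sid = parse_cookie_header(request_cookie_header).get("sid")
    return SESSIONS.get(sid)


if __name__ == "__main__":
    status, headers, body = handle_login({"username": "todd", "password": "correct horse battery"})
    print(status, headers["Set-Cookie"])
    # The browser would echo the cookie back on the next request; simulate that.
    print(current_user(headers["Set-Cookie"].split(";")[0]))
```

On the client side nothing cookie-specific is needed: a `fetch("/login", {method: "POST", body: ..., credentials: "same-origin"})` receives the `Set-Cookie` response, and the browser attaches the cookie to every later same-origin request by itself. `SameSite=Strict` is an assumption added here as a CSRF mitigation beyond what the answer discusses; note that it does not replace a CSRF token for sites that must accept cross-site navigations.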
