Security of Cookie-based sessions


Problem description

I need some clarity around how cookie-based sessions work. I'm building an app where I authenticate a user and, upon successful authentication, I stick a GUID identifying his user into the session, which in turn gets persisted as a cookie. Now when a user logs in, what's to prevent someone from sniffing traffic, stealing the contents of the user's cookie, creating a cookie on their own end and logging in to my site as that person? Another scenario could be if I had physical access to a machine where the person was logged in: I could also steal the contents of the cookie and impersonate the user.

Solution

What's to prevent someone from sniffing traffic, stealing the contents of the user's cookie, creating a cookie on their own end and logging in to my site as that person?

SSL - the only way to stop that is to run your web site on HTTPS.

I had physical access to a machine where the person was logged in

Once you have physical access to a machine all your security methods are moot. You can do nothing about this.
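As an added illustration (not code from the question or the answer), here is a minimal server-side session handler in Python that follows the answer's advice: the cookie carries only a random, unguessable session id (the "GUID" of the question, but generated from a CSPRNG), the Set-Cookie header marks it Secure so the browser never sends it over plaintext HTTP, and the server refuses a session id that arrives over a non-TLS connection. The function names and the in-memory `_sessions` store are my own assumptions.

```python
import secrets
from http.cookies import SimpleCookie
from typing import Dict, Optional

SESSION_COOKIE = "sid"
# Server-side store: opaque session id -> user id. The cookie holds only
# this random id; user data never leaves the server. (In-memory for the
# example; a real deployment would use a shared store with expiry.)
_sessions: Dict[str, str] = {}


def create_session(user_id: str) -> str:
    """Mint a 256-bit random session id and bind it to the user server-side."""
    sid = secrets.token_urlsafe(32)  # not a sequential or predictable id
    _sessions[sid] = user_id
    return sid


def session_set_cookie_header(sid: str, max_age: int = 3600) -> str:
    """Build the Set-Cookie value for the session id.

    Secure   -> browser only sends the cookie over HTTPS (the answer's point:
                without TLS the id is readable by anyone on the path).
    HttpOnly -> page scripts cannot read the cookie value.
    SameSite -> cookie is not attached to cross-site requests.
    """
    c = SimpleCookie()
    c[SESSION_COOKIE] = sid
    c[SESSION_COOKIE]["secure"] = True
    c[SESSION_COOKIE]["httponly"] = True
    c[SESSION_COOKIE]["samesite"] = "Lax"
    c[SESSION_COOKIE]["max-age"] = max_age
    c[SESSION_COOKIE]["path"] = "/"
    return c.output(header="").strip()


def user_for_request(cookie_header: str, is_https: bool) -> Optional[str]:
    """Resolve the user for a request, or None if there is no valid session."""
    if not is_https:
        # A session id presented in cleartext is not trusted: it may already
        # have been observed on the wire, so it must not grant access.
        return None
    c = SimpleCookie()
    c.load(cookie_header)
    if SESSION_COOKIE not in c:
        return None
    return _sessions.get(c[SESSION_COOKIE].value)


def logout(sid: str) -> None:
    """Invalidate the session server-side; the cookie value alone is then useless."""
    _sessions.pop(sid, None)
```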
