基于Cookie的会话的安全性 [英] Security of Cookie-based sessions
问题描述
我需要清楚说明基于Cookie的会话如何工作。我正在构建一个应用程序,其中我验证用户和成功的身份验证,我坚持GUID标识他的用户进入会话,反过来被持久化为一个cookie。现在,当用户登录时,什么可以阻止某人嗅探流量,窃取用户Cookie的内容并在自己的端创建Cookie并以该人身份登录我的网站?另一种情况可能是,如果我可以物理访问一个机器的人登录,我也可以窃取cookie的内容和冒充为用户。
如何防止某人嗅探流量,窃取用户Cookie的内容并在自己的端创建Cookie并以该人身份登录我的网站? p>
SSL - 停止的唯一方法是在HTTPS上运行您的网站。
一旦您拥有对机器的物理访问权限,所有的安全方法都无效。你可以不做任何事情。
I need some clarity around how cookie-based sessions work. I'm building an app where I authenticate a user and upon successful authentication, I stick a GUID identifying his user into the session, which in turn gets persisted as a cookie. Now when a user logs in, whats to prevent someone from sniffing traffic, stealing the contents of the user's cookie and creating a cookie on their own end and login to my site as that person? Another scenario could be if I had physical access to a machine where the person was logged in, I could also steal the contents of the cookie and impersonate as the user.
Whats to prevent someone from sniffing traffic, stealing the contents of the user's cookie and creating a cookie on their own end and login to my site as that person?
SSL - the only way to stop that is to run your web site on HTTPS.
I had physical access to a machine where the person was logged in
Once you have physical access to a machine all your security methods are moot. You can do nothing about this.
这篇关于基于Cookie的会话的安全性的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!