Rails 4 Encrypted Cookie Replay Attack

Views: 213

Problem description


I upgraded to Rails 4 recently and switched to encrypted cookies as session storage. Unfortunately this seems to mean that replay attacks are possible, i.e. if a user logs out, any cookies are not invalidated and can be used to authenticate without user/pass. As far as I can tell this is a flaw in how encrypted cookies work (if I'm wrong please enlighten me!), so my question is: is there an accepted solution to preventing replay attacks using encrypted cookies?

Recommended answer


After some research and some tinkering, I have come up with the following solution.

  • When the user logs in, create a random secret (random in the sense that subsequent secrets should have a low probability of matching).
  • Store that secret in the session, i.e. in the cookie, as well as server side; I'm using the Dalli gem to provide memcached functionality.
  • On a request for a page that requires authentication, read the secret from the cookie, and make sure it exists server side.
  • On logout, delete the secret from the cache, so any subsequent requests using the same cookies will be invalidated.


As long as the cookies cannot be tampered with, then this should be secure. Any thoughts/comments are welcome.
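The four steps of the answer above, as an added, self-contained Ruby example that is not the answerer's code. It makes two assumptions so that it runs offline: a plain Hash stands in for the memcached store the answer reaches through Dalli (same get/set/delete shape), and a small AES-256-GCM cookie jar with a constructed key stands in for Rails' encrypted cookie jar. The walk-through at the end shows the replay the question describes (a cookie copied before logout and presented again) being rejected, and a tampered cookie being rejected by the integrity check the answer relies on.

```ruby
require 'securerandom'
require 'openssl'
require 'json'
require 'base64'

# Minimal stand-in for Rails' encrypted cookie jar (assumption, not Rails code):
# AES-256-GCM gives confidentiality and integrity, so a modified cookie fails
# to decrypt instead of yielding an attacker-chosen session.
class EncryptedCookieJar
  IV_LEN  = 12
  TAG_LEN = 16

  def initialize(key)
    @key = key # 32 bytes; constructed for the example, not a real secret_key_base
  end

  def seal(session_hash)
    cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
    cipher.key = @key
    iv = cipher.random_iv
    cipher.auth_data = ''
    ciphertext = cipher.update(JSON.generate(session_hash)) + cipher.final
    Base64.strict_encode64(iv + ciphertext + cipher.auth_tag)
  end

  # Returns the session hash, or nil when the cookie is garbage or tampered.
  def unseal(cookie)
    raw = Base64.strict_decode64(cookie)
    return nil if raw.bytesize <= IV_LEN + TAG_LEN
    cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
    cipher.key = @key
    cipher.iv = raw[0, IV_LEN]
    cipher.auth_tag = raw[-TAG_LEN..]
    cipher.auth_data = ''
    JSON.parse(cipher.update(raw[IV_LEN...-TAG_LEN]) + cipher.final)
  rescue OpenSSL::Cipher::CipherError, ArgumentError, JSON::ParserError
    nil
  end
end

# The answer's scheme: mint a secret at login, keep it in the cookie and in the
# server-side store, check it on every authenticated request, delete it at logout.
class SessionAuth
  # store: anything with []=, [] and delete; a Hash here, Dalli::Client in practice.
  def initialize(jar, store)
    @jar = jar
    @store = store
  end

  # Steps 1 and 2: returns the cookie value the browser would be handed.
  def login(user_id)
    secret = SecureRandom.hex(32) # 256 random bits; repeat values are negligible
    @store["session_secret:#{secret}"] = user_id
    @jar.seal('user_id' => user_id, 'secret' => secret)
  end

  # Step 3: returns the user id, or nil if the cookie is invalid or revoked.
  def current_user(cookie)
    session = @jar.unseal(cookie)
    return nil unless session && session['secret']
    user_id = @store["session_secret:#{session['secret']}"]
    return nil unless user_id && user_id == session['user_id']
    user_id
  end

  # Step 4: revoke this session's secret; a replayed copy of the cookie is now dead.
  def logout(cookie)
    session = @jar.unseal(cookie)
    @store.delete("session_secret:#{session['secret']}") if session
  end
end

# Replay walk-through: a copy of the cookie is kept, the user logs out, the copy
# is presented again. Returns [user before logout, user after logout, user from
# a tampered cookie]; expected [42, nil, nil].
def replay_demo
  auth = SessionAuth.new(EncryptedCookieJar.new(OpenSSL::Random.random_bytes(32)), {})
  cookie = auth.login(42)
  captured = cookie.dup # copied while the session is still valid
  before_logout = auth.current_user(cookie)
  auth.logout(cookie)
  after_logout = auth.current_user(captured)
  # Flip one ciphertext byte: the GCM tag no longer verifies, so unseal returns nil.
  raw = Base64.strict_decode64(captured)
  raw.setbyte(20, raw.getbyte(20) ^ 0x01)
  tampered = auth.current_user(Base64.strict_encode64(raw))
  [before_logout, after_logout, tampered]
end
```

Keying the store by the secret (rather than by user id) means logout revokes only the session that logged out; revoking every session of a user is a matter of deleting all of that user's keys instead. Because the secret is looked up server side on each request, a lost memcached entry simply logs the user out rather than letting the cookie through.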

