在每次请求时发送Cookie以识别用户? [英] Send Cookie on every request to identify user?
问题描述
我已经实现了这可以照顾登录过程,还可以这个例子来保护我的服务免受XSRF攻击。
我有以下疑问:
- 如果我打开SSL,是之前发送的Cookie,建立?
- 是否保存每次请求时发送cookie以识别用户?例如。如果用户想要查看他的 / 她的设置,以确保它不是一个假的请求尝试从另一个用户检索设置。是否清楚我的意思是什么?
我将在每个请求上发送会话ID,将其与我的数据库中的会话ID进行比较,如果请求令牌(XSRF securiy)很好,我执行请求 - 或者是开销太大吗?
我仍然不太确定如果我在这里做的是100%正确,我想确保我没有不必要的
在HTTP请求发送之前建立SSL或TLS连接
我不确定我是否理解您的第二个问题,但很多网络应用程序使用基于Cookie的身份验证来识别用户。由于Cookie会自动发送到网站,因此您必须保护自己免受 CSRF 攻击。
I'm not getting my head around the whole session-management thing.
I've now implemented this to take care for the login process and also this example to protect my services from XSRF attacks.
But now that I'm having it I wonder:
- If I turn on SSL, is the cookie sent before a secure connection is built up? So is this session ID (the cookie) ever secure?
- Is it save to send the cookie on each request to identify the user? E.g. if a user wants to view his/her settings, to make sure it's not a fake request that tries to retrieve the settings from another user. Is it clear what I mean by that?
I would send the session ID on each request, compare it to the session ID in my database and if the request-token (XSRF securiy) is fine I execute the request - or is that too much overhead?
I'm still not quite confident if what I'm doing here is 100% correct and I want to make sure that I don't unnecessarily break any security measures I've spent time implementing.
SSL or TLS connections are established before the HTTP request is sent over the wire, so data in the request is encrypted.
I'm not sure I understand your second question, but a lot of web applications use cookie based authentication to identify the user. As cookies are automatically sent to the website, you have to protect yourself against CSRF attacks.
这篇关于在每次请求时发送Cookie以识别用户?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
