User able to log into the site with existing cookie values

Views: 89

Problem description

User able to log into the site with stolen cookies after logout.

What I have tried:

User able to log into the site with stolen cookies after logout.

Response.cookies.clear()

Recommended answers

Make sure your site is only ever served over HTTPS. (You can almost certainly use a free certificate from Let's Encrypt.)

Make sure all of your authentication cookies have both the "Secure" and "HTTP Only" flags set. If possible, set the SameSite flag as well.

Now your cookies can't be stolen unless either your server or the user's computer has been seriously compromised (in which case, you have bigger problems to worry about).
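The cookie attributes this answer recommends, as an added Python example (standard library only; this is not code from the answer or from the ASP.NET application in the question): build_session_cookie emits a Set-Cookie header value with Secure, HttpOnly and SameSite set, and audit_set_cookie checks any Set-Cookie value for the attributes that are missing, which is the check you would run against your own responses. The cookie name sid, the values and the sample headers are constructed for the example.

```python
from http.cookies import SimpleCookie

# Attributes the answer asks for on every authentication cookie.
REQUIRED_FLAGS = ("secure", "httponly")


def build_session_cookie(name, value, max_age=None):
    """Return a Set-Cookie header value with Secure, HttpOnly and SameSite=Lax set.

    Secure keeps the browser from sending the cookie over plain HTTP, HttpOnly
    keeps page scripts from reading it, and SameSite=Lax keeps other sites from
    sending it on cross-site requests.
    """
    jar = SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["secure"] = True
    morsel["httponly"] = True
    morsel["samesite"] = "Lax"
    morsel["path"] = "/"
    if max_age is not None:
        morsel["max-age"] = max_age
    return morsel.OutputString()


def audit_set_cookie(header):
    """Return the problems found in one Set-Cookie header value.

    Each entry is the name of a missing attribute, or "samesite=None" when the
    attribute is present but explicitly disables same-site protection.
    """
    attrs = {}
    for part in header.split(";")[1:]:          # skip the name=value pair
        key, _, val = part.strip().partition("=")
        attrs[key.lower()] = val.strip()
    problems = [flag for flag in REQUIRED_FLAGS if flag not in attrs]
    if "samesite" not in attrs:
        problems.append("samesite")
    elif attrs["samesite"].lower() == "none":
        problems.append("samesite=None")
    return problems


def audit_headers(headers):
    """Audit several Set-Cookie values; returns {cookie name: problems}."""
    report = {}
    for header in headers:
        name = header.split("=", 1)[0].strip()
        report[name] = audit_set_cookie(header)
    return report


# Constructed sample: one hardened cookie and two the answer would reject.
SAMPLE_HEADERS = [
    build_session_cookie("sid", "k3ZpM9xQ", max_age=3600),
    "legacy_auth=42; Path=/",                      # no flags at all
    "tracker=abc; Secure; SameSite=None; Path=/",  # HttpOnly missing, SameSite disabled
]

if __name__ == "__main__":
    for name, problems in audit_headers(SAMPLE_HEADERS).items():
        print(f"{name}: {'ok' if not problems else ', '.join(problems)}")
```

The audit treats SameSite=None as a finding because it switches the protection off rather than setting it; whether Lax or Strict is right for a given site depends on which cross-site flows it needs.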


Don't directly use user or login information within the cookie.

There are a few methods you could use. You could encrypt the information with the SessionID, and upon logout do a Session.Clear() command to reset the SessionID and therefore break the decryption/validation process.

Another alternative would be to assign a unique "token" on login and retain that within Session or persist it to the database; and then validate what is sent back against that session or db. Upon logout you delete that "token" or expire it.


There's not much you can do to stop this; the solution is to stop the cookies being stolen in the first place.

You can add a random ID to the cookie and store that ID against the user in the database, and when that user logs out you can clear the value, and when they log in generate a new ID. That way if the cookies are stolen they'll have the wrong ID, but if the cookies are stolen while the ID is still valid then that solution won't help. Implementing these things often results in your users having their accounts locked out because they left their browser idle rather than logging out.
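The server-side token that both of the preceding answers describe (issue a random value at login, look it up on every request, delete it at logout), together with the idle timeout the last answer warns about, as an added Python example; this is not code from either answer. The in-memory dict stands in for the database column the answers mention, IDLE_TIMEOUT is an assumed value, and replay_scenario is a constructed walk-through showing that a copied cookie still works until the user logs out and is rejected afterwards, which is exactly the limitation the last answer points out.

```python
import hashlib
import secrets
import time

# Assumed idle limit; the last answer's warning is that this is what locks out
# users who walk away from the browser instead of logging out.
IDLE_TIMEOUT = 30 * 60  # seconds

# Stand-in for the database column the answers describe: token digest -> record.
_sessions = {}


def _digest(token):
    # Store only a hash of the token so a leaked session table cannot be
    # replayed as cookies; the lookup key is recomputed from the presented value.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def login(user, now=None):
    """Issue a fresh random token for this login; it is the only thing the cookie holds."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
    _sessions[_digest(token)] = {"user": user, "last_seen": now}
    return token


def validate(token, now=None):
    """Return the user a presented cookie value belongs to, or None if it is not accepted."""
    now = time.time() if now is None else now
    key = _digest(token)
    record = _sessions.get(key)
    if record is None:
        return None                            # unknown, logged out, or already expired
    if now - record["last_seen"] > IDLE_TIMEOUT:
        del _sessions[key]                     # idle too long: treat like a logout
        return None
    record["last_seen"] = now
    return record["user"]


def logout(token):
    """Invalidate server-side, so a copied cookie value is worthless from now on."""
    _sessions.pop(_digest(token), None)


def replay_scenario():
    """Constructed walk-through of the attack in the question; returns what each step yields."""
    t0 = 1_700_000_000.0                       # fixed clock so the run is reproducible
    cookie = login("alice", now=t0)
    stolen = cookie                            # attacker copies the cookie value
    outcome = {}
    # The raw token never appears in the store, only its digest does.
    outcome["token_stored_hashed"] = stolen not in _sessions and _digest(stolen) in _sessions
    outcome["replay_before_logout"] = validate(stolen, now=t0 + 5)    # still valid: "alice"
    logout(cookie)                                                     # user logs out
    outcome["replay_after_logout"] = validate(stolen, now=t0 + 10)    # rejected: None
    idle = login("bob", now=t0)
    outcome["idle_expired"] = validate(idle, now=t0 + IDLE_TIMEOUT + 1)  # None
    return outcome


if __name__ == "__main__":
    for name, result in replay_scenario().items():
        print(f"{name}: {result!r}")
```

Because validation goes through the server-side record, clearing that record is what ends the session; nothing the client does or fails to do with the cookie matters. The cost is the state to keep and the idle expiry, which is the trade-off the last answer describes.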

