How to protect a web application from a cookie-stealing attack?


Question

My web application's authentication mechanism currently is quite simple.

When a user logs in, the website sends back a session cookie which is stored (using localStorage) on the user's browser.

However, this cookie can too easily be stolen and used to replay the session from another machine. I notice that other sites, like Gmail for example, have much stronger mechanisms in place to ensure that just copying a cookie won't allow you access to that session.

What are these mechanisms and are there ways for small companies or single developers to use them as well?

Recommended answer

We ran into a similar issue. How do you store client-side data securely?

We ended up going with an HttpOnly cookie that contains a UUID and an additional copy of that UUID (stored in localStorage). On every request, the user has to send both the UUID and the cookie back to the server, and the server will verify that the UUIDs match. I think this is how OWASP's double submit cookie works.

Essentially, the attacker needs to access the cookie and localStorage.

