Is regenerating the session id after login a good practice?

Views: 330

Question

I'm wondering if regenerating the session id after a successful login is really a good practice and not just a sort of cargo cult behavior.

If I understand the theory correctly, it should prevent session hijacking (or at least make it harder), but I can't really see, if someone could steal the pre-login session, what would stop the phisher from doing it again with the regenerated one.

I'm not focusing on Spring (I don't even use Java currently); I'm interested in the pros and cons.

Accepted answer

You regenerate to prevent session hijacking when the pre-login is http and the post-login is https. That is what stops the attacker doing it again with the regenerated one.

It is relatively easy to steal a session identifier for an http session, assuming you are near the victim, or in the path somewhere, or have phished, etc.; and if this session identifier is also viable in the encrypted session, it can make the attacker's job quite easy.
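The following Python sketch is an added illustration of the point made in the answer; it is not code from the original question or answer. It models an in-memory session store in which an anonymous session is created over plain http, an attacker copies that cookie off the wire, and the user then logs in. With regeneration, the pre-login id is deleted and the attacker's copy resolves to nothing; without it, the stolen id is silently promoted to an authenticated session. The post-login cookie is emitted with the `Secure` flag, which is what keeps the fresh id off the unencrypted channel where the first one was sniffed. All names (`SessionStore`, `demo`, the `sessionid` cookie name) are assumptions chosen for this example.

```python
"""Session-id regeneration on login, demonstrated against an in-memory store.

Constructed example: nothing here talks to a network; the 'attacker' is just a
second reference to the pre-login session id.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Session:
    user: Optional[str] = None            # None while anonymous
    data: dict = field(default_factory=dict)


class SessionStore:
    """Minimal server-side store keyed by an unguessable session id."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def _new_id() -> str:
        # 32 random bytes from the OS CSPRNG, URL-safe encoded.
        return secrets.token_urlsafe(32)

    def create(self) -> str:
        sid = self._new_id()
        self._sessions[sid] = Session()
        return sid

    def get(self, sid: str) -> Optional[Session]:
        return self._sessions.get(sid)

    def login(self, sid: str, user: str, regenerate: bool = True) -> str:
        """Authenticate the session and return the id the client must use next.

        regenerate=True  : issue a fresh id, carry over pre-login data, and
                           invalidate the old id so any copy of it is dead.
        regenerate=False : the weak behaviour, kept only to show the difference.
        """
        old = self._sessions.get(sid)
        if old is None:
            raise KeyError("unknown session id")
        if not regenerate:
            old.user = user
            return sid
        new_sid = self._new_id()
        self._sessions[new_sid] = Session(user=user, data=dict(old.data))
        del self._sessions[sid]               # stolen pre-login id is now useless
        return new_sid


def set_cookie_header(sid: str, secure: bool) -> str:
    """Build the Set-Cookie line; Secure keeps the id off plain http."""
    attrs = ["sessionid=" + sid, "Path=/", "HttpOnly", "SameSite=Lax"]
    if secure:
        attrs.append("Secure")
    return "Set-Cookie: " + "; ".join(attrs)


def hijack_attempt(store: SessionStore, stolen_sid: str) -> Optional[str]:
    """What the attacker gets by replaying a stolen id: a username or nothing."""
    session = store.get(stolen_sid)
    return session.user if session else None


def demo(regenerate: bool) -> dict:
    store = SessionStore()
    pre_login_sid = store.create()                    # anonymous, over http
    store.get(pre_login_sid).data["cart"] = ["item-1"]
    stolen = pre_login_sid                            # attacker sniffs the cookie
    post_login_sid = store.login(pre_login_sid, "alice", regenerate=regenerate)
    return {
        "attacker_sees": hijack_attempt(store, stolen),
        "sid_changed": post_login_sid != pre_login_sid,
        "cart_preserved": store.get(post_login_sid).data.get("cart"),
        "post_cookie": set_cookie_header(post_login_sid, secure=True),
    }


if __name__ == "__main__":
    print("with regeneration   :", demo(True)["attacker_sees"])    # None
    print("without regeneration:", demo(False)["attacker_sees"])   # alice
```

Two details matter in practice: the old id is deleted server-side rather than merely replaced in the cookie, and pre-login state (the cart here) is copied across so regeneration is invisible to the legitimate user.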
