我如何通过简单地将cookie从计算机复制到另一个来防止会话劫持? [英] How do I prevent session hijacking by simply copy a cookie from machine to another?
问题描述
大多数Web应用程序都使用cookie来管理用户的会话,即使浏览器已关闭也允许您保持登录状态。
Most Web Applications use cookies to manage the session for a user and allow you to stay logged in even if the browser was closed.
假装我们在其中进行了所有操作
Lets pretend we did everything in the book to make sure the cookie itself is save.
- 加密内容
- 仅设置http
- 设置安全
- ssl用于连接
- 我们检查是否篡改了内容cookie
- encrypt the content
- set http only
- set secure
- ssl is used for the connection
- we check for tampering with the content of the cookie
是否可以防止具有物理访问权限的人复制该cookie并将其在另一台计算机上重复使用,从而窃取该cookie
Is it possible to prevent someone with physical access to the machine to copy the cookie and reuse it on another machine and thus stealing the session?
推荐答案
使用cookie验证会话的固有风险是:cookie是不记名令牌,任何可以提供cookie已通过身份验证。
This risk is inherent in using cookies to authenticate sessions: the cookie is a bearer token, anyone who can present the cookie is authenticated.
这就是为什么您看到其他保护措施的原因,例如:
This is why you see further protections such as:
- 在一定时间或闲置一段时间后自动注销;
- 设备指纹识别;
- 需要对关键操作进行重新认证(例如进行银行转帐或更改密码)。
- automatic log out after a certain amount of time, or period of inactivity;
- device fingerprinting;
- requiring re-authentication for critical actions (e.g. making a bank transfer or changing your password).
这篇关于我如何通过简单地将cookie从计算机复制到另一个来防止会话劫持?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
