Django - sessionid cookie - Is this a security failure?

Problem description
In order to see this possible error you need to open two browsers and some plug-in to get/set cookies.

If you create a new project in Django 1.7 and access the admin site (/admin), log in successfully in the first browser, get the sessionid and csrftoken cookies and set them into the second browser's login page and submit a random user and password, you obtain a CSRF error, and if you go back in the browser you are logged in.

How can I avoid this?
I suppose you can obtain the same result just by copying the sessionid cookie to another browser and navigating to /admin. You don't need csrftoken to reproduce this issue. It's called sessionid stealing, and all frameworks I know are vulnerable to this type of attack.

To avoid it, set SESSION_COOKIE_SECURE = True (default False) to protect your sessionid cookie from man-in-the-middle attacks. You will also need to install an SSL certificate on your production server. Then configure it to redirect all http:// requests to https://. The S in https stands for secure; this means all traffic between client and server is encrypted, and no one between client and server (client's ISP, server's hosting provider, proxies, etc.) can read any data that is sent, including the session cookie value.

And use SESSION_COOKIE_HTTPONLY = True (default) to protect the session cookie from stealing via XSS. HTTPONLY means that this cookie will be sent with each HTTP request, but won't be accessible from the client's browser via JavaScript. So if some malware JavaScript managed to run in the client browser, it will not have access to the session cookie anyway.

A good tutorial on configuring a secure Django server can be found here: https://security.stackexchange.com/a/8970
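The two settings named in the answer above, shown as a small audit of a settings module together with the `Set-Cookie` header each configuration ends up producing. This is an added example, not Django's own code or code from the answer: the setting names `SESSION_COOKIE_SECURE`, `SESSION_COOKIE_HTTPONLY` and `SESSION_COOKIE_NAME` are real Django settings, while `audit_session_settings`, `session_set_cookie_header`, the `DEFAULTS` table and the sample settings dicts are constructed for this example.

```python
# Added example: checks Django session-cookie settings against the advice in the
# answer (SESSION_COOKIE_SECURE and SESSION_COOKIE_HTTPONLY) and renders the
# resulting Set-Cookie header with the standard library, so the effect of each
# flag is visible without running Django. Function names and sample settings
# are constructed for this example; the setting names are Django's.
from http.cookies import SimpleCookie

# Django 1.7 defaults as described in the answer: SECURE is off, HTTPONLY is on.
# (Constructed table, not imported from Django.)
DEFAULTS = {
    "SESSION_COOKIE_NAME": "sessionid",
    "SESSION_COOKIE_SECURE": False,
    "SESSION_COOKIE_HTTPONLY": True,
}

# Sample settings modules, represented as dicts (constructed).
DEV_SETTINGS = {}  # everything at the defaults
HARDENED_SETTINGS = {
    "SESSION_COOKIE_SECURE": True,    # only sent over https://
    "SESSION_COOKIE_HTTPONLY": True,  # not readable by page JavaScript
}


def audit_session_settings(settings):
    """Return a list of findings for the session cookie; empty means no issue."""
    merged = {**DEFAULTS, **settings}
    findings = []
    if not merged["SESSION_COOKIE_SECURE"]:
        findings.append(
            "SESSION_COOKIE_SECURE is False: the sessionid cookie is also sent "
            "over plain http:// and can be read by anyone on the network path"
        )
    if not merged["SESSION_COOKIE_HTTPONLY"]:
        findings.append(
            "SESSION_COOKIE_HTTPONLY is False: the sessionid cookie is readable "
            "from JavaScript, so an XSS bug exposes the session"
        )
    return findings


def session_set_cookie_header(settings, session_key):
    """Render the Set-Cookie value the browser would receive for this config."""
    merged = {**DEFAULTS, **settings}
    name = merged["SESSION_COOKIE_NAME"]
    jar = SimpleCookie()
    jar[name] = session_key
    jar[name]["path"] = "/"
    # Morsel emits the bare flag names "Secure" and "HttpOnly" when set to True.
    if merged["SESSION_COOKIE_SECURE"]:
        jar[name]["secure"] = True
    if merged["SESSION_COOKIE_HTTPONLY"]:
        jar[name]["httponly"] = True
    return jar.output(header="").strip()


if __name__ == "__main__":
    # "examplesessionkey" is a constructed placeholder, not a real session id.
    for label, cfg in (("dev", DEV_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        print(label, session_set_cookie_header(cfg, "examplesessionkey"))
        for finding in audit_session_settings(cfg):
            print("  -", finding)
```

With the defaults the header carries `HttpOnly` but no `Secure`, which is exactly the gap the answer points at: the cookie is protected from script access but still travels over plain HTTP. The hardened dict adds `Secure`, and the audit returns no findings for it; redirecting http:// to https:// is still a web-server (or middleware) matter and is not covered by these two settings.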