Cookie security when passed over SSL


Question

Am I correct in thinking that if you pass a session cookie over an SSL-encrypted request, the cookie could only be read by an attacker who had direct access to the computer that the cookie had been sent to, or the server it has been sent from, provided they are unable to crack the encryption?

Accepted answer

SSL encrypts all traffic, including the header (which contains the cookie value).

On the other hand, the cookie can be accessed via JavaScript on the client machine, unless you have marked it as HttpOnly. A hacker could potentially get this script to run via an XSS attack.

In addition, there are ways to hijack the cookie with a carefully crafted email or web page. This is known as session riding or CSRF.

Finally, cookies are visible on the wire for any network connection beyond the point of SSL termination, e.g. if your data center uses SSL offloading and/or deep packet inspection.

Oh, and one more thing. If SSL isn't configured correctly it is easily vulnerable to a MITM attack, e.g. your server is configured to accept a null protocol. In this case a hacker can of course read the cookie plain as day.

I think that's it. That should be enough to keep you up at night.
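As an added illustration (not part of the original answer or the questioner's code): the points above about HttpOnly and XSS, and about CSRF, come down to attributes on the `Set-Cookie` header and to how the browser decides when to attach a stored cookie. The snippet below parses a `Set-Cookie` value, reports the attributes a session cookie is missing, and models the browser's send decision. It goes a step beyond the answer by also checking `SameSite`, the attribute that limits the cross-site requests CSRF relies on, and `Secure`, which stops the browser from sending the cookie over plain `http://` even when it was set over SSL. All function names and the two sample headers are made up for this example.

```python
# Added example: audit Set-Cookie headers for the attributes that matter once
# the cookie leaves the TLS tunnel, and model the browser's send decision.
# Function and sample names are made up for this illustration.
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool = False             # only sent over https://
    http_only: bool = False          # hidden from document.cookie (XSS)
    same_site: Optional[str] = None  # "Strict", "Lax", "None" or absent
    other: Dict[str, str] = field(default_factory=dict)


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value (RFC 6265 attribute syntax)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name.strip(), value.strip())
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.http_only = True
        elif key == "samesite":
            cookie.same_site = val.capitalize() or None
        elif key:
            cookie.other[key] = val
    return cookie


def audit(cookie: Cookie) -> List[str]:
    """Return the weaknesses a session cookie should not have."""
    findings = []
    if not cookie.secure:
        findings.append("no Secure: the browser will also send it over plain http://")
    if not cookie.http_only:
        findings.append("no HttpOnly: document.cookie exposes it to any XSS payload")
    if cookie.same_site is None:
        findings.append("no SameSite: attached to cross-site requests, which is what CSRF needs")
    elif cookie.same_site == "None" and not cookie.secure:
        findings.append("SameSite=None is only honoured together with Secure")
    return findings


def browser_will_attach(cookie: Cookie, url: str, cross_site: bool = False,
                        method: str = "GET", top_level_navigation: bool = False) -> bool:
    """Simplified model of when a browser attaches a stored cookie to a request.

    A missing SameSite is treated as 'attach everywhere' (the legacy behaviour;
    current Chrome defaults it to Lax, other engines differ).
    """
    if cookie.secure and urlsplit(url).scheme != "https":
        return False
    if cross_site and cookie.same_site == "Strict":
        return False
    if cross_site and cookie.same_site == "Lax":
        # Lax still allows top-level navigations with safe methods.
        return top_level_navigation and method.upper() in ("GET", "HEAD")
    return True


# Constructed sample headers: the weak one and its hardened form.
WEAK = "sessionid=7f3a9c; Path=/"
HARDENED = "sessionid=7f3a9c; Path=/; Secure; HttpOnly; SameSite=Lax"

if __name__ == "__main__":
    for header in (WEAK, HARDENED):
        c = parse_set_cookie(header)
        print(header)
        for finding in audit(c) or ["ok"]:
            print("  -", finding)
        print("  sent over http://  :", browser_will_attach(c, "http://example.com/"))
        print("  cross-site POST    :", browser_will_attach(
            c, "https://example.com/", cross_site=True, method="POST"))
```

Run it and the weak header produces three findings while the hardened one produces none; the hardened cookie is withheld from `http://` URLs and from a cross-site POST, which is the shape a CSRF request takes. None of this helps with the answer's last two points: a cookie that is perfectly flagged is still cleartext between the SSL terminator and the application server, and still readable by a MITM if the TLS configuration itself is weak.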
