Secure session management without cookies


Question

Some months ago, I visited a security workshop and we discussed some security problems when using cookies for session management. I was told that cookies originally were not designed for handling sessions. But how should it be done then?

Accepted answer

A secure way to do this would be to generate a cryptographically random 128 bit value (that is a random value generated by a CSPRNG), and then pass this as POST data to each page.

For example:

<form method="post" action="/globalHandler">
  <input type="hidden" name="sessionId" value="<sessiontoken>" />
  <input type="hidden" name="page" value="accountDetails" />
</form>

The advantage is that the session identifier never needs to be transmitted in a cookie, mitigating SSL attacks such as POODLE or BREACH (the attacker has no way of injecting requests because they do not have the session identifier). This also inherently protects against CSRF attacks.

The disadvantage is that every page that is to be accessed whilst logged in will need to be accessible via the POST method only, where the suitable validation can take place on the sessionId parameter. Therefore it is best done to a website when it is first developed, rather than altering an existing website to fit this format.

Using POST data is more secure than GET, because with GET the details would be in the query string portion of the URL. e.g.

https://example.com?sessionId=1234...

Not only does this make the session identifier visible on the user's screen, but it can also be leaked by the referer header, and will also be logged by default in browser history, proxy and server logs. POST data is rarely logged by default.

Some banks use this method to ensure that there is only one active path made by the user during their session - the session identifier can easily be rotated so that if a user goes down a different route, their identifier does not match and they are logged out. This is useful from a security point of view when you have a multi-step process that must be followed in a set order. Some business logic vulnerabilities can otherwise arise when a user takes a different path than that of the developers' expectations.
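
The server side of the scheme the answer describes, as an added example that is not part of the original answer: a 128-bit token from a CSPRNG, a hidden-field form that carries it in the POST body, a handler that accepts POST only, and single-use tokens that are rotated at every step so a request that leaves the expected path logs the user out. The flow name /globalHandler and the page names come from the answer; the step list FLOW, the in-memory store and all function names are assumptions made for this example.

```python
import hashlib
import html
import secrets

# Constructed example: the ordered pages of a multi-step flow that must be
# followed in sequence (e.g. a bank transfer). Page names are assumptions.
FLOW = ["accountDetails", "confirmTransfer", "receipt"]

# Server-side session store, keyed by SHA-256 of the token so that a leaked
# copy of the store does not hand out usable session identifiers.
# Value: {"user": <username>, "step": <index into FLOW>}
_SESSIONS = {}


def _key(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def new_session(user: str) -> str:
    """Create a session with a 128-bit CSPRNG token and return the token."""
    token = secrets.token_hex(16)  # 16 bytes = 128 bits from the OS CSPRNG
    _SESSIONS[_key(token)] = {"user": user, "step": 0}
    return token


def render_form(token: str, page: str) -> str:
    """Emit the hidden-field form from the answer, with values HTML-escaped."""
    return (
        '<form method="post" action="/globalHandler">\n'
        f'  <input type="hidden" name="sessionId" value="{html.escape(token)}" />\n'
        f'  <input type="hidden" name="page" value="{html.escape(page)}" />\n'
        "</form>"
    )


def handle_request(method: str, form: dict) -> dict:
    """
    Validate one request to /globalHandler.

    Returns {"status": ..., "token": <rotated token or None>, "page": <next page or None>}.
    The token is consumed on every POST: a replayed or off-path request never
    finds a live session, which is the "logged out" behaviour the answer relies on.
    """
    if method != "POST":
        # GET would put the identifier in the URL, referer header and logs.
        return {"status": "method_not_allowed", "token": None, "page": None}

    token = form.get("sessionId", "")
    page = form.get("page", "")
    session = _SESSIONS.pop(_key(token), None)  # single use: remove on lookup
    if session is None:
        return {"status": "no_session", "token": None, "page": None}

    expected = FLOW[session["step"]]
    if page != expected:
        # User left the prescribed path; the session is already gone.
        return {"status": "logged_out", "token": None, "page": None}

    next_step = session["step"] + 1
    if next_step >= len(FLOW):
        return {"status": "complete", "token": None, "page": None}

    # Rotate: a fresh token is bound to the next step only.
    new_token = secrets.token_hex(16)
    _SESSIONS[_key(new_token)] = {"user": session["user"], "step": next_step}
    return {"status": "ok", "token": new_token, "page": FLOW[next_step]}


if __name__ == "__main__":
    tok = new_session("alice")
    print(render_form(tok, FLOW[0]))
    for page in FLOW:
        result = handle_request("POST", {"sessionId": tok, "page": page})
        print(page, "->", result["status"])
        tok = result["token"]
```

Every page in the flow renders its own form with the freshly rotated token, so the browser never needs a cookie, and a stale or replayed sessionId simply fails the lookup.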
