Cookie安全 [英] Cookie Security
问题描述
我有一个关于cookie安全性的快速问题,我想在实现它之前就想由stackoverflow社区来运行它.这将是我第一次在网站上实现用户登录,我想对安全性非常谨慎-不必担心帐户会被盗用.
I had a quick question about cookie security that I wanted to run by the stackoverflow community before I got too far into implementing it. This will be my first time implementing user sign-in on a site and I wanted to be extremely cautious about security so-as not to have to worry about accounts being compromised down the line.
这是我假设的安全解决方案:
Here's my hypothetical security solution:
- 用户注册网站(通过电子邮件注册,使用Facebook登录等),并被分配一个用户ID号.此号码是公开的,可用于访问用户的个人资料,在帖子中引用他们,等等.
- 注册时,还会为用户分配一个随机生成的ROWID,因为其信息存储在数据库中(托管在Google Fusion Tables中).该ROWID号对用户隐藏,并且永远不会泄露.
- 已根据ROWID号对用户ID进行加密,并且此数字存储在用户计算机上的cookie中.它永远不会对其他用户可见,并且从理论上讲,只能由该用户查看.
此解决方案将允许使用秘密"密钥(ROWID号),消费者"密钥(保存在cookie中)和公共引用ID(用户ID).当然,所有这些都汇总到一个数据库中,站点可以在该数据库中快速访问它们.这听起来像是可以提供适当级别的安全性的计划,还是我应该考虑的其他事项?
This solution would allow for a "secret" key (the ROWID number), a "consumer" key (saved in the cookie), and a public reference ID (the User ID). All of these are, of course, rolled up into a database where the site can quickly access them. Does this sound like a plan that would provide the proper level of security or is there something else that I should consider?
推荐答案
要获得通过XSS之类的防止cookie盗窃的额外保护,您可能需要考虑为每个IP地址颁发唯一的cookie,然后确保这些cookie仅可使用.从该IP地址. 如果您要将Cookie存储在数据库中,则事情可能会变得复杂,因为现在您有多个Cookie映射到同一用户.
For additional protection against cookie theft through something like XSS, you might want to consider issuing unique cookies per IP address, and then making sure that the cookies are only useable from that IP address. If you're storing your cookies in the database, things can get complicated, as you now have multiple cookies mapping to the same user.
这是避免这些问题的方法:
Here's how to avoid those problems:
Set-Cookie: userName=Alice; authCode=eeba95a4...
其中:authCode = HMAC (ROWID,用户名+ ipAddr)
Where: authCode=HMAC(ROWID, userName + ipAddr)
收到此cookie时,请使用请求的ROWID和ip地址在数据库中查找用户,重新计算/验证cookie中的authCode.无需在数据库中存储cookie.
When you receive this cookie, look up the user in the database, recompute/verify the authCode in the cookie, using ROWID and ip address of the request. No need to store cookies in the database.
要获得额外的加密点,请将 salt 参数放入混合:
For extra crypto points, throw a salt parameter into the mix:
Set-Cookie: userName=Alice; salt=59843...; authCode=eeba9...
其中:authCode = HMAC(ROWID,用户名+ ipAddr +盐)
Where: authCode=HMAC(ROWID, userName + ipAddr + salt)
盐值是针对您生成的每个Cookie随机生成的.无需保密.
Salt value is generated randomly for every cookie you produce. There's no need to keep it a secret.
这篇关于Cookie安全的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
