Are cookies safe in a Heroku app on herokuapp.com?


Question

I am developing an app, which I will deploy on Heroku. The app is only used within an iframe on another site, so I don't care about the domain name. I plan to deploy my app on example.herokuapp.com instead of using a custom domain on example.com.

My app uses cookies, and I want to be sure that others cannot manipulate my cookies to protect my app against session fixation and similar attacks. If attacker.herokuapp.com is able to set a cookie for herokuapp.com, browsers will not be able to protect me, since herokuapp.com is not a public suffix. See http://w2spconf.com/2011/papers/session-integrity.pdf for a detailed description of the issue.

My question is: When browsers can't protect my users, will Heroku do it by blocking cookies for herokuapp.com?

Answer

Just wanted to post an update for anyone who ran across this question as I did. I was working on a similar problem, except that I wanted to purposefully allow access to the same cookie from two different heroku apps.

"herokuapp.com" and "herokussl.com" are now on the Public Suffix List, so your cookies should be safe if they are set for one of those domains. I ended up having to use custom domains in order to share cookies across both apps.

Heroku also released an article on the topic: https://devcenter.heroku.com/articles/cookies-and-herokuapp-com
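The following is an added example, not code from the question, the answer, or Heroku. It models the decision a browser makes when a response carries a `Set-Cookie` with a `Domain` attribute (RFC 6265 section 5.3, including the public-suffix rejection step), so you can see why `attacker.herokuapp.com` could once plant a cookie that `example.herokuapp.com` would receive, and why listing `herokuapp.com` on the Public Suffix List closes that path while a custom domain like `example.com` still allows sharing between sub-hosts. `PUBLIC_SUFFIXES` is a constructed three-entry excerpt, not the real list; the function names are this example's own.

```javascript
// Added example: a minimal model of browser cookie Domain handling.
// PUBLIC_SUFFIXES is a constructed excerpt for illustration; the real list
// lives at https://publicsuffix.org/list/public_suffix_list.dat
const PUBLIC_SUFFIXES = new Set(["com", "herokuapp.com", "herokussl.com"]);

// RFC 6265 section 5.1.3: a host domain-matches a cookie domain when it is
// identical to it or ends with "." + that domain.
function domainMatches(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase();
  return host === cookieDomain || host.endsWith("." + cookieDomain);
}

// Decide whether a Set-Cookie from requestHost with the given Domain
// attribute (null when absent) is stored, and with what scope.
// Returns { accepted, domain, hostOnly } or { accepted: false, reason }.
function evaluateCookieDomain(requestHost, domainAttr, psl = PUBLIC_SUFFIXES) {
  requestHost = requestHost.toLowerCase();
  if (domainAttr === null || domainAttr === "") {
    // No Domain attribute: host-only cookie, returned only to requestHost.
    return { accepted: true, domain: requestHost, hostOnly: true };
  }
  let domain = domainAttr.toLowerCase();
  if (domain.startsWith(".")) domain = domain.slice(1); // leading dot is ignored
  // Section 5.3 step 5: a Domain that is a public suffix is only allowed when
  // it equals the request host itself, and then the cookie becomes host-only.
  if (psl.has(domain)) {
    if (domain === requestHost) {
      return { accepted: true, domain: requestHost, hostOnly: true };
    }
    return { accepted: false, reason: domain + " is a public suffix" };
  }
  // Section 5.3 step 6: the request host must domain-match the Domain value.
  if (!domainMatches(requestHost, domain)) {
    return { accepted: false, reason: requestHost + " does not domain-match " + domain };
  }
  return { accepted: true, domain, hostOnly: false };
}

// Would a stored cookie be sent on a request to targetHost?
function cookieReachesHost(stored, targetHost) {
  if (!stored.accepted) return false;
  targetHost = targetHost.toLowerCase();
  return stored.hostOnly ? targetHost === stored.domain
                         : domainMatches(targetHost, stored.domain);
}

// The session-fixation scenario from the question: the attacker's app tries
// to plant a cookie scoped to the shared parent and have the victim app
// receive it. Returns true when the attack would succeed.
function attackerCanPlantCookie(attackerHost, victimHost, parentDomain, psl = PUBLIC_SUFFIXES) {
  const stored = evaluateCookieDomain(attackerHost, parentDomain, psl);
  return cookieReachesHost(stored, victimHost);
}

// Before herokuapp.com was on the list ("com" only): attack works.
const PRE_PSL = new Set(["com"]);
console.log("before PSL entry:",
  attackerCanPlantCookie("attacker.herokuapp.com", "example.herokuapp.com", "herokuapp.com", PRE_PSL));
// With the current list: the Domain=herokuapp.com cookie is rejected.
console.log("after PSL entry:",
  attackerCanPlantCookie("attacker.herokuapp.com", "example.herokuapp.com", "herokuapp.com"));
// Custom domain (what the answer switched to): app1 and app2 can share.
console.log("custom domain sharing:",
  attackerCanPlantCookie("app1.example.com", "app2.example.com", "example.com"));
```

The same rule that protects `example.herokuapp.com` is what forced the answerer onto a custom domain: once a name is a public suffix, no host beneath it can set a cookie for it, so intentional sharing between two apps needs a parent domain you control that is not on the list. Note that a malicious sibling can still set a host-only cookie for its own host name; the list only stops it from reaching yours.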

