How are client side Session Ids protected?


Problem description

What keeps someone from logging in to web-site Z, going into the cookie holding the Session_Id for web-site Z, and fiddling with it to become someone else as identified by the server?

Recommended answer

Nothing but the length and base of session ids. If it is quite long, it would take trillions (or more) of tries before a collision is found. Longer ids multiply the number of possible ids by the base of the hash, so if your hash has numbers and lowercase letters, every extra character multiplies the possibilities by 36.

A 20 character hash will give you 36^20 different possibilities. If you double the length of the id, you get 36^40 different possibilities, making it much harder for anyone to brute force into another account.
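To put numbers on the answer's argument, here is an added example (not part of the original question or answer) that computes the keyspace and entropy of a base-36 session id, estimates how long blind guessing would take at an assumed guess rate, distinguishes guessing one specific session from hitting any of the site's active sessions, and generates ids with a cryptographically secure random source. The guess rate and session count are assumed illustrative values.

```python
import math
import secrets
import string

# The alphabet the answer describes: digits plus lowercase letters (base 36).
BASE36 = string.digits + string.ascii_lowercase


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct ids of the given length over the alphabet (36^20 etc.)."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy when every character is drawn uniformly at random.
    Length alone is not enough: a predictable generator gives far fewer bits."""
    return length * math.log2(alphabet_size)


def expected_guesses(alphabet_size: int, length: int, active_sessions: int = 1) -> int:
    """Expected number of blind guesses before hitting any valid session.
    With many live sessions the attacker does not need one specific victim,
    so the work drops by the number of active sessions (active_sessions=1
    is the 'become a particular user' case from the question)."""
    return keyspace(alphabet_size, length) // (2 * active_sessions)


def years_to_guess(alphabet_size: int, length: int,
                   guesses_per_second: float, active_sessions: int = 1) -> float:
    """Expected wall-clock years at an assumed sustained guess rate."""
    seconds = expected_guesses(alphabet_size, length, active_sessions) / guesses_per_second
    return seconds / (365 * 24 * 3600)


def new_session_id(length: int = 40) -> str:
    """Mint a session id with the OS CSPRNG; each character is uniform over base 36,
    so the id carries the full entropy_bits(36, length)."""
    return "".join(secrets.choice(BASE36) for _ in range(length))


if __name__ == "__main__":
    for n in (20, 40):
        print(f"{n} chars: 36^{n} = {keyspace(36, n):.3e} ids, "
              f"{entropy_bits(36, n):.1f} bits, "
              f"~{years_to_guess(36, n, 1e9, active_sessions=1_000_000):.2e} years "
              f"at 1e9 guesses/s against 1,000,000 live sessions")
    print("example id:", new_session_id())
```

Even the 20-character id already far exceeds the commonly cited 64-bit entropy floor for session identifiers; the real-world weak point is usually the generator (predictable seeds, timestamps, sequential ids), which this estimate assumes away.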

