Is encrypting session id (or other authentication value) in cookie useful at all?


Question

In web development, when session state is enabled, a session id is stored in a cookie (in cookieless mode, the query string will be used instead). In asp.net, the session id is encrypted automatically. There are plenty of topics on the internet regarding how you should encrypt your cookie, including the session id. I can understand why you would want to encrypt private info such as DOB, but any private info should not be stored in a cookie in the first place. So for other cookie values such as the session id, what is the purpose of encryption? Does it add security at all? No matter how you secure it, it will be sent back to the server for decryption.

To be more specific,

for authentication purposes,


  1. Turn off session; I don't want to deal with session timeout anymore.

  2. Store some kind of id value in a cookie.

  3. On the server side, check that the id value exists and matches; if so, authenticate the user.

  4. Let the cookie value expire when the browser session ends.

VS

Asp.net forms authentication mechanism (it relies on session or session id, I think)

Does the latter one offer better security?

Answer

Attacks on sessions like Session Hijacking aim for a valid session ID. If you now would encrypt the session ID, attackers would simply aim for the encrypted session ID and you wouldn’t have any advantage. So encrypting the session ID is useless. Remember that the session ID is just a random value that is used to identify a session. Attackers don’t need to know if that random value has some specific meaning; they just need to know that random value.

If you want to secure your session, use HTTPS to encrypt the whole HTTP communication via SSL and set the cookies only with the flags

  • secure to only allow the cookie to be sent via HTTPS and
  • HttpOnly to forbid local access via JavaScript.
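As an added example (not code from the question, the answer, or ASP.NET's own session implementation), the following stdlib-only Python sketch puts the questioner's four-step scheme and the answer's two points side by side: a server-side store keyed by a CSPRNG-generated session ID, a Set-Cookie header carrying the Secure and HttpOnly flags with no Expires/Max-Age so the cookie dies with the browser session, and a hijack where the attacker replays the captured cookie value verbatim. The replay is run twice, once with the bare ID and once with the ID wrapped in a toy cipher, to show that the attacker never needs to decrypt anything. All names (SessionStore, ToyCookieCipher, authenticate, hijack_demo) are hypothetical, and the cipher is a stand-in for whatever encryption ASP.NET or a developer would apply; it is not a production cipher.

```python
"""Session cookies: why encrypting the ID adds nothing, and which flags matter.
Hypothetical demo (not ASP.NET's implementation). Constructed inputs only."""
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie


class SessionStore:
    """Server-side store mapping session ID -> session data (question's step 2/3).
    The ID is pure randomness, so it has no meaning for encryption to hide."""

    def __init__(self):
        self._sessions = {}

    def create(self, username):
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[sid] = {"user": username}
        return sid

    def user_for(self, sid):
        data = self._sessions.get(sid)
        return data["user"] if data else None


class ToyCookieCipher:
    """Stand-in for 'encrypt the session cookie' (assumption: any real cipher
    behaves the same for this argument). HMAC-SHA256 keystream XOR with a
    per-token random nonce. Demo only, NOT for production."""

    def __init__(self, key):
        self._key = key

    def _keystream(self, nonce, length):
        out, counter = b"", 0
        while len(out) < length:
            block = nonce + counter.to_bytes(4, "big")
            out += hmac.new(self._key, block, hashlib.sha256).digest()
            counter += 1
        return out[:length]

    def encrypt(self, plaintext):
        nonce = secrets.token_bytes(16)
        ks = self._keystream(nonce, len(plaintext))
        ct = bytes(a ^ b for a, b in zip(plaintext.encode(), ks))
        return (nonce + ct).hex()

    def decrypt(self, token_hex):
        raw = bytes.fromhex(token_hex)  # ValueError on garbage input
        nonce, ct = raw[:16], raw[16:]
        ks = self._keystream(nonce, len(ct))
        return bytes(a ^ b for a, b in zip(ct, ks)).decode()


def set_cookie_header(name, value):
    """Set-Cookie with the flags the answer recommends. No Max-Age/Expires, so
    the browser drops it when the session ends (question's step 4)."""
    c = SimpleCookie()
    c[name] = value
    c[name]["secure"] = True      # only sent over HTTPS
    c[name]["httponly"] = True    # not readable from JavaScript
    c[name]["samesite"] = "Lax"   # limits cross-site sends (Python 3.8+)
    return c.output(header="Set-Cookie:")


def cookie_value(cookie_header, name):
    """Parse an incoming 'Cookie:' header value and return one cookie's value."""
    c = SimpleCookie()
    c.load(cookie_header)
    return c[name].value if name in c else None


def authenticate(store, cipher, cookie_header):
    """Server-side check (question's step 3): decrypt if a cipher is in use,
    then look the ID up. Returns the user name or None."""
    token = cookie_value(cookie_header, "sid")
    if token is None:
        return None
    try:
        sid = cipher.decrypt(token) if cipher else token
    except (ValueError, UnicodeDecodeError):
        return None  # malformed token: treated like an unknown session
    return store.user_for(sid)


def hijack_demo(encrypt_cookie):
    """Victim logs in; attacker captures the cookie (plain HTTP, or XSS when
    HttpOnly is missing) and replays it byte-for-byte, never decrypting it.
    Returns (user the server sees for the victim, user it sees for the attacker)."""
    store = SessionStore()
    cipher = ToyCookieCipher(secrets.token_bytes(32)) if encrypt_cookie else None
    sid = store.create("alice")
    token = cipher.encrypt(sid) if cipher else sid
    victim_cookie = f"sid={token}"    # what the victim's browser sends back
    attacker_cookie = victim_cookie   # captured verbatim
    return store.user_for(sid), authenticate(store, cipher, attacker_cookie)


if __name__ == "__main__":
    print(set_cookie_header("sid", SessionStore().create("alice")))
    print("plain   :", hijack_demo(False))
    print("encrypted:", hijack_demo(True))
```

Both calls to hijack_demo return ("alice", "alice"): the encrypted cookie is just a different opaque bearer value, and the server happily decrypts it for whoever presents it. What does stop the capture in the first place is the transport and the flags in set_cookie_header, which is the answer's point.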
