What is the best way to prevent session hijacking?


Question

Specifically this is regarding when using a client session cookie to identify a session on the server.

Is the best answer to use SSL/HTTPS encryption for the entire web site, and you have the best guarantee that no man in the middle attacks will be able to sniff an existing client session cookie?

And perhaps second best to use some sort of encryption on the session value itself that is stored in your session cookie?

If a malicious user has physical access to a machine, they can still look at the filesystem to retrieve a valid session cookie and use that to hijack a session?

Answer

Encrypting the session value will have zero effect. The session cookie is already an arbitrary value; encrypting it will just generate another arbitrary value that can be sniffed.

The only real solution is HTTPS. If you don't want to do SSL on your whole site (maybe you have performance concerns), you might be able to get away with only SSL protecting the sensitive areas. To do that, first make sure your login page is HTTPS. When a user logs in, set a secure cookie (meaning the browser will only transmit it over an SSL link) in addition to the regular session cookie. Then, when a user visits one of your "sensitive" areas, redirect them to HTTPS, and check for the presence of that secure cookie. A real user will have it; a session hijacker will not.

EDIT: This answer was originally written in 2008. It's 2016 now, and there's no reason not to have SSL across your entire site. No more plaintext HTTP!
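The "secure marker cookie" scheme the answer describes, written out as a small WSGI-style gatekeeper. This is an added example, not code from the question or the answer; it uses only the Python standard library, and the names `SESSIONS`, `login()`, `guard_sensitive()` and `app()` are assumptions made for this illustration. It goes one step beyond the answer's presence check by binding the Secure cookie to the session in the server-side store, so a marker from a different session cannot be substituted.

```python
# Added example (not from the original question or answer): the answer's
# "secure marker cookie" scheme as a WSGI-style gatekeeper, standard library only.
# SESSIONS, login(), guard_sensitive() and app() are names assumed for this demo.
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie
from urllib.parse import quote

# Constructed in-memory session store: session id -> session data.
# The secure marker is kept hashed so a leaked store does not leak live markers.
SESSIONS: dict = {}


def _sha256(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()


def login(username: str) -> dict:
    """Issue cookies at login. The login page itself must be served over HTTPS.

    Two cookies are set: the regular session cookie (sid) and a second cookie
    (ssid) carrying the Secure attribute, so the browser only ever sends it
    over TLS. A hijacker who sniffed sid on plaintext HTTP never sees ssid.
    """
    sid = secrets.token_urlsafe(32)
    marker = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": username, "marker_hash": _sha256(marker)}
    set_cookie_headers = [
        ("Set-Cookie", f"sid={sid}; Path=/; HttpOnly; SameSite=Lax"),
        ("Set-Cookie", f"ssid={marker}; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ]
    return {"sid": sid, "ssid": marker, "headers": set_cookie_headers}


def _parse_cookies(header: str) -> dict:
    jar = SimpleCookie()
    jar.load(header or "")
    return {name: morsel.value for name, morsel in jar.items()}


def guard_sensitive(environ: dict) -> tuple:
    """Gatekeeper for a 'sensitive' area, given a WSGI-style environ.

    Returns (status, headers, body). Order of checks:
      1. Request not over HTTPS -> redirect to the HTTPS URL of the same path.
      2. No valid session cookie -> 401.
      3. Secure marker cookie missing or not bound to this session -> 403
         (this is what stops a hijacker who only has the sniffed sid).
    """
    if environ.get("wsgi.url_scheme") != "https":
        location = "https://" + environ["HTTP_HOST"] + quote(environ.get("PATH_INFO", "/"))
        return ("302 Found", [("Location", location)], b"")
    cookies = _parse_cookies(environ.get("HTTP_COOKIE", ""))
    session = SESSIONS.get(cookies.get("sid", ""))
    if session is None:
        return ("401 Unauthorized", [], b"login required")
    marker = cookies.get("ssid")
    # Beyond the answer's presence check: the marker must hash to the value
    # stored for this session. compare_digest avoids a timing side channel.
    if marker is None or not hmac.compare_digest(_sha256(marker), session["marker_hash"]):
        return ("403 Forbidden", [], b"secure session cookie missing")
    body = f"hello {session['user']}".encode()
    return ("200 OK", [("Content-Type", "text/plain")], body)


def app(environ, start_response):
    """Minimal WSGI app that puts the guard in front of every path (demo only)."""
    status, headers, body = guard_sensitive(environ)
    start_response(status, headers)
    return [body]
```

Run it under any WSGI server behind a TLS terminator that sets `wsgi.url_scheme` correctly (or test `guard_sensitive()` directly with a hand-built environ). As the 2016 edit says, the modern shape is simpler: serve everything over HTTPS, send `Strict-Transport-Security`, and mark the one session cookie itself `Secure; HttpOnly`, at which point the separate marker cookie is unnecessary.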

