如何安全地存储会话 ID [英] How to store Session ID securely
问题描述
我是一名学习密码学的学生.在网上搜索后,我仍然无法找到我的问题的答案.我想知道如何为电子商务网站安全地存储会话 ID.如果有可能,怎么可能?请用外行的术语解释它.期待您的有用答案.
I am a student learning about cryptography. After searching online, I am still unable to find an answer to my question. I am wondering how to store a session ID securely for an ecommerce website. If it is possible, how so? Please do explain it in Layman's term. Looking forward to your helpful answers.
干杯
推荐答案
会话 ID 通常只是在客户端和服务器之间传递的随机(不透明)标识符.服务器使用标识符在数据库中查找状态信息(例如当前购物车内容).
Session IDs are usually just a random (opaque) identifier that is passed between the client and the server. The server uses the identifier to look up state information (e.g. current cart content) in the database.
实际上,您必须相信客户端会保护会话 ID,因为一旦您将其发送给他们,它就会变成静态令牌——再多的密码学也无法解决任何人都可以呈现会话的事实id 然后伪装成用户.
As a practical matter, you have to trust that the client will protect the session id, as once you send it to them, it becomes a static token -- no amount of cryptography can fix the fact that anyone can present a session id and then pretend to be the user.
您可以采取一些措施来缓解问题:
There are some things that you can do to mitigate issues:
确保您使用足够安全"的随机生成器来构建令牌
ensure you are using a "secure enough" random generator to build the token
确保令牌的传输尽可能安全,防止窃听或客户端盗窃(例如使用 SSL、httponly 和安全 cookie 标志)
make sure the transmission of the token is as secure as possible against eavesdropping or client-side theft (e.g. use SSL, httponly and secure cookie flags)
给令牌一个合理的超时时间,并要求用户定期使用例如请求一个新令牌.刷新令牌或重新登录.
Give the token a reasonable timeout, and require the user to request a new token periodically using e.g. a refresh token or re-login.
人们对这如何实际工作进行了很多思考 - 看看 OAuth2/OpenID Connect 协议.
A lot of thought has gone in to how this can work practically - have a look at the OAuth2 / OpenID Connect protocols.
这篇关于如何安全地存储会话 ID的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
