将数据放入 cookie 是否安全? [英] Is putting data in cookies secure?

问题描述

我正在使用 asp.net mvc 2.0，我想知道将信息放入 cookie 有多安全?

I am using asp.net mvc 2.0 and I am wondering how secure is it to put information in a cookie?

就像我在我的 cookie 中放入了一个经过加密的表单身份验证票证，所以我可以在其中放入可能敏感的信息吗?

Like I put in my cookie a forms authentication ticket that is encrypted so can I put information that could be sensitive in there?

string encryptedTicket = FormsAuthentication.Encrypt(authTicket)
HttpCookie authCookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);

就像我没有存储密码或类似的东西，但我想存储 UserId，因为目前每次用户向我的网站发出请求时，我都必须进行查询并获取该用户的用户 ID，因为我的每个表db 要求您使用 userId 来取回正确的行.

Like I am not storing the password or anything like that but I want to store the UserId because currently every time the user makes a request to my site I have to do a query and get that users Userid, since every table in my db requires you to use the userId to get the right row back.

所以这些开始快速加起来，所以我宁愿这样，如果用户通过了一次身份验证，那么就是这样，直到他们需要再次重新进行身份验证.如果我要存储这个 userId，我可以将这么多的请求保存到数据库中.

So these start to add up fast so I rather have it that if a user is authenticated once then that's it till they need to be re-authenticated again. If I would store this userId I could save so many requests to the database.

但我不希望它以明文形式浮动，因为可能有人会在他们确实不应该这样做时使用它来尝试从数据库中获取一行.

Yet I don't want it floating around in clear text as potential someone could use it to try to get a row out of a database when they really should not be.

显示身份验证使用的这种加密有多好?

Show how good is this encryption that Authentication uses?

推荐答案

除了 cookie 加密，你还应该实现一个循环令牌来防止重放攻击.

Along with cookie encryption, you should also implement a rotating token to prevent replay attacks.

这个想法是加密的 cookie 包含一些可以与服务器上的已知值进行比较的值.如果数据匹配，则请求成功.如果数据不匹配，那么您遇到了重放攻击，需要终止会话.

The idea being that the encrypted cookie contains some value which can be compared to a known value on the server. If the data matches, then the request succeeds. If the data doesn't match then you are experiencing a replay attack and need to kill the session.

更新
其中一条评论询问我是否打算将值存储在 cookie 中.答案是肯定的.应该对整个 cookie 进行加密，这可以通过使用 HttpModule 自动完成.encrypted cookie 内是您的任何正常信息 + 更改令牌.

UPDATE
One of the comments asked if I meant to store the value in the cookie. The answer is yes. The ENTIRE cookie should be encrypted, which can be automatically done through the use of an HttpModule. Inside the encrypted cookie is any of your normal information + the changing token.

在每次回帖时，检查令牌.如果有效，则允许交易，创建一个新的随机令牌，存储在 cookie 中，然后将其发送回浏览器.同样，以加密形式.

On each post back, check the token. If it's valid, allow the transaction, create a new random token, store in the cookie, and send that back to the browser. Again, in an encrypted form.

结果是您的 cookie 是安全的(您正在使用 3DES?)并且任何攻击者都将有极其有限的机会窗口来尝试重放攻击.如果令牌没有通过集合，您可以简单地拉响警报并采取适当的措施.

The result is that your cookie is secure (you are using 3DES?) and any attacker would have an extremely limited window of opportunity to even attempt a replay attack. If a token didn't pass muster, you could simply sound the alarm and take appropriate measures.

服务器端所需要做的就是跟踪用户及其当前令牌.这通常比在每次加载页面时都需要查找用户名之类的小东西要小得多.

All that's needed server side is to keep track of the user and their current token. Which is usually a much smaller db hit than having to look up little things like the users name on each page load.

更新 2
我一直在试图弄清楚这是否比将更改的值存储在会话中更好或更差.我得出的结论是，在 Web 服务器上的会话中存储轮换值绝对不能防止重放攻击，因此不如将该值放入 cookie 安全.

UPDATE 2
I've been trying to figure out whether this is better or worse than keeping the changing value stored in session. The conclusion I've come to is that storing a rotating value in session on the web server does absolutely nothing to prevent replay attacks and is therefore less secure than putting that value in a cookie.

考虑这种情况.浏览器发出请求.服务器查看会话 ID 并提取会话对象，然后执行工作，并将响应发送回浏览器.与此同时，BlackHat Bob 记录了这笔交易.

Consider this scenario. Browser makes request. Server looks at the session id and pulls up the session objects, work is then performed, and the response is sent back to the browser. In the meantime, BlackHat Bob recorded the transaction.

Bob 然后将完全相同的请求(包括会话 ID)发送到服务器.此时，服务器绝对无法知道这是来自攻击者的请求.您不能使用 IP，因为这些可能会因使用代理而改变，您不能使用浏览器指纹，因为所有这些信息都已记录在初始交换中.此外，鉴于会话通常至少持续 30 分钟，有时甚至更长，攻击者有一个相当大的窗口可以工作.

Bob then sends the exact same request (including session id) to the server. At this point there is absolutely no way for the server to know that this is a request from an attacker. You can't use IP as those might change due to proxy use, you can't use browser fingerprinting as all of that information would have been recorded in the initial exchange. Also, given that sessions are usually good for at least 30 minutes and sometimes much longer, the attacker has a pretty good sized window to work in.

因此，无论如何，为了防止重放，您必须在每次请求后向浏览器发送一个更改令牌.

So, no matter what, to prevent replay you have to send a changing token to the browser after each request.

现在这给我们留下了一个问题，即是否也将诸如用户ID之类的值存储在加密的cookie中，还是将其存储在服务器端的会话变量中.对于会话，您会担心更高的内存和 cpu 利用率以及负载平衡等潜在问题.对于 cookie，您有一些小于 4kb 的数据量，并且如果处理得当，添加的数据量在 1kb 或更少的范围内对每个请求.我想这将归结为您是否愿意添加更多/更大的服务器和内部网络设备来处理请求(会话)或支付稍大的互联网管道(cookie).

Now this leaves us with the question about whether to also store values such as the user id in an encrypted cookie or store it server side in a session variable. With session you have concerns such as higher memory and cpu utilization as well as potential issues with load balancing etc. With cookies you have some amount of data that is less than 4kb, and, properly done, in the 1kb or less range that gets added to each request. I guess it will boil down to whether you would rather add more / larger servers and internal networking equipment to handle the requests (session) or pay for a slightly larger internet pipe (cookie).

这篇关于将数据放入 cookie 是否安全?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！