是把数据在cookie中是否安全? [英] Is putting data in cookies secure?
问题描述
我使用asp.net的MVC 2.0,我想知道如何安全是它把信息的cookie?
就像我把我的cookie中的窗体身份验证经过加密,所以我可以把那可能是有敏感信息的票吗?
字符串的encryptedTicket = FormsAuthentication.Encrypt(authTicket)
的HttpCookie authCookie =新的HttpCookie(FormsAuthentication.FormsCookieName,encryptedTicket中);
但就像我不存储密码或类似的东西我想存储的用户ID,因为目前每时间用户发出请求到我的地盘我必须做一个查询,并得到用户用户标识,因为在我的数据库的每个表要求您使用用户标识得到正确的行了。
因此,这些开始增加快,所以我宁愿它,如果用户进行身份验证一次,然后就是这样,直到他们需要再重新进行身份验证。如果我将存储此用户id我可以节省这么多的数据库请求。
不过,我不希望它漂浮在明文作为潜在的人可以用它来试图得到一个排出来的时候,他们真的不应该是一个数据库。
显示有多好,这种加密的身份验证使用?
< DIV CLASS =h2_lin>解决方案
随着Cookie加密,你也应该实现一个旋转的标记,以防止重放攻击。
理念在于所述加密cookie包含一些值可以比服务器上的已知值。如果数据匹配,则请求成功。如果数据不匹配,那么您遇到重放攻击,需要终止会话。
更新结果
一路的意见,问我是否意味着存储在cookie的值。答案是肯定的。整个饼干应该被加密,它可以通过使用HTTP模块的自动完成。里面的加密的Cookie是你的任何普通信息+不断变化的令牌。
在各回传,检查令牌。如果它是有效的,允许交易,在cookie创建一个新的随机的令牌,存储和发送回浏览器。同样,以加密的形式。
其结果是,你的Cookie是安全的(你的是的使用3DES?)任何攻击者必须拥有一个极其有限的机会,甚至企图重放攻击窗口。如果令牌未通过审核,你可以简单地发出警报,并采取相应的措施。
所有的需要服务器端是跟踪用户和他们目前的令牌。这通常是一个小得多的DB命中不必看起来像每个页面加载的用户名小事。
更新2
我一直在试图弄清楚这究竟是不是保持存储在会话的变化值,更好或更坏。我得出的结论是,在Web服务器上存储会话旋转值也绝对没有什么,以防止重放攻击,是不是把该值在cookie中,因此不太安全。
考虑这种情况。浏览器发出请求。服务器查看会话ID和拉起会话对象,工作,然后执行,并且响应发送回浏览器。在此期间,黑帽子鲍勃记录该交易。
然后,Bob发送完全相同的请求(包括会话ID)到服务器。在这一点上是绝对没有办法让服务器知道这是来自攻击者的请求。您不能使用IP那些可能会因代理使用,您不能使用浏览器作为指纹所有信息将被记录在初始交换。此外,由于会话通常至少30分钟好,有时更长,攻击者有着相当不错的大小的窗口中工作。
所以,不管是什么,防止重放你必须发送一个变化的令牌给每个请求之后浏览器。
现在这给我们留下了这样一个问题是否也存储值,如在会话变量中的加密的cookie或存储它的服务器端的用户ID。随着会话你有诸如更高的内存和CPU利用率是被添加的担忧以及潜在问题负载均衡等有了你有一些数据量小于4KB,而且处理得当饼干,在1KB或更小的范围到的每个请求。我想这会归结到是否宁愿增加更多/大型服务器和内部网络设备来处理请求(会话)或支付稍大的互联网管(饼干)。
I am using asp.net mvc 2.0 and I am wondering how secure is it to put information in a cookie?
Like I put in my cookie a forms authentication ticket that is encrypted so can I put information that could be sensitive in there?
string encryptedTicket = FormsAuthentication.Encrypt(authTicket)
HttpCookie authCookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);
Like I am not storing the password or anything like that but I want to store the UserId because currently every time the user makes a request to my site I have to do a query and get that users Userid, since every table in my db requires you to use the userId to get the right row back.
So these start to add up fast so I rather have it that if a user is authenticated once then that's it till they need to be re-authenticated again. If I would store this userId I could save so many requests to the database.
Yet I don't want it floating around in clear text as potential someone could use it to try to get a row out of a database when they really should not be.
Show how good is this encryption that Authentication uses?
Along with cookie encryption, you should also implement a rotating token to prevent replay attacks.
The idea being that the encrypted cookie contains some value which can be compared to a known value on the server. If the data matches, then the request succeeds. If the data doesn't match then you are experiencing a replay attack and need to kill the session.
UPDATE
One of the comments asked if I meant to store the value in the cookie. The answer is yes. The ENTIRE cookie should be encrypted, which can be automatically done through the use of an HttpModule. Inside the encrypted cookie is any of your normal information + the changing token.
On each post back, check the token. If it's valid, allow the transaction, create a new random token, store in the cookie, and send that back to the browser. Again, in an encrypted form.
The result is that your cookie is secure (you are using 3DES?) and any attacker would have an extremely limited window of opportunity to even attempt a replay attack. If a token didn't pass muster, you could simply sound the alarm and take appropriate measures.
All that's needed server side is to keep track of the user and their current token. Which is usually a much smaller db hit than having to look up little things like the users name on each page load.
UPDATE 2
I've been trying to figure out whether this is better or worse than keeping the changing value stored in session. The conclusion I've come to is that storing a rotating value in session on the web server does absolutely nothing to prevent replay attacks and is therefore less secure than putting that value in a cookie.
Consider this scenario. Browser makes request. Server looks at the session id and pulls up the session objects, work is then performed, and the response is sent back to the browser. In the meantime, BlackHat Bob recorded the transaction.
Bob then sends the exact same request (including session id) to the server. At this point there is absolutely no way for the server to know that this is a request from an attacker. You can't use IP as those might change due to proxy use, you can't use browser fingerprinting as all of that information would have been recorded in the initial exchange. Also, given that sessions are usually good for at least 30 minutes and sometimes much longer, the attacker has a pretty good sized window to work in.
So, no matter what, to prevent replay you have to send a changing token to the browser after each request.
Now this leaves us with the question about whether to also store values such as the user id in an encrypted cookie or store it server side in a session variable. With session you have concerns such as higher memory and cpu utilization as well as potential issues with load balancing etc. With cookies you have some amount of data that is less than 4kb, and, properly done, in the 1kb or less range that gets added to each request. I guess it will boil down to whether you would rather add more / larger servers and internal networking equipment to handle the requests (session) or pay for a slightly larger internet pipe (cookie).
这篇关于是把数据在cookie中是否安全?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
