网站如何安全地支持http(非SSLed)会话? [英] How do sites support http (non-SSLed) sessions securely?
问题描述
我注意到,某些网站(例如gmail)允许用户通过https进行身份验证,然后使用非安全Cookie将其转换为http以供网站主要使用。
I note that some sites (such as gmail) allow the user to authenticate over https and then switch to http with non-secure cookies for the main use of the site.
如何让http访问会话,但仍然安全?或者是不安全,因此这是为什么gmail给出了使用https保护整个会话的选项?
How is it possible to have http access to a session but this still be secure? Or is it not secure and hence this is why gmail gives the option to have the entire session secured using https?
请举例说明这是如何工作的,避免会话劫持攻击,同时仍然允许通过http访问验证的内容。我想要能够实现这样的方案,如果它是安全的,以避免整个网站作为https的性能原因。
Please give an example of how this works and avoids session hijacking attacks, whilst still allowing access to authenticated content over http. I want to be able to implement such a scheme if it's secure, to avoid having to have a whole site as https for performance reasons.
推荐答案
正如Thilo所说,但我会进一步解释:)
As Thilo said, but I'll explain a little further :)
网络服务器是无状态的!这真的是认证的问题。您不能只是登录,然后说从现在开始,此用户已登录 - 您需要一些方法来确定哪个用户是这次请求一个新的网站。
A webserver is stateless! This is really the problem of the authentication-case. You can't just log in, and then say "from now in, this user is logged in" - you need some way to identify which user it is that's requesting a new site this time.
这样做的一种常见方法是实现会话。如果您在登录时打包网络流量,然后浏览网站,则通常会注意到以下情况:
A common way of doing this is by implementing sessions. If you packet-sniff your network traffic while logging into, and then browsing a site you'll commonly notice something like this:
登录:您将传输您的用户名和密码到服务器。完全未加密! (SSL / HTTPS将加密此请求,以避免中间人攻击)
Logging in: You will transmit your username and password to the server. Completely unencrypted! (SSL / HTTPS will encrypt this request for you to avoid man-in-the-middle attacks)
响应:您将收到一个随机生成的很多奇怪的字符串字符。这些通常存储在cookie中。
Response: You will receive a randomly generated string of a lot of weird characters. These will typically be stored in a cookie.
某些网站的请求只有您应该可以访问:您将发送随机生成的字符串到服务器。服务器将查找此字符串,并看到它与您的会话相关联。这允许服务器识别您,并授予您访问您的网站的权限。
Request of some site only you should have access to: You will transmit the randomly generated string to the server. The server will look this string up, and see that it's associated with your session. This allows the server to identify you, and grant you access to your sites.
..现在,HTTP本身不安全。这意味着您的密码和会话cookie(随机生成的字符串)将完全未加密传输。如果有人访问您的流量(通过木马,路由器劫持,任何),他将能够看到您的用户名/密码,当您登录,如果您不使用HTTPS。这将授予他访问您的网站,直到您更改密码(除非他先更改它:P)。在其余请求中,他将能够获取您的会话Cookie,这意味着他可以在该Cookie生命周期的其余部分窃取您的身份(直到您注销,或者会话在服务器上到期)。
.. Now, HTTP in itself is not secure. This means that your password and your session-cookie (the randomly generated string) will be transmitted completely un-encrypted. If someone has access to your traffic (through trojans, router hijacking, whatever), he will be able to see your username / password when you log in, if you're not using HTTPS. This will grant him access to your site untill you change your password (unless he changes it first :P ). In the rest of the requests he will be able to get your session cookie, which means he could steal your identity for the rest of that cookie lifecycle ('till you log out, or the session expires on the server).
如果你想要安全,使用HTTPS。实际上,将键盘记录器社交到计算机中比阅读所有流量容易得多)。
If you want to feel secure, use HTTPS. Realistically though, it's a lot easier to social engineer a keylogger into your computer than it is to read all your traffic :)
(或者像其他人指出的那样,使用cross站点脚本来读取会话cookie)
(Or as others have pointed out, use cross-site-scripting to read your session cookie)
这篇关于网站如何安全地支持http(非SSLed)会话?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
