Are Cookies a Security Risk?


Question

Assume we have a website that asks the user for his name.

The website then stores this value in a cookie, and on the next page, retrieves it via PHP and uses it somehow (perhaps the page displays the name as text).

Could a user modify the cookie data to inject malicious code? Should cookie data be sanitized as it's retrieved by the script?

(This is a hypothetical scenario. Obviously a cookie wouldn't be necessary here.)

Answer


Could a user modify the cookie data to inject malicious code? Should cookies be sanitized as they're retrieved by the script?

Inject malicious code? Not PHP code, but you are right that you should sanitize cookie values before working with them.

Cookies can be easily modified, added and deleted by users and should be treated as untrusted user input. They are just as prone to XSS and SQL injection vulnerabilities as any other user input.

Further, unless you're using SSL, cookies are just as prone to sniffing as GET or POST data in a request. Malicious internet services can intercept or modify cookies. Also see Firesheep for an example of how cookies can be misused and mistrusted.
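The scenario from the question, written out as an added example (this is editorial code, not part of the original question or answer): the page reads a `name` cookie in PHP, first in the naive form that echoes it into HTML and splices it into SQL, then in a hardened form that validates, output-encodes and parameterises it, and sets the cookie with the `Secure` and `HttpOnly` flags the answer's sniffing point calls for. The cookie name `name`, the `users(name)` table and the `$pdo` connection are assumptions for illustration. A client needs no special tooling to supply a hostile value, e.g. `curl -b 'name=<script>alert(1)</script>' https://example.test/page.php`.

```php
<?php
// Added example (not from the original Q&A). Assumes a PDO connection $pdo to a
// table `users(name)` and execution under a web server; these are illustrative.
declare(strict_types=1);

// ---- Vulnerable version: treats $_COOKIE as if the server had written it ----

function greet_unsafe(): string
{
    $name = $_COOKIE['name'] ?? 'guest';
    // Reflected XSS: a cookie such as name=<script>...</script> is echoed verbatim.
    return "<p>Hello, $name</p>";
}

function find_user_unsafe(PDO $pdo): array
{
    $name = $_COOKIE['name'] ?? '';
    // SQL injection: a cookie such as name=' OR '1'='1 rewrites the WHERE clause.
    $sql = "SELECT * FROM users WHERE name = '$name'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// ---- Hardened version: the cookie is request data, handle it like a form field ----

function read_name_cookie(): string
{
    // Validate shape and length before use; anything else falls back to a default.
    $raw = (string) ($_COOKIE['name'] ?? '');
    if ($raw === '' || strlen($raw) > 64
        || !preg_match('/^[\p{L}\p{N} .\'-]+$/u', $raw)) {
        return 'guest';
    }
    return $raw;
}

function greet_safe(): string
{
    // Output-encode for the HTML context even after validation.
    $name = htmlspecialchars(read_name_cookie(), ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p>Hello, $name</p>";
}

function find_user_safe(PDO $pdo): array
{
    // Bind as a parameter so the value can never alter the query structure.
    $stmt = $pdo->prepare('SELECT * FROM users WHERE name = :name');
    $stmt->execute([':name' => read_name_cookie()]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Issue the cookie only over TLS and keep it out of reach of page scripts,
// which addresses the plaintext-sniffing (Firesheep) concern in the answer.
function set_name_cookie(string $name): void
{
    setcookie('name', $name, [
        'expires'  => time() + 3600,
        'path'     => '/',
        'secure'   => true,   // sent only on https:// requests
        'httponly' => true,   // not readable via document.cookie
        'samesite' => 'Lax',  // not attached to most cross-site requests
    ]);
}
```

The array form of `setcookie()` requires PHP 7.3 or later. Note that none of this makes the cookie trustworthy as an identity claim: the user can still set it to any name that passes validation, so anything that must not be forged belongs in a server-side session or a signed value rather than a bare cookie.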
