Which of those can be manipulated on client side

Question

A friend of mine had a job interview and was asked a few multiple-choice questions. One of the questions was

Which of those can be manipulated on client side: cookie data, session data, remote ip, user agent

I'd say that session is the only one you cannot manipulate (I mean, you can hijack it etc. but you cannot change its data as the question suggests)

What do you think?

Solution

Cookie data and user agent can obviously be manipulated at will.

Just like you said session data itself can't be manipulated, you can only hijack sessions, steal the cookies used to associate a user with a session,...

Remote IP is a difficult call. Since HTTP is based on TCP you can't fake arbitrary remote IPs. You can hide your real IP using proxies. But to fake another IP you need to be able to receive packets addressed to that IP. And you usually can do that only if you're part of the route to that IP. Related old question: Application Security Concerns: How easy is it to fake an IP-Address?
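As an added example, not part of the original question or answer: a small Python model of how a server actually sees those four attributes. It goes one step beyond the answer by also showing the X-Forwarded-For header, which is where applications behind a reverse proxy usually read the "remote IP" from, and which is just another client-controlled string unless the TCP peer is a proxy the application trusts. The names Request, SESSIONS, handle, client_ip and demo, and all addresses, cookies and session contents, are constructed for this illustration.

```python
# Added example (not from the original answer): which request attributes the client
# controls. Names and inputs are constructed; this is not a real framework's API.
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """What a server sees for one HTTP request (constructed model)."""
    peer_ip: str                                  # from the TCP socket, not from the client's bytes
    headers: dict = field(default_factory=dict)   # every byte in here is client-supplied


# Session data lives server-side; the cookie carries only an opaque identifier.
SESSIONS: dict = {}


def create_session(user: str, role: str = "user") -> str:
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "role": role}
    return sid


def parse_cookies(header: str) -> dict:
    """Split 'a=1; b=2' into a dict, tolerating junk: the client can send anything here."""
    out = {}
    for part in header.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            out[key.strip()] = value.strip()
    return out


def client_ip(req: Request, trusted_proxies: frozenset = frozenset()) -> str:
    """Honour X-Forwarded-For only when the TCP peer is a proxy we trust.
    Otherwise the header is just another client-controlled string."""
    xff = req.headers.get("X-Forwarded-For")
    if xff and req.peer_ip in trusted_proxies:
        return xff.split(",")[-1].strip()   # the address the trusted proxy appended
    return req.peer_ip


def handle(req: Request, trusted_proxies: frozenset = frozenset()) -> dict:
    cookies = parse_cookies(req.headers.get("Cookie", ""))
    return {
        "user_agent": req.headers.get("User-Agent"),      # client-controlled, a hint at best
        "cookie_role": cookies.get("role"),               # client-controlled, never authoritative
        "session": SESSIONS.get(cookies.get("sid", "")),  # server-side data; the cookie only selects it
        "client_ip": client_ip(req, trusted_proxies),
    }


def demo() -> dict:
    SESSIONS.clear()
    alice_sid = create_session("alice")   # alice logs in; assume her sid is later stolen
    # Constructed attacker request: forged User-Agent, a made-up role cookie,
    # alice's stolen session id, and a forged X-Forwarded-For.
    attacker = Request(
        peer_ip="203.0.113.5",
        headers={
            "User-Agent": "Googlebot/2.1",
            "Cookie": f"sid={alice_sid}; role=admin",
            "X-Forwarded-For": "127.0.0.1",
        },
    )
    return {
        # Server facing the internet directly: XFF is ignored, the socket address wins.
        "direct": handle(attacker),
        # Misconfiguration: the attacker's own address is listed as a trusted proxy,
        # so the forged header becomes the "remote IP" the application acts on.
        "misconfigured_proxy_trust": handle(attacker, frozenset({"203.0.113.5"})),
    }


if __name__ == "__main__":
    for scenario, seen in demo().items():
        print(scenario, seen)
```

What to read off the output: in the direct case the attacker does get alice's session (that is the hijack the answer describes), but its role stays "user" because the data lives in SESSIONS, not in the cookie; the "role=admin" cookie and the User-Agent arrive as strings the server can read but must not act on; and the IP the server sees is the socket peer, not the header. Only when the application wrongly trusts the attacker's own peer address as a proxy does the header value become the remote IP, which is the practical caveat to the "remote IP is hard to fake" answer.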
