Rails 4 Encrypted Cookie Replay Attack
Question
I upgraded to Rails 4 recently and switched to encrypted cookies as session storage. Unfortunately this seems to mean that replay attacks are possible, i.e. if a user logs out, any cookies are not invalidated and can be used to authenticate without user/pass. As far as I can tell this is a flaw in how encrypted cookies work (if I'm wrong please enlighten me!), so my question is: is there an accepted solution to preventing replay attacks using encrypted cookies?
Recommended answer
After some research and some tinkering, I have come up with the following solution.
- When the user logs in, create a random secret (random in the sense that subsequent secrets should have a low probability of matching)
- Store that secret in the session, i.e. in the cookie, as well as server side; I'm using the Dalli gem to provide memcached functionality
- On a request for a page that requires authentication, read the secret from the cookie and make sure it exists server side
- On logout, delete the secret from the cache, so any subsequent requests using the same cookie will be invalidated
As long as the cookies cannot be tampered with, this should be secure. Any thoughts/comments are welcome.
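The four steps above, worked through end to end as an added example (this is not the answerer's code or a Rails/Dalli API). To keep it runnable offline, a plain Hash stands in for the memcached store the answer keeps with Dalli, and a small AES-256-GCM wrapper stands in for the Rails encrypted cookie jar (Rails 4 used AES-256-CBC plus an HMAC; any authenticated encryption gives the tamper-proof property the answer relies on). The class and method names (`SessionManager`, `login`, `current_user`, `logout`, `cookie_only_user`) are hypothetical. The demo shows the replay the question describes (a cookie captured before logout still decrypts after logout) next to the server-side check that defeats it, and that a tampered cookie is rejected outright.

```ruby
require "openssl"
require "securerandom"
require "json"
require "base64"

# Stand-in for the encrypted cookie jar: AES-256-GCM, so the cookie is both
# confidential and tamper-evident. Rails 4 used AES-256-CBC plus an HMAC for the
# same purpose; GCM is used here only to keep the example short.
module EncryptedCookie
  def self.seal(key, payload)
    cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
    cipher.key = key
    iv = cipher.random_iv                     # 12 random bytes per cookie
    cipher.auth_data = ""
    ciphertext = cipher.update(JSON.generate(payload)) + cipher.final
    Base64.strict_encode64(iv + cipher.auth_tag + ciphertext)
  end

  # Returns the decoded session Hash, or nil for anything that does not
  # authenticate (bit flips, truncation, wrong key, non-base64 garbage).
  def self.open(key, blob)
    raw = Base64.strict_decode64(blob)
    iv, tag, ciphertext = raw[0, 12], raw[12, 16], raw[28..-1]
    cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
    cipher.key = key
    cipher.iv = iv
    cipher.auth_tag = tag
    cipher.auth_data = ""
    JSON.parse(cipher.update(ciphertext) + cipher.final)
  rescue OpenSSL::Cipher::CipherError, ArgumentError, TypeError, JSON::ParserError
    nil
  end
end

# Server-side record of live sessions. A Hash stands in for memcached (the
# answer uses the Dalli gem); only set / get / delete are needed.
class SessionManager
  def initialize(key, cache = {})
    @key = key
    @cache = cache
  end

  # Step 1 and 2: mint a random per-session secret, remember it server side,
  # and put it in the encrypted cookie next to the user id.
  def login(user_id)
    secret = SecureRandom.hex(32)
    @cache[secret] = user_id
    EncryptedCookie.seal(@key, "user_id" => user_id, "secret" => secret)
  end

  # The check the question complains about: only verifies that the cookie
  # decrypts, so a copy captured before logout keeps working forever.
  def cookie_only_user(cookie)
    session = EncryptedCookie.open(@key, cookie)
    session && session["user_id"]
  end

  # Step 3: the secret in the cookie must still exist server side and must
  # still belong to the user id the cookie claims.
  def current_user(cookie)
    session = EncryptedCookie.open(@key, cookie)
    return nil unless session
    @cache[session["secret"]] == session["user_id"] ? session["user_id"] : nil
  end

  # Step 4: drop the secret, which invalidates every copy of that cookie.
  def logout(cookie)
    session = EncryptedCookie.open(@key, cookie)
    @cache.delete(session["secret"]) if session
  end
end

# Replay the same cookie before and after logout, then try a tampered copy.
def replay_demo
  key = OpenSSL::Random.random_bytes(32)  # stands in for the secret_key_base-derived key
  app = SessionManager.new(key)
  cookie = app.login(42)                  # constructed sample user id
  before = [app.cookie_only_user(cookie), app.current_user(cookie)]
  app.logout(cookie)
  after = [app.cookie_only_user(cookie), app.current_user(cookie)]
  tampered = cookie.dup
  tampered[5] = tampered[5] == "A" ? "B" : "A"  # flip one base64 character inside the IV
  { before: before, after: after, tampered: app.current_user(tampered) }
end

p replay_demo if $PROGRAM_NAME == __FILE__
```

The interesting line of the output is `after`: the cookie-only check still returns the user after logout (that is the replay), while the server-side check returns nil because the secret is gone from the cache. The `tampered` result shows why the answer's "as long as the cookies cannot be tampered with" caveat holds here: the authentication tag fails and the cookie is treated as no session at all, so an attacker cannot swap a different secret or user id into a captured cookie.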