如何加密网站Cookie [英] How to encrypt a website cookie

问题描述

我已阅读了有关用户能够操纵网站cookie并使用它来利用安全漏洞的信息。我做了一个搜索，并在网上发现了一个想法。这里是下面的代码，在用户的用户名和密码验证后;

I have read about users being able to manipulate website cookie and use it to exploits security loopholes. I did a search and came across an idea posted online. Here is the code below that is, after the username and password of the user are authenticated;

$Separator = '--';
$uniqueID = 'jhlhgjh12u0@345';
$Data = $userID.' '.md5('65748');

$expire=time()+60*24;
setcookie('verify-user', $Data.$Separator.md5($Data.$uniqueID), $expire);

上述代码将使用uniqueID，userID，MD5哈希值和分隔符。 uniqueID，md5哈希值和分隔符由开发人员设置。这个想法是，用户将无法操作cookie，因为不知道UniqueID和md5哈希值。

The code above will set the cookie using a uniqueID, the userID, a MD5 hash numbers and a separator. The uniqueID, md5 hash numbers and separator are set by the developer. The idea is that a user won't be able to manipulate the cookie because the don't know the UniqueID, and the md5 hash numbers. The code below is used to test each cookie if they are manipulated or not

if ($_COOKIE) {

$Separator="--";
$uniqueID = 'jhlhgjh12u0@345';

$Cut = explode($Separator, $_COOKIE['verify-user']);
if (md5($Cut[0].$uniqueID) === $Cut[1]) {
   $_COOKIE['verify-user'] = $Cut[0];

 } else {

   echo "fake cookie";

}
}
else {
   echo "fake cookie";
}

我想知道这种方法是安全性还是漏洞。欢迎批评和更正

I am wondering if this method is security tight or if there are loopholes too. criticism and corrections are welcomed

推荐答案

这称为消息签名。您将消息与秘密一起散列，并将签名附加到消息本身。这允许接收者验证消息的创建者/签名者是否拥有该秘密，而不揭示秘密本身。

This is known as message signing. You hash the message together with a secret and attach that "signature" to the message itself. This allows the recipient to verify that the creator/signer of the message is in possession of the secret, without revealing the secret itself.

您的特定实现的问题是，

The problem with your particular implementation is that

• 秘密过小


• 散列算法不适用于任务


• Cookie永远不会更改，永不过期;如果Cookie被盗，则没有追索权。

您应该使用更长的秘密，越长越好。您还应该使用适合该任务的散列算法，即类似于HMAC（基于散列的消息认证）。例如：

You should use a longer secret, the longer the better. You should also use a hashing algorithm that is suited for the task, namely something like HMAC (hash-based message authentication). E.g.:

hash_hmac('sha512', $data, $secret)

您可以看到类似事件的实现，包括值到期，此处。

You can see an implementation of a similar thing, including expiration of values, here.

事情虽然：三次认为签名的纯文本消息是否是最好的方式去这里的第一位。也许你想要一个会话式的系统，其中一个完全无意义的随机字符串被用作存储在服务器上的数据的id。这完全消除了用户操纵Cookie的问题。

The most important thing though: think thrice about whether a signed plain text message is the best way to go here in the first place. Perhaps you want a session-like system, in which an entirely meaningless random string is used as an id for data that is stored on the server. This completely eliminates the problem of users manipulating the cookie.

这篇关于如何加密网站Cookie的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！