会话密钥在Express Web框架中的重要性 [英] Importance of session secret key in Express web framework

问题描述

我很困惑于会议秘密的重要性。我正在使用Express和Node进入Web开发，目前我正在尝试实现一个简单的登录。以下代码取自Express中的会话示例。

I'm quite confused by the importance of a session secret. I'm jumping into web development with Express and Node, and at the moment, I'm trying to implement a simple login. The below code is taken from the sessions example in Express.

// Required by session() middleware
// pass the secret for signed cookies
// (required by session())
app.use(express.cookieParser('keyboard cat'));

// Populates req.session
app.use(express.session());

它使用键盘猫作为会话密钥。我关于会话秘密的许多事情都建议我把它改成一些习惯。我现在有3个具体的问题。

It uses "keyboard cat" as a session secret. Many of the things I've looked around about session secrets recommend me to change this to something custom. I now have 3 specific questions concerning this.

1. 为什么我在使用PHP时没有看到过？


2. 正在使用什么会话密钥？


3. 假设我更改会话密钥。我的代码是开源的。在这种情况下，不会改变这一点有点多余吗？我看不到要求用户选择一个自定义键。


4. 我正在考虑生成一个随机的UUID来填写密钥。有这个问题吗？ （在安全方面）

1. Why have I not seen this before when I was working with PHP?
2. What is the session secret being used for exactly?
3. Let's say I change the session key. My code is open source. Won't changing this be a bit redundant in that case? I don't see asking the user for a custom key as an option.
4. I was thinking of generating a random UUID to fill in the key. Are there problems with this? (in terms of security)

推荐答案

我认为其中的重点是错过了答案是， secret 参数是否使会话管理更加安全。在这个Security.StackExchange问​​题中很好地讨论：为什么不直接在cookie中存储会话ID？

I think that the major point is missed in the other answers, which is whether the secret parameter is making session management more secure. it is discussed nicely in this Security.StackExchange question: Why is it insecure to store the session ID in a cookie directly?

我建议阅读它（不仅最高投票答案有相关）。

I recommend reading it (not only the top voted answer there is relevant).

试图总结一下：它不会显着减少会话被猜测和劫持的机会，以防在会议ID 是大的随机数，但如果会话ID 自定义为增加ID，这在ExpressJS 中是可能的，这显然将有很大的帮助。

Trying to sum it up: it won't reduce segnificantly the chances of a session being guessed and hijacked in case that the session IDs are large random numbers, but it will obviously help greatly if the session IDs are custom like incrementing IDs, which is possible in ExpressJS.

用户可以使用他们想要的任何会话ID。也许有人觉得他们应该使用SQL数据库中的自动递增数字，这并不重要，因为我们通过签名的价值来保护他们的不知情的决定，延长密钥。

Users can use whatever session IDs they want. Perhaps someone feels like they should use an auto incrementing number from the SQL database, it doesn't matter, because we protect their uninformed decision by signing the value, elongating the key.

这篇关于会话密钥在Express Web框架中的重要性的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！