donglu4159 2014-06-28 17:28
Views: 18
Accepted

Session and Cookie Security

So the sessions are getting stored server-side, which means the client can't edit them. On the client side the cookie gets stored and saves an id to find the right session.

Now my question is: can a random user edit his own cookie, and then enter, e.g., an admin's session?


3 answers

  • duanaidang6197 2014-06-28 17:51

    In most scenarios, the data in the session is itself secure against user tampering as it is only manipulated on the server (this assumes the server itself is secure). So there is no reason to treat the data stored in the session as "dirty" as far as needing to cleanse/validate it.

    The session itself is not inherently secure, whether it is being propagated via cookies or via a URL parameter. It can be impersonated via a session hijacking attack. There are a number of common techniques to protect against this, including:

    • using only secure cookies transmitted over SSL
    • using sufficiently long session IDs (most default implementations in modern languages do this by default). This makes it harder to "guess" a valid session id value and minimizes collision of session IDs.
    • regenerating session IDs after application login
    • checking against secondary data (IP address, browser user agent, etc.) to see if there are changes during a session which may indicate a hijacking attempt. It is probably best to use a combination of factors here (like a change in both IP address and user agent, since with mobile devices IP addresses can and do change).
    • active session id rotation (i.e. rotate the session id on each page load)
    Accepted as best answer by the asker.
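The five techniques listed in the accepted answer, and the asker's scenario of a user editing their own cookie, as an added worked example that is not part of the original thread. It is a minimal in-memory session store in Python; the class and function names, the IP addresses and the user-agent strings are all constructed for the illustration, and the store would be a database or cache in a real application.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

SESSION_ID_BYTES = 32  # 256 bits of entropy: a valid id cannot be guessed


def _h(value: str) -> str:
    """Hash a client attribute so the store never keeps raw IPs/user agents."""
    return hashlib.sha256(value.encode()).hexdigest()


@dataclass
class Session:
    user: Optional[str] = None
    role: str = "anonymous"
    ip_hash: str = ""
    ua_hash: str = ""
    data: Dict[str, str] = field(default_factory=dict)


class SessionStore:
    """Server-side store (constructed example). The browser only ever holds the
    opaque id, so editing the cookie can at best yield an id absent from this dict."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def create(self, ip: str, ua: str) -> str:
        sid = secrets.token_urlsafe(SESSION_ID_BYTES)
        self._sessions[sid] = Session(ip_hash=_h(ip), ua_hash=_h(ua))
        return sid

    def lookup(self, sid: str, ip: str, ua: str) -> Optional[Session]:
        """Resolve a cookie value. Unknown ids get nothing. A session whose IP
        *and* user agent both changed is treated as hijacked and destroyed;
        a change in only one of them (a phone switching networks) is tolerated."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        ip_changed = not hmac.compare_digest(sess.ip_hash, _h(ip))
        ua_changed = not hmac.compare_digest(sess.ua_hash, _h(ua))
        if ip_changed and ua_changed:
            del self._sessions[sid]
            return None
        return sess

    def regenerate(self, sid: str) -> str:
        """Move the session to a fresh id; the old id stops resolving at once.
        Call it after login (against fixation) and per request for rotation."""
        sess = self._sessions.pop(sid)
        new_sid = secrets.token_urlsafe(SESSION_ID_BYTES)
        self._sessions[new_sid] = sess
        return new_sid

    def login(self, sid: str, ip: str, ua: str, user: str, role: str) -> str:
        sess = self.lookup(sid, ip, ua)
        if sess is None:
            raise PermissionError("no valid session")
        sess.user, sess.role = user, role
        return self.regenerate(sid)


def set_cookie_header(sid: str) -> str:
    """Secure: sent over TLS only. HttpOnly: unreadable by page scripts.
    SameSite=Lax: not attached to cross-site POST requests."""
    return f"Set-Cookie: sid={sid}; Secure; HttpOnly; SameSite=Lax; Path=/"


def scenario() -> dict:
    """Constructed walk-through: an admin logs in, then a second client tries
    to reach that session by editing its own cookie. Returns what each step saw."""
    store = SessionStore()
    admin_ip, admin_ua = "203.0.113.5", "Mozilla/5.0 (X11; Linux x86_64)"
    sid0 = store.create(admin_ip, admin_ua)
    sid1 = store.login(sid0, admin_ip, admin_ua, "alice", "admin")
    admin_before = store.lookup(sid1, admin_ip, admin_ua)

    attacker_ip, attacker_ua = "198.51.100.9", "curl/8.0"
    own_sid = store.create(attacker_ip, attacker_ua)
    forged = "0" * len(own_sid)  # the attacker edits the cookie to a guess
    results = {
        "admin_role_before": admin_before.role if admin_before else None,
        "guessed_id_resolves": store.lookup(forged, attacker_ip, attacker_ua) is not None,
        # the pre-login id was invalidated by regeneration on login
        "pre_login_id_resolves": store.lookup(sid0, attacker_ip, attacker_ua) is not None,
        # IP change alone (mobile client) keeps the attacker's own session alive
        "own_session_after_ip_change": store.lookup(own_sid, "198.51.100.10", attacker_ua) is not None,
        # even the real id, e.g. sniffed off plain HTTP, fails from a client
        # whose IP and user agent both differ, and that session is destroyed
        "stolen_id_resolves": store.lookup(sid1, attacker_ip, attacker_ua) is not None,
    }
    results["admin_session_survives"] = store.lookup(sid1, admin_ip, admin_ua) is not None
    return results
```

The answer to the question falls out of `lookup`: a cookie edited to anything other than a currently valid, freshly generated 256-bit id resolves to nothing, so the only way into the admin's session is to obtain that id, which is what the cookie flags, regeneration and the secondary checks are there to prevent or detect.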
