
Most web applications use cookies to manage a user's session, so that you stay logged in even after the browser is closed.

Suppose we do everything by the book to make the cookie itself secure:

  • encrypt the contents
  • set HttpOnly
  • set Secure
  • use SSL for the connection
  • we check whether the cookie's contents have been tampered with

Is it possible to prevent someone with physical access to the machine from copying the cookie and reusing it on another machine, thereby stealing the session?

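The measures listed in the question, as an added example that is not part of the original post: a session cookie whose contents are integrity-protected with an HMAC (the "check for tampering" item) and emitted with the HttpOnly and Secure attributes. Content encryption is left out; the cookie is signed, not sealed. The key, cookie name and session fields are assumptions chosen for the illustration, and it uses only the Python standard library.

```python
import base64
import binascii
import hashlib
import hmac
import json
from http.cookies import SimpleCookie

# Hypothetical server-side key for this example; a real deployment loads it
# from a secret store and rotates it.
SECRET_KEY = b"example-only-key-not-for-production"
COOKIE_NAME = "session"


def _b64encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_session(session: dict, key: bytes = SECRET_KEY) -> str:
    """Serialise the session and append an HMAC-SHA256 tag over the payload."""
    payload = json.dumps(session, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64encode(payload)}.{_b64encode(tag)}"


def verify_session(cookie_value: str, key: bytes = SECRET_KEY):
    """Return the session dict if the tag verifies, otherwise None.

    Any change to the payload, or a tag made with a different key, fails
    here; this is the tamper check from the question's list.
    """
    try:
        payload_b64, tag_b64 = cookie_value.split(".", 1)
        payload = _b64decode(payload_b64)
        tag = _b64decode(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Constant-time comparison so the check cannot be timed byte by byte.
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(payload)


def set_cookie_header(session: dict) -> str:
    """Build the Set-Cookie line with HttpOnly, Secure and SameSite set."""
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = sign_session(session)
    morsel = cookie[COOKIE_NAME]
    morsel["httponly"] = True   # page scripts cannot read it via document.cookie
    morsel["secure"] = True     # the browser only sends it over HTTPS
    morsel["samesite"] = "Lax"  # not attached to cross-site POSTs
    morsel["path"] = "/"
    return cookie.output(header="Set-Cookie:")
```

Note what this does and does not buy: a forged or edited cookie is rejected, and scripts or plaintext network paths cannot read it, but a verbatim copy of the signed value is still accepted from any client, which is exactly the situation the question asks about.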

2 Answers


It doesn't make sense to "protect" against this. If this kind of copying happens, then either:

  • The end user did it on purpose because they wanted to change computers. This is, of course, not something you should care about or be concerned about.
  • An attacker has already compromised the user's browser and gotten access to the cookies stored inside. By definition this cookie is a secret that proves the identity of the HTTP client. If the attacker already has access to it, they can already use it in any number of ways of their choosing that you won't be able to prevent or distinguish from the real user accessing the server legitimately.
answered 2013-06-10T18:10:35.597

This risk is inherent in using cookies to authenticate a session: the cookie is a bearer token, and anyone who can present it is authenticated.

That is why you see further protections such as:

  • automatic logout after a fixed time or after a period of inactivity;
  • device fingerprinting;
  • requiring re-authentication for critical actions (for example making a bank transfer or changing a password).
answered 2013-06-11T20:48:07.197
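The three protections the answer above lists, as an added example that is not the answerer's code: a server-side session table that enforces an idle timeout and an absolute timeout, binds each session to a coarse device fingerprint, and requires a recent re-authentication before a critical action. The timeout values, the two-header fingerprint and the injectable clock are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Policy values are assumptions for this example, not from the answer.
IDLE_TIMEOUT = 15 * 60        # seconds without a request before logout
ABSOLUTE_TIMEOUT = 8 * 3600   # seconds after login before logout, regardless of activity
REAUTH_WINDOW = 5 * 60        # a critical action needs a password entered this recently


def client_fingerprint(user_agent: str, accept_language: str) -> str:
    """Coarse device fingerprint from two request headers (constructed here;
    real fingerprinting uses more signals and remains a heuristic)."""
    return hashlib.sha256(f"{user_agent}\n{accept_language}".encode()).hexdigest()


@dataclass
class Session:
    user_id: int
    fingerprint: str
    created_at: float
    last_seen: float
    last_reauth: float


class SessionStore:
    """In-memory server-side session table; `clock` is injectable for testing."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}

    def login(self, user_id: int, fingerprint: str) -> str:
        now = self._clock()
        session_id = secrets.token_urlsafe(32)   # unguessable bearer token
        self._sessions[session_id] = Session(user_id, fingerprint, now, now, now)
        return session_id

    def validate(self, session_id: str, fingerprint: str):
        """Return the Session if it is still valid for this client, else None.

        Enforces the idle and absolute timeouts and the fingerprint binding;
        a failed check destroys the session so the token cannot be retried.
        """
        s = self._sessions.get(session_id)
        if s is None:
            return None
        now = self._clock()
        expired = (now - s.created_at > ABSOLUTE_TIMEOUT
                   or now - s.last_seen > IDLE_TIMEOUT)
        if expired or not hmac.compare_digest(s.fingerprint, fingerprint):
            del self._sessions[session_id]
            return None
        s.last_seen = now
        return s

    def reauthenticate(self, session_id: str, password_ok: bool) -> bool:
        """Record a fresh password check (the caller verifies the password)."""
        s = self._sessions.get(session_id)
        if s is None or not password_ok:
            return False
        s.last_reauth = self._clock()
        return True

    def authorize_sensitive(self, session_id: str, fingerprint: str) -> bool:
        """A critical action (transfer, password change) needs a valid session
        AND a re-authentication inside REAUTH_WINDOW."""
        s = self.validate(session_id, fingerprint)
        return s is not None and self._clock() - s.last_reauth <= REAUTH_WINDOW
```

The fingerprint check is deliberately a coarse one: a copied cookie replayed from a machine with the same browser and locale passes it, so it narrows the window for a stolen session rather than closing it, and the timeouts and step-up re-authentication are what limit the damage.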