6

我对网站开发相当陌生。我正在一个用户使用用户名/密码登录的网站上工作,并从服务器获取 sessionID 作为响应。这个 sessionID 会随每个请求发送回服务器(并返回一个新的)。

如果用户在多个选项卡或窗口中打开它,我希望该站点能够正常工作。即,一旦在一个选项卡上登录,在另一个选项卡中打开一个仅限会员的 URL 就可以在没有登录的情况下工作。(并且,在一个选项卡中注销会从所有选项卡中注销。)如果不将最新的 sessionID 存储在曲奇饼。这样,最新的 sessionID 可以在所有选项卡之间“共享”。

但是,我开始阅读 cookie 和一些安全威胁。我不知道每个请求都会发送 cookie。我永远不需要将我的 cookie 发送到服务器。sessionID 被添加到 xhr 请求的标头中——不作为 cookie 读取。所以我想知道是否有办法禁用发送这个cookie。我这样做的唯一目的是允许同一个浏览器中的多个选项卡/窗口共享同一个会话。

我正在阅读cookies 的路径参数。显然这可以用来限制cookie何时发送到服务器?如果我将路径设置为永远不会使用的东西怎么办?这会阻止 cookie 自动发送出去吗?我只想从 JavaScript 访问它。

一位同事在这个应用程序的服务器端设置了很多保护措施,这里我就不赘述了。所以这个问题是关于我可以并且应该采取哪些客户端预防措施,特别是对于 cookie,以获得最佳安全性。如果有更好的方法让仅限会员的网站在同时打开多个选项卡的情况下正常工作,我会全力以赴。

4

3 回答 3

7

I discovered just now that in HTML 5 there is local storage, which stores key/value pairs much like a cookie, but is not sent with every server request. Since it's supported in every browser except IE 7 and earlier, I'll be switching to this to enable sharing data between tabs when available, and use cookies instead on IE 7 and earlier.

于 2013-08-09T22:45:17.283 回答
1

sessionID 已经存储在 cookie 中,无需管理它。因为 HTTP 协议是无状态的,所以保持状态的唯一方法是通过 cookie。当您设置会话值时会发生什么,服务器将查找与该 cookie id(会话 ID)关联的项目的字典。

无状态的意思是在请求之间,HTTP 不知道您是否还活着或关闭了浏览器。因此,对于每个请求,浏览器都会将所有 cookie 值附加到域上的请求中。当他们访问您的站点时,SessionId 会自动存储在 cookie 中。服务器然后使用该值来查找您在用户会话中设置的任何内容。

根据您使用的编程语言和/或服务器,会话的处理方式可能有所不同,但这通常是从程序员那里抽象出来的。

Now with respect to sessions, there are a number of different things that make them insecure. For example if an attacker were able to get their hands on your session cookie value they could replay that cookie and take over your session. So sessions aren't a terribly secure way of storing user information. Instead what most people do is create an encrypted cookie value with the users details, the cookie could be a "session cookie" meaning as soon as the user closes their browser window the cookie is thrown away from the browser. The encrypted cookie contains user information and role information as well as some identifier (usually the clients ip address) to verify that the user who is submitting the request is the same user the cookie was issued to. In most programming languages there are tools that help in abstracting that away as well (such as the ASP.NET membership provider model).

Check out some details on the HTTP protocol and HTTP cookies on Wikipedia first

and check out the membership provider model on ASP.NET, it's a really good tool for helping to secure your site.

http://msdn.microsoft.com/en-us/library/sx3h274z(v=vs.100).aspx

于 2013-08-08T22:36:44.240 回答
1

Preventing the browser sending cookies seems to defeat the object of using cookies in the first place.

If you don't want the sessionID to be sent with each request, why set the cookie? A better solution would be to use a custom response header that you send from the server to the browser - this will then be under your control and will not be sent automatically with all browser requests. You are using request headers to send your sessionID anyway so you could receive them from the server using a custom header and read this into your JavaScript from each XHR.

于 2013-08-09T09:17:11.607 回答