How to protect session against theft?
Simple test:
How to protect session (and maybe csrf token) against theft?
By doing the above, it should be impossible for an attacker to intercept the session id. It's also a good idea to use secure cookies. This will prevent the cookie being sent for non-secure resources (e.g. loading images/CSS via HTTP, which doesn't require authentication).
You can optionally try to tie a session to an IP address, but that's not a perfect solution. It fails to defend against an attacker behind the same NAT as the user, and can fail to authenticate a valid user who has multiple routes to the internet.
To clarify: You will always be able to see your own session id. The trick is making sure nobody else can see it. It's effectively a temporary password. Secure cookies are encrypted on disk by most browsers (reversible). It's encrypted again for transmission over SSL to the server.
Assuming you're talking to the right server [a different issue], the only way an attacker can get your session id is to either install malware on your machine or break SSL.
Frequent changes to the id mean an attacker will only have a short window before they must start over.
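As an added illustration (not part of the original answer, and not any framework's own code), here is a small server-side session store covering the points made above: unguessable opaque ids, rotation that invalidates the old id, optional IP binding with the NAT/multi-route caveat, and a Set-Cookie value carrying Secure and HttpOnly so the id never travels over plain HTTP. Class and function names are hypothetical.

```python
import http.cookies
import secrets
import time


class SessionStore:
    """Hypothetical in-memory session store (example code, not a real framework)."""

    def __init__(self, max_age=900, bind_ip=False):
        self.sessions = {}
        self.max_age = max_age   # seconds a session id stays valid
        self.bind_ip = bind_ip   # optional, imperfect: see caveat in lookup()

    def create(self, user, client_ip):
        # 256 bits of CSPRNG output: the id is a temporary password, so it must be unguessable
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": user, "ip": client_ip, "issued": time.time()}
        return sid

    def rotate(self, old_sid, client_ip):
        # Issue a fresh id and discard the old one (do this at login and on privilege change)
        # so a previously captured id only gives the attacker a short window.
        data = self.sessions.pop(old_sid, None)
        if data is None:
            return None
        return self.create(data["user"], client_ip)

    def lookup(self, sid, client_ip):
        data = self.sessions.get(sid)
        if data is None:
            return None
        if time.time() - data["issued"] > self.max_age:
            self.sessions.pop(sid, None)          # expired: force a new login
            return None
        if self.bind_ip and data["ip"] != client_ip:
            # Caveat from the answer: an attacker behind the same NAT still passes this check,
            # while a legitimate user whose route to the internet changes is locked out.
            return None
        return data["user"]


def session_cookie_header(sid, max_age=900):
    """Set-Cookie value: Secure keeps the id off plain-HTTP requests, HttpOnly keeps it from scripts."""
    c = http.cookies.SimpleCookie()
    c["sid"] = sid
    c["sid"]["secure"] = True
    c["sid"]["httponly"] = True
    c["sid"]["samesite"] = "Strict"
    c["sid"]["max-age"] = max_age
    c["sid"]["path"] = "/"
    return c.output(header="").strip()
```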