Cookies instead of sessions?

What I've read and know about sessions is that they aren't really reliable with all that session id hijacking and stuff. So I decided I won't use sessions in my project, I'd rather just go with ordinary cookies and hope for the best.

So basically what I have set up is kind of like a session but hopefully will be harder to crack. Unfortunately I seem to be unable to build it hard-to-crack. So basically I guess this is more of a security question rather than the choice between cookies or sessions, but I cannot seem to find this in any straight text.

What am I supposed to hash in the session cookie and how? I've read that hashing algorithms can collide and it's just a matter of seconds before an attacker can create a string that would collide, with what is actually in the cookie, when hashed even though it may not be the same. I guess what I'm trying to ask is what is the proper way of saving this information in a cookie and actually what information should I store there?

I know that basically with httpOnly no attacker should be able to grab a hold of a cookie, but I suppose that this project may and probably won't use SSL, so there's the old tapping method available. I know that I'm trying to build a skyscraper with sticks and stones here, but asking is still worth a shot.


The problem with eschewing sessions entirely is that some values should not be user settable. For example, if you had a session variable is_logged_in, which is set only when the user successfully authenticates, then it'll be tricky to implement this with a cookie securely. The problem there is that the user can set their own cookie (since it comes from the client side) and log themselves in without a password.

Now, you could use this approach by storing the user's credentials in cookies and authenticating for every request, but that too suffers from a number of problems. Firstly, it is a good idea to limit how often you send credentials to the server in plaintext; if you use sessions, then you send them only once. Secondly, this approach means that passwords are stored on the local computer unencrypted (stored passwords for websites are usually encrypted with a master password**). So, this approach arguably worsens the user's overall security.

You could mitigate these problems by logging on, and have your login system set encrypted cookies (using symmetric encryption). These would be decrypted and authenticated for every request, and would be safe to transmit for every request, and would be safer to store on local computer cookies. However, here you are adding quite a bit of complexity.

Thus, I'd be inclined to advise that you persist with using sessions, but do the necessary reading around any security issues that arise.


** Recently it was found that Chrome stores saved passwords in plaintext, with no option to encrypt them with a master password (see here). This started a debate online about whether some security features are just "theatre" (i.e. only look secure without actually adding tangible extra security).
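As an added example (not code from the question or either answer), here is the "authenticate the cookie on every request" idea from the answer above in Python, using an HMAC tag instead of the symmetric encryption the answer mentions: the server detects any client-side edit to a claim such as is_logged_in, although the contents stay readable, so confidentiality would need authenticated encryption from a library on top. The secret key, the claims and the tamper helper are constructed for the demo.

```python
import base64, hashlib, hmac, json, time

# Constructed server-side secret for this example; in practice load it from
# configuration and never send it to the client.
SECRET_KEY = b"example-server-secret-do-not-reuse"

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_cookie(claims: dict, ttl: int = 3600, now=None) -> str:
    """Serialize the claims plus an expiry, then append an HMAC-SHA256 tag."""
    now = time.time() if now is None else now
    body = dict(claims, exp=int(now) + ttl)
    payload = _b64(json.dumps(body, sort_keys=True).encode())
    tag = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(tag)}"

def read_cookie(cookie: str, now=None):
    """Return the claims if the tag and expiry check out, otherwise None."""
    now = time.time() if now is None else now
    try:
        payload, tag = cookie.split(".", 1)
        expected = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).digest()
        # Constant-time comparison so response timing does not leak the tag.
        if not hmac.compare_digest(expected, _unb64(tag)):
            return None
        body = json.loads(_unb64(payload))
    except (ValueError, TypeError):
        return None
    if body.get("exp", 0) < now:
        return None
    return body

def tamper(cookie: str, claims: dict) -> str:
    """What a client can do: rewrite the payload without knowing the key,
    so the old tag is kept and the server's check fails."""
    _, tag = cookie.split(".", 1)
    return f"{_b64(json.dumps(claims, sort_keys=True).encode())}.{tag}"
```

The same layout works for a login cookie in any server language; the point is that only the holder of SECRET_KEY can produce a tag that read_cookie accepts.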


Actually, you want to replace cookies (from sessions) with cookies. Doesn't make sense!
