I don't understand why we have to secure the cookies and session. I have a cookie that stores userid, username and encrypted password.
I have a function that checks at any moment whether the cookie information matches the database information; if not, it redirects to the login page. However, I don't understand the risk if someone can view this information, and what he can do with it.
Can anyone explain to me what the risk is?
It's hard to quantify in exact terms. First, remember that cookies are transferred between the client and the server in every single request. That's potentially many opportunities for someone to intercept them. Just assume that cookies will be intercepted at some point by somebody.
Storing the username, userid and (encrypted) password in the cookie:
- leaks information which may or may not be useful or usable for nefarious purposes; i.e. for a successful login you need a username and a password, and you are waving both high up in the air shouting CAPTURE ME, the username even in plaintext
- relies solely on the secrecy of your encryption algorithm for the password; if it becomes known, you have quite a security problem
- since the encrypted password is known, an offline brute force attack can be mounted against it to reveal the encryption algorithm and plaintext password; this attack may or may not be purely theoretical, but the fact that it exists at all should bother you
- if it is possible at all to decrypt the password, you have already lost; the password is a secret only the user alone should know, not even you want to know at any point what the password is; if you do know the password, you have a giant responsibility to safeguard it, and you certainly do not want to send it back and forth over HTTP the whole time; → see password hashing
- gives you no control over anything, all login information rests with the client (i.e. what do you do if you know any of the above was compromised?)
- does not let you change passwords without invalidating all active logins

On the other hand, using only a meaningless session id:

- reveals no useful information in the cookies
- gives no opportunity to crack or brute force anything of value
- the server holds the ultimate power since sessions can be revoked at any time
- it's simpler (simpler is always good in security)
- using a full session with server-side state allows you to escalate privileges; e.g. require the user to have actively logged in with his password within the last x minutes from the current IP to allow him to change his password or email address → provides security even if the session cookie should be hijacked

In short: session ids present no attack surface at all, since they're inherently meaningless. Userids, names and passwords present a very juicy target. Just from those basic points sessions should seem a lot more appealing. Assuming a perfect implementation with otherwise perfect security, both should be rather secure. However, you do not know what insecurities you have; you won't have perfect security. Assuming this, knowing this, the simpler system with fewer caveats should always be preferable.
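The session-id approach the answer describes, as an added Python example that is not code from the original post: the cookie carries only a random token; the user id, a salted password hash and the time of the last password login live server-side; sessions can be revoked; and a sensitive action (changing the password) is gated on a recent password login and then drops every other session of that user. The in-memory dictionaries and all function names are constructed for the example, not a real framework's API.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory stores standing in for a database and a session
# store (hypothetical names, not from the original post).
USERS = {}     # username -> {"id": int, "salt": bytes, "hash": bytes}
SESSIONS = {}  # opaque session id -> {"user_id": int, "auth_time": float}

# How recent a password login must be (seconds) before a sensitive action is allowed.
REAUTH_WINDOW = 600


def _pwhash(password, salt):
    # Slow, salted hash: the server never stores or transmits the plaintext password.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def register(username, password, user_id):
    salt = secrets.token_bytes(16)
    USERS[username] = {"id": user_id, "salt": salt, "hash": _pwhash(password, salt)}


def _user_by_id(user_id):
    for rec in USERS.values():
        if rec["id"] == user_id:
            return rec
    return None


def _check_password(rec, password):
    # Constant-time comparison of the derived hash against the stored one.
    return rec is not None and hmac.compare_digest(_pwhash(password, rec["salt"]), rec["hash"])


def login(username, password, now=None):
    """Verify credentials; on success return a random session id.

    The id is the only value that goes into the cookie: it carries no username,
    user id or password, so an intercepted copy reveals nothing and can be revoked."""
    rec = USERS.get(username)
    if not _check_password(rec, password):
        return None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user_id": rec["id"], "auth_time": now if now is not None else time.time()}
    return sid


def current_user(sid):
    """Resolve a cookie value to a user id; None if unknown or revoked."""
    sess = SESSIONS.get(sid)
    return sess["user_id"] if sess else None


def revoke(sid):
    """Server-side logout: the cookie value becomes meaningless immediately."""
    SESSIONS.pop(sid, None)


def reauthenticate(sid, password, now=None):
    """Re-check the password for an existing session and refresh its auth_time."""
    sess = SESSIONS.get(sid)
    if sess is None or not _check_password(_user_by_id(sess["user_id"]), password):
        return False
    sess["auth_time"] = now if now is not None else time.time()
    return True


def change_password(sid, new_password, now=None):
    """Sensitive action: allowed only if the session logged in with a password
    within REAUTH_WINDOW; afterwards every other session of the user is dropped,
    so a hijacked cookie stops working."""
    now = now if now is not None else time.time()
    sess = SESSIONS.get(sid)
    rec = _user_by_id(sess["user_id"]) if sess else None
    if rec is None or now - sess["auth_time"] > REAUTH_WINDOW:
        return False  # unknown session, or caller must reauthenticate() first
    rec["salt"] = secrets.token_bytes(16)
    rec["hash"] = _pwhash(new_password, rec["salt"])
    for other, s in list(SESSIONS.items()):
        if s["user_id"] == rec["id"] and other != sid:
            del SESSIONS[other]
    return True
```

Note the contrast with the question's scheme: here nothing in the cookie is useful on its own, the password check happens only at login and re-authentication, and the server decides at every request whether a token is still valid.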