Persisting a session in an SSL-encrypted cookie vs. in a client certificate
Background: From a desktop application, users will navigate to an SSL-encrypted web portal where they will have to enter a username / password if it's their first time logging in. I want to be able to securely persist their user session. I was thinking of using encrypted cookies, storing their username and a unique session token / key, but was wondering what benefits client certificates offered in terms of security.
The way I understand it currently:
Encrypted cookies:
- Saved on the user's machine just like any other cookie
- Since the entire site is SSL, the contents of the cookie cannot be tampered with
- Easily implementable
- When a user logs in again, invalidate the token / key and issue a new one
Problems:
- Anyone attempting to access the web portal on the computer with a saved session will be able to, but this is a problem with any persisted session, right?
- How do I know that computer A is computer A and not just computer B that copied computer A's cookie?
Client Certificates:
- A pain in the ass to install
- Will uniquely identify that person's computer (or can it be restricted to the user account) to the web portal
- If the client certificate is stolen, then the account is compromised
Question: For persisting user sessions with the utmost security, would encrypted cookies be sufficient or would I need to install client certificates? How do they differ?
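As an added example (not code from the question or the answer), this Python sketch implements the cookie scheme the question describes: a random session token bound to the username, integrity-protected with an HMAC so the cookie cannot be altered even at rest, time-limited, and superseded server-side when the user logs in again. The function names, the in-memory session table and the key handling are assumptions made for the demo.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed demo key; a real deployment loads this from a secret store.
SERVER_KEY = secrets.token_bytes(32)
SESSION_TTL = 30 * 24 * 3600          # persist the session for 30 days

# Server-side table: username -> the single live token. Issuing a new token on
# login invalidates the old one, so a copied cookie stops working after re-login.
_sessions = {}

def _sign(payload: bytes) -> str:
    mac = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + mac).decode()

def issue_cookie(username: str, now: Optional[float] = None) -> str:
    """Mint a persisted-session cookie value and invalidate any previous one."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)                 # unguessable session key
    expires = int(now + SESSION_TTL)
    _sessions[username] = {"token": token, "expires": expires}
    # Demo assumes usernames contain no '|' separator.
    return _sign(f"{username}|{token}|{expires}".encode())

def validate_cookie(cookie: str, now: Optional[float] = None) -> Optional[str]:
    """Return the username if the cookie is authentic, unexpired and still live."""
    now = time.time() if now is None else now
    try:
        raw = base64.urlsafe_b64decode(cookie.encode())
    except ValueError:
        return None
    payload, mac = raw[:-32], raw[-32:]
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None                                   # tampered or forged
    try:
        username, token, exp = payload.decode().split("|")
    except ValueError:
        return None
    live = _sessions.get(username)
    if live is None or now > int(exp) or now > live["expires"]:
        return None                                   # expired or logged out
    if not hmac.compare_digest(live["token"], token):
        return None                                   # superseded by a newer login
    return username
```

The scheme still cannot tell computer A from computer B holding a copy of the cookie; the single live token per user only limits how long a copied cookie stays usable.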
Comments (1)
2-factor authentication (client certificates) does not mean a persisted session. Each time the user visits the page, the client certificate is used to authenticate against the site. Depending on the client policies (or AD), the user might have to enter a PIN to be able to submit the certificate, or choose from a list of certificates installed in the certificate store.