如何保护我网站的会话 cookie?
会话 cookie 正在迅速成为登录管理的标准方式。但是,如果未加密发送,则很容易劫持某人的会话(ala Firesheep)。
现在,您可以通过让整个网站使用 HTTPS 来解决此问题,但如果有人输入 mysite.com,浏览器将默认使用 http。我们可以通过重定向来解决这个问题:
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
但是当我有机会重写 URL 时,我的会话 cookie 不是已经通过不安全的通道发送了吗?
Session cookies are quickly becoming a standard way of doing login management. However, if sent unencrypted, it's pretty easy to hijack someone's session ala Firesheep.
Now, you can solve this by making your entire site use HTTPS, but if someone types in mysite.com the browser defaults to http. We can solve this with a redirect:
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
But by the time I get a chance to rewrite the URL, hasn't my session cookie already been sent over an insecure channel?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
使用“安全”选项将您的会话 cookie 标记为仅 HTTPS。
Mark your session cookie as HTTPS-only using the Secure option.