为什么要使用更多 cookie 而不仅仅是会话哈希来进行身份验证?

发布于 2024-10-09 07:26:55 字数 744 浏览 9 评论 0原文

我通常在使用公告板软件的社区中闲逛。

我正在查看该软件在我的浏览器中保存的 cookie 内容。

如您所见,它保存了 6 个 cookie。其中,我认为对身份验证重要的是:

  1. ngisessionhash:当前会话的哈希
  2. ngipassword:密码的哈希(可能不是普通密码)
  3. ngiuserid:< em>用户的id

这些当然是我的假设。我不确定 ngilastactivityngilastvisit 是否出于相同的原因使用。

我的问题是:为什么使用所有这些 cookie 进行身份验证?我的猜测是,也许生成会话哈希会很容易,因此使用哈希密码和用户 ID 可以增加安全性,但是 cookie 欺骗呢?我基本上把所有基本信息都留给了客户。

你怎么认为?

更新 #1

这些 cookie 的内容就是我认为它们包含的内容。我不确定。 当然,如果调用cookie ngivbpassword并包含散列,我的猜测是hashedpassword。可能是密码+盐。

我主要担心的是这些解决方案在遭受 cookie 欺骗攻击时会提供大量信息。

更新#2 这个问题并不是想批评这些特定软件的工作方式,但是,通过这些答案,我只想了解有关在网络环境中保护软件的更多信息。

I usually hang out in a community that uses a bulletin board software.

I was looking at what this software saves as cookie in my browser.

As you can see it saves 6 cookies. Amongst them, what I consider to be important for authentification are:

  1. ngisessionhash: hash of the current session
  2. ngipassword: hash (not the plain password probably) of the password
  3. ngiuserid: user's id

Those are my assumptions of course. I don't know for sure if ngilastactivity and ngilastvisit are used for the same reason.

My question is: why use all these cookie for authentication? My guess would be that maybe generating a session hash would be to easy so using the hashedpassword and userid adds security but what about cookie spoofing? I'm basically leaving on the client all fundamental informations.

What do you think?

UPDATE #1

The contents of these cookies are what I think they contains. I'm not sure about it.
Of course if call a cookie ngivbpassword and contains an hash, my guess is hashedpassword. Probably it could be password+salt.

My main concern is about these solution giving to much information when under a cookie spoofing attack.

UPDATE #2
This question doesn't want to criticize the way these specific software works but, thorugh these answers I want just to learn more about securing software in a web environment.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(4

辞旧 2024-10-16 07:26:55

发生这种情况是因为会话 cookie 和登录 cookie 可能具有不同的生命周期。

想象一下每天有数百万用户的网站。该网站不会将您的会话存储一年,只是为了在您下次返回时重新登录。
他们为此使用登录cookie。

这些 cookie 也称为“记住我”cookie。

This happens because session and login cookies may have different lifecycles.

Imagine website with millions of users every day. The website won't store your session for a year just to log you back the next time you get back.
They use login cookies for that.

These cookies are also called Remember-Me cookies.

断舍离 2024-10-16 07:26:55

会话不是持久的。饼干是。

更新#1:我没有使用过 vBullettin,但它看起来像经典的“记住我”功能。

更新#2:

是的,这是一个记住我的功能,我是
询问他们为什么这样做
方式

...你如何实现“记住我”功能?您显然需要使用cookie,我想这很清楚。现在,你存储什么?

最简单的方法是以明文形式存储用户和密码并执行定期身份验证。这是您可以使用的最不安全的机制之一,但有些网站实际上就是这样做的。

第二种不太简单的方法是存储用户和密码的哈希值并执行常规身份验证的修改版本。不像以前的方法那么糟糕,但仍然存在一些问题;例如,没有有效的方法来禁用服务器保存的 cookie 或使其过期。

第三种方法是保留一个包含“记住的”会话的数据库表,用一个长的唯一字符串来标识每个会话,并将该字符串存储在 cookie 中。该字符串可以是随机的或计算的,但当然,随机性的优点是即使您知道算法也无法猜测该字符串。

通过在服务器中存储日期、IP 地址和其他数据可以实现进一步的安全性。

正如我所说,我对 vBulleting 一无所知,但他们似乎正在使用方法 2 或方法 3。

更新#3:

这些cookies的内容是什么
我认为它们包含。我不知道
关于它。当然如果调用cookie
ngivbpassword 并包含一个哈希值,我的
猜测是散列密码。大概是这样
可以是密码+盐。[...]我的主要
关注的是这些解决方案
在以下情况下有太多信息
cookie欺骗攻击。

成功的 cookie 欺骗可以让您完全冒充用户,这样您就可以进入控制面板并享受免费自助餐,从而使 cookie 内容变得无关紧要。

他们是否存储加盐密码或只是一个名称,我不知道。

Sessions are not persistent. Cookies are.

Update #1: I haven't worked with vBullettin but it looks like the classical "Remember me" feature.

Update #2:

Yeah, it's a remember me feature, I'm
asking why they're doing it in that
way

Alright... How do you implement a "Remember me" feature? You obviously need to use cookies, I assume that's clear. Now, what do you store?

The naivest way is to store user and password in clear text and perform regular authentication. It's among the most insecure mechanisms you can use yet some sites actually do it that way.

Second slightly less naive way is to store a hash of the user and password and perform a modified version of the regular authentication. Is not as bad as the previous method but it still suffers from some issues; for instance, there's no effective way to disable or expire a saved cookie from the server.

Third way is to keep a database table with "remembered" sessions, identify each one with a long unique string and store such string in the cookie. The string can be random or calculated but, of course, randomness has the advantage that the string cannot be guessed even if you know the algorithm.

Further security can be accomplishes by storing dates, IP addresses and other piece of data in the server.

As I said, I know nothing about vBulleting but it seems they're using method 2 or method 3.

Update #3:

The contents of these cookies are what
I think they contains. I'm not sure
about it. Of course if call a cookie
ngivbpassword and contains an hash, my
guess is hashedpassword. Probably it
could be password+salt.[...] My main
concern is about these solution giving
to much information when under a
cookie spoofing attack.

A successfully cookie spoofing allows you to fully impersonate the user so you can just enter the control panel and enjoy the free buffet, thus making the cookie content irrelevant.

Whether they store a salted password or it's just a name it's something I don't know.

岛徒 2024-10-16 07:26:55

这里有一个问题,你担心什么?您正在构建某种身份验证系统吗?
我还认为在 cookie 中保存用户 ID 和密码可能是一个安全问题。
用户 ID 是编码的还是整数?

Here is a question, what are your concerns? Are you building some kind of authentication system?
I also think that having the user id and password in cookies can be a security issue.
is user id encoded or an integer?

温柔一刀 2024-10-16 07:26:55
  • Cookie 应该尽可能小,以确保有关您在服务器上的身份的信息。

  • Sessionhash、session_id 或 sid 是您的唯一 ID(您在服务器上的会话)。其余的 cookie 可以轻松隐藏在服务器端。

  • 在 cookie 中保存密码哈希是一个安全问题。您应该避免这种情况。

  • 最后 4 个 Cookie 来自 Google 广告。

附言。无论如何,大多数公告板都不是很好的软件。

  • Cookies should be as-small-as-they-can peace of information about who you are on the server.

  • Sessionhash, session_id or sid is unique ID of you (your session on the server). The rest of cookies can be easily hidden on the server side.

  • Holding password hash in cookies is a security issue. You should avoid that.

  • Last 4 cookies comes from google ads.

PS. Most bulletin boards are not so great software anyway.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文