当我将 cookie 会话从 HTTPS 传输到 HTTP 时出现安全问题
在我的网站上,我有几个 HTTPS 页面和一些 HTTP 页面。当用户通过 HTTPS 登录时,会存储包含电子邮件地址等的 cookie。当用户单击我网站的 HTTP 页面时,自创建 cookie 起,cookie 就会丢失在HTTPS下。因此,为了解决这个问题,我在我的 HTTP 页面中添加了这个 PHP 代码:
session_start();
$currentSessionID = session_id();
我假设这会获取为 HTTPS 页面存储的 cookie,并将其通过 HTTP 能看到吗?这是否存在任何可能的安全缺陷?我不确定 cookie 是否确实通过 HTTP 传输,或者只是提取浏览器已存储在临时互联网文件中的内容?
On my website, I have several HTTPS pages and some HTTP pages. When a user logs in through HTTPS a cookie is stored containing email address etc. When a user clicks on a HTTP page of my website the cookie is lost since the cookie was created under HTTPS. So to solve that problem I added this PHP code in my HTTP pages:
session_start();
$currentSessionID = session_id();
I assume this takes the cookie that was stored for HTTPS pages and pulls it through so HTTP can see it? Is this a security flaw in any possible way? I am not sure if the cookie is actually being transferred over HTTP or if it is just pulling what the browser already stored in temp internet files?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
是的,如果您在 HTTP 连接上设置了识别 cookie,它们可能会被劫持,并且它们识别的帐户可能会受到损害。
通过 HTTP 发送会话 cookie(这实际上是很常见的事情),这使得 Firesheep 能够工作。基本攻击是:
好消息是,同一网络窃听攻击在大多数情况下并不是特别实用的攻击。 Firesheep 起作用的唯一原因是因为全世界每个人都有 Facebook/Twitter/任何帐户,这意味着当您连接到星巴克的开放 wifi 时,就会有帐户被劫持。
你能做什么?
如果您不知道该怎么做,您可以相信,窃听并不是一种特别实用的攻击,并且如果您的网站非常受欢迎,那么对劫持您的网站的支持可能只会在 Firesheep 中实现;-)
解决具体问题更直接地回答你的问题:如果你的 HTTP 页面可以识别用户,那么该用户的帐户可能会被劫持,因为服务器唯一需要处理的就是用户的 cookie。
Yes, if you ever set identifying cookies on an HTTP connection they can be hijacked and the account they identify can be compromised.
Sending session cookies over HTTP (which is actually a pretty common thing to do), is what allows Firesheep to work. The basic attack is:
The good news is that, the on-the-same-network-eavesdropping-attack is not a particularly practical attack for the most part. The only reason Firesheep works is because everybody in the entire world has a Facebook/Twitter/whatever account which means that when you connect to open wifi in a Starbucks there will be accounts to hijack.
What can you do?
If you don't what to do that you can rely on the fact that eavesdropping isn't a particularly practical attack and support for hijacking your site will probably only be implemented in Firesheep if your site is really popular ;-)
To address the specifics of your question a little more directly: If your HTTP pages can identify a user, then that user's account can be hijacked, since the only thing the server has to go on is the user's cookies.
您尝试做的事情非常不安全,并且明显违反了 OWASP A9。任何时候都不能通过 HTTP 公开已验证或将要验证的会话 ID。
What you are trying to do is very insecure and a clear violation of OWASP A9. At no point can a session id that is authenticated or will become authenticated be exposed over HTTP.