How can I secure session IDs and cookies without using SSL/HTTPS?
As far as I understand, if I do not use SSL/HTTPS, cookies and session ids travel as plain text over the wire. An attacker can use a packet sniffer to get his hands on these. How can I protect this without using SSL/HTTPS? I am guessing that the solution would consist of doing something both on the client side and the server side to take care of this. My server side is Java.
Answers (2)
You can use something like the Secure Cookie Protocol (PDF) to encrypt the cookies prior to sending them. Instead of the session identifier, you could use the requested IP address, or some other identifier that's 100% specific to the user in general.

So, to set it up, you'd create a server key k. Then, you'd create the cookie as follows:

Then, you can decrypt it later by using the reverse process. The HMAC verifies that it was not tampered with outside your server (assuming that k is really secret)... The fact that it includes a session identifier (SSL is best, but IP can possibly serve) means that it's immune to replay attacks or hijacking attacks.

SSL would be best, but you can get a pretty good system by using an encryption scheme such as this. The absolute best would be combining this scheme with SSL, which then prevents all sorts of nasties (including MITM tampering, but not other MITM attacks)...
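The answer above describes the Secure Cookie Protocol but the cookie construction itself did not survive on this page. The following is an added, self-contained Java example (not the answerer's code and not the paper's reference implementation) of that construction as the paper defines it: a per-cookie key derived as HMAC(user|expires, k) from the server key k, the payload encrypted under that key, and an HMAC over user|expires|data|clientId so the cookie is bound to a client identifier. The class name `SecureCookie`, the method names `issue`/`verify`, AES-GCM as the cipher, and the use of the client IP address as the "session identifier" are all my assumptions for illustration; the sample user, payload and IP addresses in `main` are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Added example of the Secure Cookie Protocol layout:
//   user | expires | base64(iv || AES-GCM(data)) | base64(HMAC(user|expires|data|clientId, k_c))
// with k_c = HMAC-SHA256(user|expires, k). Class/method names are assumptions.
public final class SecureCookie {
    private static final SecureRandom RNG = new SecureRandom();
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder B64D = Base64.getUrlDecoder();
    private static final int IV_LEN = 12;   // 96-bit GCM nonce
    private static final int TAG_BITS = 128;

    private final byte[] serverKey; // the server key k from the answer; never leaves the server

    public SecureCookie(byte[] serverKey) { this.serverKey = serverKey.clone(); }

    private static byte[] hmac(byte[] key, String data) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
    }

    // Per-cookie key k_c = HMAC(user|expires, k): a stolen cookie never exposes k itself.
    private byte[] cookieKey(String user, long expires) throws GeneralSecurityException {
        return hmac(serverKey, user + "|" + expires);
    }

    // Issue a cookie for `user` carrying `data`, valid until `expires` (unix seconds),
    // bound to `clientId` (here: the client IP, standing in for the SSL session key).
    public String issue(String user, String data, long expires, String clientId)
            throws GeneralSecurityException {
        if (user.contains("|")) throw new IllegalArgumentException("user may not contain '|'");
        byte[] kc = cookieKey(user, expires);          // 32 bytes: doubles as the AES-256 key
        byte[] iv = new byte[IV_LEN];
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(kc, "AES"), new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(data.getBytes(StandardCharsets.UTF_8));
        byte[] blob = Arrays.copyOf(iv, IV_LEN + ct.length);
        System.arraycopy(ct, 0, blob, IV_LEN, ct.length);
        byte[] tag = hmac(kc, user + "|" + expires + "|" + data + "|" + clientId);
        return user + "|" + expires + "|" + B64.encodeToString(blob) + "|" + B64.encodeToString(tag);
    }

    // Reverse process: returns the decrypted data, or null if the cookie is expired,
    // malformed, tampered with, or presented by a different client.
    public String verify(String cookie, long now, String clientId) {
        String[] p = cookie.split("\\|", -1);
        if (p.length != 4) return null;
        String user = p[0];
        try {
            long expires = Long.parseLong(p[1]);
            if (expires < now) return null;            // reject expired cookies before any crypto
            byte[] kc = cookieKey(user, expires);
            byte[] blob = B64D.decode(p[2]);
            if (blob.length < IV_LEN + TAG_BITS / 8) return null;
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(kc, "AES"),
                   new GCMParameterSpec(TAG_BITS, Arrays.copyOf(blob, IV_LEN)));
            String data = new String(c.doFinal(blob, IV_LEN, blob.length - IV_LEN), StandardCharsets.UTF_8);
            byte[] expected = hmac(kc, user + "|" + expires + "|" + data + "|" + clientId);
            // constant-time compare; a mismatch means tampering or a different client
            return MessageDigest.isEqual(expected, B64D.decode(p[3])) ? data : null;
        } catch (IllegalArgumentException | GeneralSecurityException e) {
            return null;   // bad number, bad base64, or GCM tag failure
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] k = new byte[32];
        RNG.nextBytes(k);                               // constructed server key for the demo
        SecureCookie sc = new SecureCookie(k);
        long now = System.currentTimeMillis() / 1000;
        String cookie = sc.issue("alice", "role=admin", now + 3600, "203.0.113.7");
        System.out.println("cookie:   " + cookie);
        System.out.println("valid:    " + sc.verify(cookie, now, "203.0.113.7"));         // role=admin
        System.out.println("replayed: " + sc.verify(cookie, now, "198.51.100.9"));        // null, other client
        System.out.println("expired:  " + sc.verify(cookie, now + 7200, "203.0.113.7"));  // null, past expiry
        System.out.println("forged:   " + sc.verify(cookie.replace("alice", "bob"), now, "203.0.113.7")); // null
    }
}
```

Two caveats a practitioner should keep in mind with this scheme over plain HTTP: binding to the client IP only helps against an attacker who replays from a different address (anyone sharing the same NAT or proxy egress as the victim is not stopped), and since the cookie is still readable on the wire, the attacker also learns the user name and expiry in the clear; only the payload is hidden. The HMAC stops tampering, it does not stop reading.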
Short Answer: no encryption means unencrypted data.
Longer Answer: If you want to encrypt your HTML stuff (and I include cookies and session id as HTML stuff), then you must encrypt your data. You have two options: a. HTTPS or b. roll your own scheme. Option b is almost never a good idea.