Storing encrypted cookies with Rails

Published 2025-01-07 04:42:37

I need to store a small piece of data (less than 10 characters) in a cookie in Rails and I need it to be secure. I don't want anybody being able to read that piece of data or injecting their own piece of data (as that would open up the app to many kinds of attacks). I think encrypting the contents of the cookie is the way to go (should I also sign it?). What is the best way to do it?

Right now I'm doing this, which looks secure, but many things looked secure to people that knew much more than I about security and then it was discovered it wasn't really secure.

I'm saving the secret in this way:

encryptor = ActiveSupport::MessageEncryptor.new(Example::Application.config.secret_token)
cookies[:secret] = {
  :value => encryptor.encrypt(secret),
  :domain => "example.com",
  :secure => !(Rails.env.test? || Rails.env.development?)
}

and then I'm reading it like this:

encryptor = ActiveSupport::MessageEncryptor.new(Example::Application.config.secret_token)
secret = encryptor.decrypt(cookies[:secret])

Is that secure? Any better ways of doing it?

Update: I know about Rails' session and how it is secure, both by signing the cookie and by optionally storing the contents of the session server side and I do use the session for what it is for. But my question here is about storing a cookie, a piece of information I do not want in the session but I still need it to be secure.

Comments (3)

挽袖吟 2025-01-14 04:42:37
  • Setting a secure cookie

    cookies.signed[:secret] = {
     :value => "foo bar",
     :domain => "example.com",
     :secure => !(Rails.env.test? || Rails.env.development?)
    }
    
  • Accessing the cookie

    cookies.signed[:secret] # returns "foo bar"
    

The cookie is signed using ActionController::Base.cookie_verifier_secret. You can set the cookie_verifier_secret in the initializer file.

用心笑 2025-01-14 04:42:37

As KandadaBoggu says, it looks like what you want is a session variable, and session variables are by default encrypted and stored in cookies. However, if you have a look at the contents of config/initializers/session_store.rb you will find something like the following:

 # Be sure to restart your server when you modify this file.
 MyRailsApp::Application.config.session_store :cookie_store, :key => '_my_rails_app_session'

 # Use the database for sessions instead of the cookie-based default,
 # which shouldn't be used to store highly confidential information
 # (create the session table with "rails generate session_migration")
 # MyRailsApp::Application.config.session_store :active_record_store

Which suggests to me that you should use the database for sessions instead of the cookie-based default, which shouldn't be used to store highly confidential information. The pre-cooked migration makes everything really easy to set up so there's very little overhead in doing so, and once it's done there's basically zero overhead if you need to add a new piece of secret information at a later date!

鱼窥荷 2025-01-14 04:42:37

I'm re-posting JacobM's answer, that he deleted, because it was the correct answer and pointed me in the right direction. If he undeletes it, I'll delete this one and pick his as the best answer.

First of all, if you use encrypt_and_verify instead of encrypt it will sign the cookie for you.

However, when it comes to security, I always prefer to rely on solutions that have been vetted in public, rather than rolling my own. An example would be the encrypted-cookies gem.
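As an added example (not code from the question or from any of the answers), here are the two cookie shapes this thread contrasts, built on Ruby's OpenSSL standard library alone: the signed-only shape of the first answer's cookies.signed, and the encrypt-then-sign shape the last answer refers to. The secret, key derivation and the function names sign/verify/seal/unseal are constructed for the demo; the point it shows is that a signed cookie stays readable by whoever holds it while a sealed one does not, and that both reject a tampered value before it is used.

```ruby
require 'openssl'
# Constructed demo secret; a Rails app would derive these keys from its own secret instead.
DEMO_SECRET = 'constructed-demo-secret-do-not-reuse'.freeze
SIGN_KEY = OpenSSL::HMAC.digest('SHA256', DEMO_SECRET, 'signed cookie')
ENC_KEY  = OpenSSL::HMAC.digest('SHA256', DEMO_SECRET, 'encrypted cookie')

class InvalidCookie < StandardError; end

# Constant-time comparison so a forged digest cannot be guessed byte by byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Signed only (the cookies.signed shape): "base64(value)--hmac".
# Tamper-evident, but whoever holds the cookie can still decode the value.
def sign(value)
  payload = [value].pack('m0')
  "#{payload}--#{OpenSSL::HMAC.hexdigest('SHA256', SIGN_KEY, payload)}"
end

def verify(cookie)
  payload, digest = cookie.to_s.split('--', 2)
  expected = OpenSSL::HMAC.hexdigest('SHA256', SIGN_KEY, payload.to_s)
  raise InvalidCookie, 'bad signature' unless digest && secure_equal?(digest, expected)
  payload.unpack1('m0')
end

# Encrypted and signed: AES-256-CBC with a fresh random IV, then the
# signature above over iv + ciphertext (encrypt-then-MAC).
def seal(value)
  cipher = OpenSSL::Cipher.new('aes-256-cbc').encrypt
  cipher.key = ENC_KEY
  iv = cipher.random_iv
  sign(iv + cipher.update(value) + cipher.final)
end

def unseal(cookie)
  blob = verify(cookie) # rejects any tampering before a single byte is decrypted
  cipher = OpenSSL::Cipher.new('aes-256-cbc').decrypt
  cipher.key = ENC_KEY
  cipher.iv = blob[0, 16]
  cipher.update(blob[16..-1]) + cipher.final
end

# What a client sees without any key: the signed form leaks the value, the sealed form does not.
def readable_without_key(cookie)
  cookie.split('--', 2).first.unpack1('m0')
end
```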
