Is it safe to use a client-side cookie flag to indicate whether a user is logged in? Is it safe once encrypted with a common encryption algorithm?
2016-09-06 00:00
507 views
1. Setting a logged-in flag in a client-side cookie may be a security risk: once an attacker modifies the cookie value, they may be able to log in.
You could use this strategy described here as best practice (2006) or an updated strategy described here (2015):
When the user successfully logs in with Remember Me checked, a login cookie is issued in addition to the standard session management cookie.
The login cookie contains a series identifier and a token. The series and token are unguessable random numbers from a suitably large space. Both are stored together in a database table, the token is hashed (sha256 is fine).
When a non-logged-in user visits the site and presents a login cookie, the series identifier is looked up in the database.
If the series identifier is present and the hash of the token matches the hash for that series identifier, the user is considered authenticated. A new token is generated, a new hash for the token is stored over the old record, and a new login cookie is issued to the user (it's okay to re-use the series identifier).
If the series is present but the token does not match, a theft is assumed. The user receives a strongly worded warning and all of the user's remembered sessions are deleted.
If the username and series are not present, the login cookie is ignored.
This approach provides defense-in-depth. If someone manages to leak the database table, it does not give an attacker an open door for impersonating users.
2. Common encryption algorithms are not safe
MD5 can be reversed: given the ciphertext produced by MD5 or another common encryption algorithm, the plaintext can be recovered by looking it up in a database. http://cmd5.com/
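The series/token "remember me" scheme described in the answer, as an added example that is not part of the original post or of the linked articles. A Python dict stands in for the database table, and the class and method names (RememberMeStore, issue, validate) are this example's own choices, not any library's API. It walks through all three outcomes the answer lists: a matching token (authenticate and rotate), a known series with a wrong token (assume theft, revoke every remembered session for that user), and an unknown series (ignore the cookie).

```python
import hashlib
import hmac
import secrets

# Added example, not from the original post. The in-memory dict below plays
# the role of the database table that stores (series, hashed token) pairs.

TOKEN_BYTES = 32  # 256 bits: "unguessable random numbers from a suitably large space"


def _hash_token(token: str) -> str:
    # Only the hash is stored. sha256 is fine here because the token is
    # high-entropy random data, unlike a user-chosen password.
    return hashlib.sha256(token.encode()).hexdigest()


class RememberMeStore:
    def __init__(self):
        # series_id -> {"user": username, "token_hash": sha256 hex digest}
        self._rows = {}

    def issue(self, username: str):
        """Called on a successful login with Remember Me checked.
        Returns the (series, token) pair to place in the login cookie."""
        series = secrets.token_urlsafe(TOKEN_BYTES)
        token = secrets.token_urlsafe(TOKEN_BYTES)
        self._rows[series] = {"user": username, "token_hash": _hash_token(token)}
        return series, token

    def validate(self, series: str, token: str):
        """Called when a non-logged-in visitor presents a login cookie.
        Returns ("ok", username, new_cookie), ("theft", username, None)
        or ("ignore", None, None)."""
        row = self._rows.get(series)
        if row is None:
            # Unknown series identifier: the login cookie is simply ignored.
            return ("ignore", None, None)
        if not hmac.compare_digest(row["token_hash"], _hash_token(token)):
            # Series is known but the token does not match: assume the cookie
            # was stolen and already used. Delete all remembered sessions.
            user = row["user"]
            self._revoke_all(user)
            return ("theft", user, None)
        # Match: user is authenticated. Rotate the token, keep the series id,
        # and overwrite the stored hash with the new one.
        new_token = secrets.token_urlsafe(TOKEN_BYTES)
        row["token_hash"] = _hash_token(new_token)
        return ("ok", row["user"], (series, new_token))

    def _revoke_all(self, username: str) -> None:
        for s in [s for s, r in self._rows.items() if r["user"] == username]:
            del self._rows[s]

    def remembered_sessions(self, username: str) -> int:
        return sum(1 for r in self._rows.values() if r["user"] == username)


def demo():
    """Exercise the three outcomes in order; returns them for inspection."""
    store = RememberMeStore()
    series, token = store.issue("alice")
    # 1. The legitimate browser returns: authenticated, token rotated.
    status1, _, cookie1 = store.validate(series, token)
    # 2. A copy of the *old* cookie is replayed after rotation: the series
    #    matches but the token does not, so theft is assumed and all of
    #    alice's remembered sessions are deleted.
    status2, _, _ = store.validate(series, token)
    # 3. The series row is gone now, so even the rotated cookie is ignored.
    status3, _, _ = store.validate(series, cookie1[1])
    return status1, status2, status3, store.remembered_sessions("alice")


if __name__ == "__main__":
    print(demo())  # ('ok', 'theft', 'ignore', 0)
```

The constant-time comparison (`hmac.compare_digest`) is not mentioned in the answer but is the usual way to compare stored and presented hashes; everything else follows the steps as written, including the defense-in-depth property that a leaked table holds only hashes of tokens and therefore cannot be replayed as cookies.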
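The second point, as an added example that is not part of the original post: why an unsalted fast hash of a low-entropy value can be recovered by table lookup, and how a per-user random salt plus an iterated hash prevents a precomputed table from matching. The wordlist is a constructed three-entry sample, and the function names (build_md5_table, lookup_plaintext, hash_password, verify_password) and the stored-string layout are this example's own choices. The alternative shown is PBKDF2-HMAC-SHA256 from Python's standard library, which the answer does not name.

```python
import hashlib
import hmac
import os

# Added example, not from the original post. A tiny precomputed table stands
# in for the kind of digest lookup the answer refers to.

WEAK_PASSWORDS = ["123456", "password", "qwerty"]  # constructed sample wordlist


def build_md5_table(words):
    # digest -> plaintext. An unsalted, fast hash is a pure function of its
    # input, so the same table can be built once and reused against anyone.
    return {hashlib.md5(w.encode()).hexdigest(): w for w in words}


def lookup_plaintext(hexdigest: str, table: dict):
    # Returns the original value if its digest was precomputed, else None.
    return table.get(hexdigest)


PBKDF2_ITERATIONS = 200_000  # makes each guess expensive; tune to your hardware


def hash_password(password: str, salt: bytes = None) -> str:
    # A random per-user salt means the stored value depends on more than the
    # password alone, so a table computed in advance cannot match it.
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    # Self-describing storage format: algorithm$iterations$salt$derived_key
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    table = build_md5_table(WEAK_PASSWORDS)
    digest = hashlib.md5(b"123456").hexdigest()
    print(lookup_plaintext(digest, table))      # 123456 (found in the table)
    stored = hash_password("123456")
    print(lookup_plaintext(stored, table))      # None (salted, not in any table)
    print(verify_password("123456", stored))    # True
```

Two calls to `hash_password` with the same input produce different stored strings because the salt differs, which is exactly the property a precomputed lookup table cannot cope with; the login flag question in the title is unaffected by this, since a forgeable flag is a problem regardless of how it is hashed.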