我对 Charles Miller's article, "Persistent Login Cookie Best Practice" 有点困惑因为我不明白代码如何防止有人窃取 cookie 并在另一台计算机上登录。
我看过并阅读了以下主题:
- https://stackoverflow.com/a/244907/3355243
- https://stackoverflow.com/a/30135526/3355243
- https://paragonie.com/blog/2015/04/secure-authentication-php-with-long-term-persistence#title.2
在所有这些中,它解释了如何实现更安全的登录系统,尽管我无法弄清楚它如何防止窃取 cookie、复制粘贴到控制台并使用它登录,即使处理两个不同的字段(系列/选择器和 token )。
document.cookie="theCookieNameFromWebsite=theCookieValueFromVictim";
paragonie.com链接说:
CREATE TABLE `auth_tokens` (
`id` integer(11) not null UNSIGNED AUTO_INCREMENT,
`selector` char(12),
`token` char(64),
`userid` integer(11) not null UNSIGNED,
`expires` datetime,
PRIMARY KEY (`id`)
);
The automatic login algorithm looks something like:
- Separate selector from token.
- Grab the row in auth_tokens for the given selector
- Hash the token provided by the user's cookie with SHA-256
- Compare the SHA-256 hash we generated with the hash stored in the database, using hash_equals()
- If step 4 passes, associate the current session with the appropriate user ID
这怎么能d'hell 阻止我窃取 cookie 并用它登录受害者的帐户?
最佳答案
它不会阻止任何事情。只有使用 TLS(通常称为 HTTPS)加密 HTTP 消息才能确保没有人窃取您用户的 cookie(请注意,HTTPS 必须应用于整个域,不仅仅是登录页面和“ secret ”区域。
至于这个方法是做什么的,引用文章:
- An attacker is only able to use a stolen cookie until the victim next accesses the web site instead of for the full lifetime of the remembered session.
- When the victim next accesses the web site, he will be informed that the theft occurred.
这里的优点是用户会尽快收到盗窃通知,而不是默默地关闭另一个 session ,或者更糟的是,将用户视为攻击者。
关于javascript - PHP持久登录不用担心窃取cookie,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/32667322/