[英]Servlet session cookie tampering and security
On the server side, after a successful logon, I execute : 在服务器端,成功登录后,我执行:
HttpServletRequest request = this.getThreadLocalRequest();
HttpSession session = request.getSession();
session.setAttribute("user", subject.getUser().getId());
session.setAttribute("logged", true);
I then assume that the user is logged in. When the user navigates to a secure page in order to save or delete a record from my database, I run this code. 然后,我假定用户已登录。当用户导航到安全页面以保存或删除数据库中的记录时,我将运行此代码。
HttpServletRequest request = this.getThreadLocalRequest();
HttpSession session = request.getSession();
if (session.getAttribute("user")!=null && session.getAttribute("logged"))
{
//delete a record using the authority of the user.
}
My concern is that a client can tamper its browser cookie with a different user id. 我担心的是,客户端可以使用其他用户ID篡改其浏览器cookie。 The database request would be initiated with a different user, skipping the login process.
数据库请求将由其他用户启动,从而跳过登录过程。
Can java session identify tampering, or should I digitally sign the session by including this line Java会话可以识别篡改,还是应该通过添加以下行来对会话进行数字签名
session.setAttribute("signature", hash(secretkey + subject.getUser().getId());
then verify that the signature is valid before changing the database. 然后在更改数据库之前验证签名是否有效。
if (session.getAttribute("signature").equals(hash(secretkey + session.getAttribute("user"))
{
//delete a record using the authority of the user.
}
Have you examined your cookies? 您检查过Cookie吗? Are you actually keeping the user-id in a cookie, and if yes, what for?
您实际上是将用户ID保留在cookie中吗? The server side session object can't be accessed from the client side, that would be a huge security problem.
无法从客户端访问服务器端会话对象,这将是一个巨大的安全问题。
If your code is correct, there's no reason or advantage in using a hash. 如果您的代码正确,则使用哈希没有任何理由或优势。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.