简体繁体 English

什么是保护Cookie的最佳和最简便的方法

[英]What is the best and easiest way to secure cookies

原文 2014-05-17 12:59:48 6 1 java/ security/ cookies

I am searching for a way that help me to secure cookies by encrypting them for example. 我正在寻找一种方法，例如通过对cookie进行加密来帮助我保护cookie。 I searched a lot and I got confused. 我搜了很多东西，感到很困惑。 Thus, I am seeking your help to find an easy way to do that. 因此，我正在寻求您的帮助，以找到一种简便的方法。

Actually my aim is only to show that I can secure my cookies in Java for sensitive data such as password. 实际上，我的目的仅仅是表明我可以用Java保护cookie来保护敏感数据（例如密码）的安全。

1 个解决方案

In a protected connection (SSL), everything is encrypted, cookies too. 在受保护的连接（SSL）中，所有内容均已加密，Cookie也是如此。 Yes you can implement an algorithm to encrypt cookies value, why not... but you have to encrypt/decrypt handly with your own code. 是的，您可以实现一种算法来加密cookie值，为什么不这样做……但是您必须使用自己的代码手动进行加密/解密。

If you don't have a Java development tool, or the last paragraph scared you away from using one that you own, you can use the Java 2 Software Development Kit, which is available for free from Sun's Java Web site . 如果您没有Java开发工具，或者上一段吓到您不使用自己的Java开发工具，则可以使用Java 2软件开发工具包，该工具包可从Sun的Java网站免费获得。

In addition to delivering the cookies over HTTPS (SSL), and encrypting the contents such that they cannot be manipulated via Man in the Middle attacks, there is an additional requirement. 除了通过HTTPS（SSL）传递cookie并对内容进行加密以使它们无法通过“中间人攻击”来操纵外，还存在其他要求。 The cookie must also be marked as 'secure' per RFC2109 as in... 根据RFC2109，cookie还必须标记为“安全”，如...

//snip // SNIP

Set-Cookie:JSESSIONID:893ihewwydkq2764@&@09;Path=/;secure //snip Set-Cookie：JSESSIONID：893ihewwydkq2764 @＆@ 09; Path = /; secure // snip

Marking the cookies this way ensures they cannot be delivered over an unencrypted session such as http. 以这种方式标记cookie可以确保它们无法通过未加密的会话（例如http）传递。

Using these three methods together makes a cookie reasonably 'SECURE' 结合使用这三种方法，可以使Cookie合理地“安全”

Happy coding :) 快乐的编码:)