
Django - sessionid cookie - Is this a security failure?

In order to see this possible error you need to open two browsers and some plug-in to get/set cookies.

If you create a new project in Django 1.7 and access the admin site (/admin), log in successfully in the first browser, get the sessionid and csrftoken cookies and set them in the second browser's login page, then enter a random user and password, you get a CSRF error, and if you go back in the browser you are logged in.

How can I avoid this?

I suppose you can obtain the same result just by copying the sessionid cookie to another browser and navigating to /admin. You don't need csrftoken to reproduce this issue. It's called sessionid stealing, and all frameworks I know are vulnerable to this type of attack.

To avoid it, set SESSION_COOKIE_SECURE = True (default False) to protect your sessionid cookie from man-in-the-middle attacks. You will also need to install an SSL certificate on your production server. Then configure it to redirect all http:// requests to https://. The S in https stands for secure; this means all traffic between client and server is encrypted, and no one between client and server (client's ISP, server's hosting provider, proxies, etc.) can read any data that is sent, including the session cookie value.

And use SESSION_COOKIE_HTTPONLY = True (default) to protect the session cookie from stealing via XSS. HTTPONLY means that this cookie will be sent with each http request, but won't be accessible from the client's browser via javascript. So if some malware javascript manages to run in the client's browser, it will not have access to the session cookie anyway.

A good tutorial on configuring a secure Django server can be found here: https://security.stackexchange.com/a/8970
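As an added example (not part of the answer above), the following Python script checks the two protections the answer recommends from the outside: it parses a response's Set-Cookie headers for the Secure and HttpOnly flags on sessionid, and audits a settings mapping for SESSION_COOKIE_SECURE / SESSION_COOKIE_HTTPONLY using the defaults the answer states. The header strings are constructed samples, not captured from a real server.

```python
from http.cookies import SimpleCookie

# Cookie flags the answer relies on: Secure (SESSION_COOKIE_SECURE) keeps the cookie
# off plain http:// connections; HttpOnly (SESSION_COOKIE_HTTPONLY) keeps it away from JS.
REQUIRED_FLAGS = ("secure", "httponly")

# Django defaults as stated in the answer: Secure off, HttpOnly on.
DJANGO_DEFAULTS = {"SESSION_COOKIE_SECURE": False, "SESSION_COOKIE_HTTPONLY": True}


def missing_cookie_flags(set_cookie_headers, cookie_name="sessionid"):
    """Return the required flags that cookie_name lacks, or None if it was never set."""
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        if cookie_name in jar:
            morsel = jar[cookie_name]
            # Morsel stores a present flag as True and an absent one as "".
            return [flag for flag in REQUIRED_FLAGS if not morsel[flag]]
    return None


def weak_settings(settings):
    """Return the session settings that are not True, applying Django's default
    when a setting is absent from the mapping (so an empty settings file is weak
    only on SESSION_COOKIE_SECURE)."""
    return sorted(
        name for name, default in DJANGO_DEFAULTS.items()
        if settings.get(name, default) is not True
    )


# Constructed sample headers: a deployment on the default settings versus a hardened one.
DEFAULT_HEADERS = [
    "csrftoken=abc123; Max-Age=31449600; Path=/",
    "sessionid=def456; HttpOnly; Max-Age=1209600; Path=/",
]
HARDENED_HEADERS = [
    "csrftoken=abc123; Max-Age=31449600; Path=/; Secure",
    "sessionid=def456; HttpOnly; Max-Age=1209600; Path=/; Secure",
]

if __name__ == "__main__":
    print(missing_cookie_flags(DEFAULT_HEADERS))   # ['secure']
    print(missing_cookie_flags(HARDENED_HEADERS))  # []
    print(weak_settings({}))                       # ['SESSION_COOKIE_SECURE']
```

The flag check only tells you what the server sends; the http-to-https redirect the answer also asks for has to be verified separately, since a cookie marked Secure is simply never transmitted over plain http.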

