POST 和 Cookie 一样安全吗?
[英]Is POST as secure as a Cookie?
问题描述
While implementing a flash-based uploader , we were faced with an issue: Flash doesn't provide the correct cookies .
在实现基于闪存的上传器时,我们遇到了一个问题: Flash 没有提供正确的 cookies 。 We need our PHP Session ID to be passed via a POST variable.我们需要通过 POST 变量传递我们的 PHP Session ID。
We have come up with and implemented a functional solution, checking for a POST PHPSESSID.我们提出并实施了一个功能性解决方案,检查 POST PHPSESSID。
Is POSTing the Session ID as secure as sending it in a cookie?发布 Session ID 是否与在 cookie 中发送一样安全?
Possible reason for: Because both are in the http header, and equally possible for a client to forge.可能的原因:因为两者都在 http header 中,并且同样可能由客户伪造。 Possible reason against: Because it's easier to forge a POST variable than a Cookie.反对的可能原因:因为伪造 POST 变量比伪造 Cookie 更容易。
6 个解决方案
解决方案1
5 已采纳 2009-02-26 01:56:07
It is as secure — forging the POST is equally as easy as the cookie.它和 cookie 一样安全——伪造 POST 和 cookie 一样容易。 These are both done by simply setting flags in cURL.这些都是通过简单地在 cURL 中设置标志来完成的。
That being said, I think you've got a good solution as well.话虽如此,我认为您也有一个很好的解决方案。
解决方案2
2 2009-02-26 01:57:47
If you are able to obtain the session ID from active content in order to POST it, this presumably means that your session cookie is not marked HttpOnly , which one of our hosts claims is otherwise a good idea for defending against cross-site scripting attacks .如果您能够从活动内容中获取 session ID 以便发布它,这可能意味着您的 session cookie 未标记HttpOnly ,我们的一位主机声称这是防御跨站点脚本攻击的好主意。
Consider instead a JavaScript-based or even refresh-based uploader monitor, which should integrate well enough with everything else that the cookie can be HttpOnly.相反,考虑一个基于 JavaScript 甚至基于刷新的上传器监视器,它应该与其他所有东西很好地集成,cookie 可以是 HttpOnly。
On the other hand, if your site does not accept third-party content, cross-site scripting attacks may not be of any concern;另一方面,如果您的站点不接受第三方内容,跨站点脚本攻击可能不会有任何问题; in that case, the POST is fine.在这种情况下,POST 很好。
解决方案3
2 2009-02-26 01:59:50
I think sending it via GET would also work fine, since you fake anything in a HTTP request (using curl or even flash).我认为通过 GET 发送它也可以正常工作,因为你在 HTTP 请求中伪造任何东西(使用 curl 甚至闪存)。 The important thing is what is encrypted in you cookie/post/get parameter and how is it encrypted and checked on the server side.重要的是在你的 cookie/post/get 参数中加密了什么,以及它是如何在服务器端加密和检查的。
解决方案4
1 2009-02-26 02:19:05
Really if you are worried about which one is easier to forge, you're worrying about the wrong thing.真的,如果您担心哪个更容易伪造,那么您担心的是错误的事情。 Simply put, either will be trivial to an experienced attacker.简而言之,对于有经验的攻击者来说,两者都是微不足道的。 You might keep out the "script kiddies" by choosing one over the other, but those people arern't the ones you need to be worried about.您可能会通过选择一个而不是另一个来避开“脚本小子”,但这些人并不是您需要担心的人。 The question you should ask yourself is "what defenses do you have against someone forging an id?"您应该问自己的问题是“您对伪造身份的人有什么防御措施?” It will happen.它会发生。 If your id is unencrypted, and easy to guess, that's a problem.如果您的 id 未加密且容易猜到,那就有问题了。 It will get hacked.它会被黑客入侵。 Since you are asking which is more secure, I would say that you are concerned.既然你问哪个更安全,我会说你很担心。
Here's another thing to consider, since your application is flash, it's susceptable to modification (just like javascript HTML code), because the compiled code is on the attackers machine.还有一点需要考虑,因为你的应用程序是 flash,它很容易被修改(就像 javascript HTML 代码一样),因为编译的代码在攻击者机器上。 They can look through the binary and figure out how the code works, and what it needs to retrieve from the server.他们可以查看二进制文件并弄清楚代码是如何工作的,以及它需要从服务器检索什么。
解决方案5
0 2009-02-26 02:03:45
POST data is not an HTTP header, but it is sent as part of the TCP stream which makes it just as easy to read/forge as an HTTP header. POST data is not an HTTP header, but it is sent as part of the TCP stream which makes it just as easy to read/forge as an HTTP header. If you intercepted an HTTP request it would look something like this:如果你截获了一个 HTTP 请求,它看起来像这样:
POST /path/to/script HTTP/1.1
Host: yourdomain.com
User-Agent: Mozilla/99.9 (blahblahblah)
Cookie: __utma=whateverthisisacookievalue;phpsessid=somePHPsessionID
data=thisisthepostdata&otherdata=moredummydata&etc=blah
So as others have said, POST and cookies (and GET data, ie query strings) are all easy to spoof, since they're all just text in the same HTTP packet.正如其他人所说,POST 和 cookies(以及 GET 数据,即查询字符串)都很容易被欺骗,因为它们都只是同一个 HTTP 数据包中的文本。
解决方案6
0 2009-02-26 04:19:46
I just want to reiterate that both Cookie and Post are equally insecure.我只想重申 Cookie 和 Post 都同样不安全。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.