将redis-rails用作会话存储是否安全?
[英]Is it secure to use redis-rails as session store?
问题描述
When used as a session store, I noticed that redis-rails saves the session id in unencrypted format in the cookie. 
当用作会话存储时,我注意到redis-rails将会话ID以未加密的格式保存在cookie中。 Shouldn't session id be treated as secure information and not be exposed in a cookie unencrypted to thwart session-hijacking attempts? 不应将会话ID视为安全信息,并且不将其暴露在未经加密的cookie中以阻止会话劫持尝试吗?
1 个解决方案
解决方案1
1 已采纳 2017-09-10 22:36:10
No. 没有。
The session identifier cookie is the only (decent) way to link a client to a session. 会话标识符cookie是将客户端链接到会话的唯一(不错的)方法。 The client must have some sort of claim which they can pass along with the request so that we can identify them. 客户必须具有可以随请求一起传递的某种声明,以便我们可以识别它们。
This applies whether you are using CookieStore, Redis, ActiveRecord or memcached. 无论您使用CookieStore,Redis,ActiveRecord还是memcached,这都适用。
Encrypting the session identifier with a fixed salt or no salt would do absolutely nothing but waste time since the attacker has access to the cookie anyways in a man-in-the-middle or XSS attack. 使用固定盐或不加盐对会话标识符进行加密绝对不会浪费时间,因为攻击者无论如何在中间人攻击或XSS攻击中都可以访问cookie。
If you used a salt you would have to link that to the user as well. 如果您使用了盐,则还必须将其链接到用户。 Now you have two problems instead of one. 现在您有两个问题,而不是一个。
While you could use a bunch of novel approaches like salting with the user agent, ip or anything else that you think you know about the client the security benefits are few. 尽管您可以使用一堆新颖的方法,例如对用户代理,ip或其他您认为对客户端了解的方法加盐,但安全性益处很少。
As @pvg said: 正如@pvg所说:
Session id's merely have to be random, unpredictable and sufficiently large.
Meaningful ways to protect the session are: 保护会话的有意义的方法是:
- Use https to thwart man-in-the-middle attacks. 使用https阻止中间人攻击。
- Call
reset_sessionwhen logging users in and out to avoid session fixation.登录和注销用户时,请调用reset_session以避免会话固定。 - Sanitize user input to avoid XSS. 清理用户输入以避免XSS。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.