cookies中的HMAC有标准格式吗?
[英]Is there a standard format for HMAC in cookies?
问题描述
Given a cookie x with a value 1 ..
给定一个值为1的cookie x ..
Set-Cookie: x=1
.. a Message Authentication Code (MAC) y is added, in this case with a | .. 添加了消息验证码(MAC) y ,在本例中为| delimiter.分隔符。
Set-Cookie: x=1|y
How should the data, 1 , and the MAC, y , be separated?数据1和 MAC y应该如何分开? Above, a delimiter is used, but this approach fails if the data could contain the delimiter.上面使用了分隔符,但如果数据可能包含分隔符,此方法将失败。 I considered using JSON,我考虑使用 JSON,
{ "data": 1, "mac": "y" }
Which I believe would then have to be URL-encoded?我相信那必须是 URL 编码的?
Set-Cookie: x=%7B%22x%22%3A1%2C%22mac%22%3A%22y%22%7D
Is there a standard for the format of cookie values that contain MACs?包含 MAC 的 cookie 值的格式是否有标准?
The calculation of the MAC, y , should be irrelevant to this question. MAC y的计算应该与这个问题无关。 If necessary, please assume y is calculated using OpenSSL HMAC SHA-256 .如有必要,请假设y使用OpenSSL HMAC SHA-256计算。
1 个解决方案
解决方案1
1 2021-02-06 13:40:24
If we start with the HTTP standard for cookies, we see that the syntax doesn't have any special support for message signatures.如果我们从 cookies 的 HTTP 标准开始,我们会看到该语法对消息签名没有任何特殊支持。 What is supported is arbitrary metadata via attributes using the extension-av syntax.支持的是使用extension-av语法通过属性的任意元数据。 So you could do something like:因此,您可以执行以下操作:
Set-Cookie: x=1;myhmac=y
Or, as used in this article , simply x=1;y .或者,如本文中所用,简单地x=1;y 。 In practice this is likely to work fine, but in theory it runs into the issue of collision with other metadata uses (what if the client applies some other meaning to myhmac ?).在实践中,这可能工作得很好,但理论上它会遇到与其他元数据使用冲突的问题(如果客户端将其他含义应用于myhmac怎么办?)。 This is a common problem with any system for extending a standard.这是任何扩展标准的系统的常见问题。
If the HMAC isn't HTTP-level metadata, then it must be stored in the content of the cookie.如果 HMAC 不是 HTTP 级别的元数据,那么它必须存储在 cookie 的内容中。 Your suggestion of using a data structure containing the value and the signature and then encoding it is consistent with the standard:您对使用包含值和签名的数据结构然后对其进行编码的建议与标准一致:
To maximize compatibility with user agents, servers that wish to store arbitrary data in a cookie-value SHOULD encode that data, for example, using Base64.
Base64 is certainly preferable to URL encoding, and since it has a restricted character set you could simply Base64 the value itself, and then be sure that your chosen delimiter (let's say . ) won't collide with the value. Base64 肯定比 URL 编码更可取,并且由于它具有受限字符集,您可以简单地 Base64 值本身,然后确保您选择的分隔符(假设不会与值冲突) . So instead of encoding a JSON object you could simply do:因此,您可以简单地执行以下操作,而不是编码 JSON object:
Set-Cookie: x=Base64(1).Base64(y)
In my experience this is probably the most common approach: using Base64 for the value and signature, separated by a delimiter of your choice.根据我的经验,这可能是最常见的方法:使用 Base64 作为值和签名,由您选择的分隔符分隔。 To pick an example that I'm familiar with, this is how Django handles message signing , including in cookies, using : as a delimiter.举一个我熟悉的例子,这就是 Django 处理消息签名的方式,包括在 cookies 中,使用:作为分隔符。
A more general approach would be to use JSON Web Signatures (part of JSON Web Tokens ), a proposed standard for handling signatures that can be used in headers. A more general approach would be to use JSON Web Signatures (part of JSON Web Tokens ), a proposed standard for handling signatures that can be used in headers. This approach is similar to the last one but includes metadata (like the algorithm used).这种方法与上一种方法类似,但包括元数据(如使用的算法)。 The compact syntax is:紧凑的语法是:
BASE64URL(UTF8(JWS Protected Header)) ||
JWT libraries are probably available in all languages. JWT 库可能以所有语言提供。 Note, though, that the generality and complexity of JWTs poses potential security risks, and many would warn you away .但请注意,JWT 的普遍性和复杂性会带来潜在的安全风险,许多人会警告您远离。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.