快速会话:我不明白为什么它可以是安全的
[英]express-session: i don't understand why it can be secure
问题描述
ok i saw this example and like the cookie is encrypted.
好的,我看到了这个例子,就像 cookie 是加密的。
var app = express()
app.set('trust proxy', 1) // trust first proxy
app.use(session({
secret: 'keyboard cat',
resave: false,
saveUninitialized: true,
cookie: { secure: true }
}))
This is my question, let's say A and B sit next to each other, B copies A's request which includes the session info (encrypted cookie) and put in his request.这是我的问题,假设 A 和 B 坐在一起,B 复制 A 的请求,其中包括会话信息(加密的 cookie)并放入他的请求中。 Yes B cannot decrypt the cookie, but so what ?是的 B 无法解密 cookie,但那又怎样? From server side, it checks the session info, it's using the same secret for A and B. So the request went through.从服务器端,它检查会话信息,它对 A 和 B 使用相同的秘密。所以请求通过了。
So how's this session be more useful than cookie from security point of view ?那么从安全的角度来看,这个会话如何比 cookie 更有用呢?
1 个解决方案
解决方案1
1 已采纳 2021-06-20 05:42:47
express-session: i don't understand why it can be secure
If you run with https and your physical computer is secure from outsiders, then your express session cookie is protected from outsiders when stored locally and is protected (by https) when in transport to the server.如果您使用 https 运行并且您的物理计算机不受外界影响,那么您的快速会话 cookie 在本地存储时不受外界影响,并在传输到服务器时受到保护(受 https)。
So, as long as the session cookie is protected from being stolen, then access to the express-session data stored on the server will be available only to a computer who has that session cookie.因此,只要保护会话 cookie 不被窃取,那么只有拥有该会话 cookie 的计算机才能访问存储在服务器上的快速会话数据。
This is similarly true of regular cookies too (who also need https to be secure), but the difference with a session cookie is that it doesn't contain any actual data.常规 cookie 也是如此(它们也需要 https 来保证安全),但与会话 cookie 的区别在于它不包含任何实际数据。 It contains only an encrypted ID that is used by the server to identify which session object corresponds with that user.它只包含一个加密的 ID,服务器使用该 ID 来标识与该用户对应的会话对象。 Session data is then only available on the server itself which further insulates it from some types of attacks.然后,会话数据仅在服务器本身上可用,这进一步使其免受某些类型的攻击。
This is my question, let's say A and B sit next to each other, B copies A's request which includes the session info (encrypted cookie) and put in his request.
If B can see A's cookies because A is not using https and B has access to A's network, then nothing is secure.如果 B 可以看到 A 的 cookie,因为 A 没有使用 https 并且 B 可以访问 A 的网络,那么没有什么是安全的。 You need to use https for either plain cookies or session cookies to have any decent level of security.您需要对普通 cookie 或会话 cookie 使用 https 以获得任何体面的安全级别。 In fact, even when A logs in would likely be insecure if B can watch the whole transaction on the network.事实上,如果 B 可以查看网络上的整个交易,即使 A 登录也可能是不安全的。
So how's this session be more useful than cookie from security point of view ?
Neither is secure if your running them over http.如果您通过 http 运行它们,两者都不安全。 Both can be secure if you're running them on https.如果您在 https 上运行它们,两者都是安全的。 But, a session has all sorts of features that storing actual session state in a plain cookie does not such as the ability to maintain a session across multiple devices (when session storage is made persistent and be reattached to any login from a user from any device), to provide session storage of larger and richer state (way beyond what can be stored in a plain cookie), etc... Server-side sessions are just more flexible and more powerful - which is one reason why they are popular.但是,会话具有在普通 cookie 中存储实际会话状态的各种功能,例如在多个设备上维护会话的能力(当会话存储持久化并重新附加到来自任何设备的用户的任何登录时),提供更大和更丰富状态的会话存储(远远超出可以存储在普通 cookie 中的内容)等......服务器端会话只是更灵活和更强大 - 这就是它们受欢迎的原因之一。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.