如何保护我的用户免受会话劫持?
[英]How can I protect my users from session hijacking?
问题描述
如何保护用户免受会话劫持?
4 个解决方案
解决方案1
3 已采纳 2010-04-15 20:01:03
There are three sections in the Owasp Top 10 for 2010 that you should read. 
2010年Owasp Top 10有三个部分,您应该阅读。
1: ( !! ) A3: "Broken Authentication and Session Management." 1:( !! )A3:“身份验证和会话管理中断”。 ( !! ) ( !! )
2: "Cross Site Request Forgery" (XSRF) 2: “跨站点请求伪造”(XSRF)
3: "Cross Site Scripting" (XSS) 3: “跨站点脚本”(XSS)
解决方案2
1 2010-04-15 19:58:06
From StackOverflow's creators blog 来自StackOverflow的创作者博客
Preventing CSRF and XSRF Attacks 防止CSRF和XSRF攻击
Found by Googling "Prevent csrf" 发现谷歌搜索“预防csrf”
http://www.google.com/search?client=safari&rls=en&q=prevent+csrf&ie=UTF-8&oe=UTF-8 http://www.google.com/search?client=safari&rls=en&q=prevent+csrf&ie=UTF-8&oe=UTF-8
解决方案3
1 2010-04-15 19:59:10
One way that I know of is to check for consistency in the IP address of the user. 我知道的一种方法是检查用户IP地址的一致性。 By this I mean checking that the current IP address match the IP address last used during the same session. 我的意思是检查当前IP地址是否与上次在同一会话期间使用的IP地址匹配。 This would, however, not stop session hijacking from someone using the same IP address. 但是,这不会阻止使用相同IP地址的人员进行会话劫持。
解决方案4
0 2014-02-14 20:01:30
Consider the use of a secret salt known only to the client and server that is established at logon (hopefully an SSL logon). 考虑使用仅在登录时建立的客户端和服务器知道的秘密盐(希望是SSL登录)。 Afterwards the server can provide a count with each response and the client can provide a hash of (count + secret salt) with the next request. 之后,服务器可以为每个响应提供计数,并且客户端可以在下一个请求中提供(计数+秘密盐)的哈希值。 A potential hijacker has no access to the secret salt and cannot generate the next hash. 潜在的劫持者无法访问秘密盐,无法生成下一个哈希值。 Even a non-SSL login can probably establish a secret salt if login is accomplished using one-time-use hashed passwords. 如果使用一次性使用的散列密码完成登录,即使非SSL登录也可能建立秘密盐。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.