开发者

security for cookies

If I sign-up to a website and the website sends me a cookie with and ID with which it can identify me, can somebody else impersonate me if they get hold o开发者_如何学JAVAf this cookie?

If somebody else knows the format of the cookie and guesses the ID can they impersonate me this way?

Also, any material where these things are discussed is appreciated.


The answer to both questions is a qualified "yes". But, both impersonations can be made very difficult. Things that make it difficult to steal a session Id from a cookie:

  1. Using https. All communications between you and the server are encrypted and very difficult to hack.

  2. If the server is using PHP sessions, the ID in the cookie is lengthy and difficult to guess.

  3. Even without these, to intercept a cookie is difficult since the perpetrator must make his/her computer listen for transmissions to/from your IP address or the server IP.

Best security is long IDs (a la PHP sessions) combined with usage of https.

If you're developing, here's some good info: http://thinkvitamin.com/code/how-to-create-totally-secure-cookies/

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜