开发者

HTTP Cookies: Any way to make sure it wasn't copied?

Is there any way that a website can read 开发者_JS百科a cookie in a way that the cookie is locked to that particular computer and that it wasn't somehow copied to another computer?


Assuming you don't trust the end point — no.

If you don't trust the user, then you can't be sure.

If you don't trust the computer (e.g. it might have malware installed), then you can't be sure.

If you don't trust the connection (i.e. it isn't secured with SSL), then you can't be sure.

You be sure by linking the cookie to an IP address, since:

  • Multiple computers can share an IP (e.g. via NAT)
  • One computer can cycle through multiple IPs (e.g. some large ISPs use a bank of proxy servers)

You could include a bunch of data gathered from the browser (e.g. the user agent string) as a hashed value in the cookie, but that would break if something changed the data you were checking against or the cookie was copied to another machine with identical data (while user agent strings can vary a lot, two computers can be configured identically, and there are plenty of circumstances where they are likely to be (e.g. in a company with a standard desktop install that includes standard versions of browsers and plugins).


The only thing you can do is to try to put as much data as possible in the cookie (browser user-agent,os, screen resolution,...). you have to scramble/encrypt the data. if you read the cookie again sometime you can check if the values still match. but of course this is no 100% safe solution since all these data can be faked by a malicious user (if he knows what exactly he needs to change)

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜