如何通过简单地将cookie从机器复制到另一台机器来防止会话劫持？

Question

大多数Web应用程序使用cookie来管理用户的会话,并允许您保持登录状态,即使浏览器已关闭.

让我们假装我们在书中做了所有事情,以确保cookie本身是保存.

• 加密内容
• 仅设置http
• 设置安全
• ssl用于连接
• 我们检查是否有篡改cookie的内容

是否有可能阻止对机器具有物理访问权限的人复制cookie并在另一台机器上重复使用,从而窃取会话？

Answer 1

It doesn't make sense to "protect" against this. If this kind of copying happens, then either:

• The end user did it on purpose because they wanted to change computers. This is, of course, not something you should care about or be concerned about.
• An attacker has already compromised the user's browser and gotten access to the cookies stored inside. By definition this cookie is a secret that proves that the identity of the HTTP client. If the attacker already has access to it, they can already use it in any number of ways of their choosing that you won't be able to prevent or distinguish from the real user accessing the server legitimately.

Answer 2

使用cookie对会话进行身份验证时存在这种风险:cookie是一个不记名令牌,任何可以呈现cookie的人都会通过身份验证.

这就是为什么你会看到进一步的保护,例如:

• 在一定时间或不活动时间后自动注销;
• 设备指纹识别 ;
• 要求对关键操作进行重新认证(例如进行银行转帐或更改密码).