How to encrypt session id in cookie?

后端 未结 8 1540
春和景丽
春和景丽 2021-02-06 05:43

While I was reading about session hijacking articles, i learned that it would be nice to encrypt session id value that is stored in a cookie.

As far as I know, when I s

相关标签:
8条回答
  • 2021-02-06 06:03

    Encrypting won't help. The session cookie is just a magic number anyway. Encrypting it just means there's a different magic number to hijack. Depending on what hijacking scenarios you have in mind, there are other possible mitigations. For example, you can limit sessions to a single IP. That poses some issues though, e.g. people switching between wireless points.

    0 讨论(0)
  • 2021-02-06 06:05

    It's more important that your session IDs are random (that is, someone can't use their session ID to guess another person's), as the real danger is somebody getting their hands on another user's session ID. As long as you keep them truly random, there's no reason to or utility in encrypting it

    0 讨论(0)
  • 2021-02-06 06:07

    Unfortunately encrypting the session ID is not going to increase security much, as the attacker can just use the encrypted form (which is the only thing visible to them anyways).

    The only thing this might prevent is the trick where you send someone a link with ?PHPSESSID=foo in it, which will cause PHP to create that session. You can prevent that by using encryption and validation, but you should rather turn off session ID transfer in the URL completely.

    0 讨论(0)
  • 2021-02-06 06:14

    It's always a good idea to never depend on solely on one cookie or item to validate your (logged in) user(s). As mentioned above, it's a good idea to also store the IP and check with that. A good addition would be to store the USER_AGENT.

    Bare in mind that if your application is open sourced, you're just as good with a session id alone because the hacker could easily identify what it is you're validating against.

    0 讨论(0)
  • 2021-02-06 06:16

    Assuming your session cookie is a GUID, there is no point encrypting it. It would just replace one pseudo-random string with another.

    0 讨论(0)
  • 2021-02-06 06:16

    It makes sense to encrypt cookie data when you use cookies to store sensitive info. that only the server should read (decrypt).

    There's no reason to encrypt session id, since the hacker can use that encrypted session id to impersonate his victim.

    0 讨论(0)
提交回复
热议问题