Can session value be hacked?

Backend · unresolved · 7 · 1523
青春惊慌失措 2020-12-05 19:05

When I left a site without logging out, the next time I browsed that site I found I was still logged in there. How does the server restore the session value for my browser? Is there

7 answers
  • 2020-12-05 19:19

    You would have to sniff his traffic and steal his cookies. Then, if he doesn't log out (so the server does not invalidate the cookies), you could log in with them.

  • 2020-12-05 19:20

    It uses cookies, a text string your browser keeps on behalf of the site, either for a set time limit or until you close your browser.

    Log out if it's a concern. Obviously, if someone else uses the same computer shortly after you, they'd be able to use the site logged in as you. Always explicitly log out from publicly accessible computers.

  • 2020-12-05 19:23

    In all technologies I'm aware of, web-based session values are stored on the remote server. So, to hack your session values would require hacking the remote server. What you are encountering is the fact that your session identifier is stored in a cookie (a session cookie), so that when you re-open your browser the cookie is used to identify you and provide access to your remote session. Normally session cookies have a short TTL (time to live) before they expire and log you out, but if not, explicitly logging out should clear it. If you are really worried you can delete your cookies.

  • 2020-12-05 19:25

    The cookie is usually a session id that connects to a session database on the website's server; however, there are some cookies where most details are in local storage and are normally accessed through JavaScript or an identification key on the server. Most cookies can't be hacked, because you would need to decrypt the cookie using a key which is normally on the server and then get remote access to the session database.

  • 2020-12-05 19:26

    As others have noted this is the cookie on your machine.

    The way to "hack" it would be to gain access to your machine and then take a copy of the cookie. Or take a copy of the cookie while it is being sent to the browser.

    To guard against this you could:

    • Send the cookie to the client over https.
    • Do not store the cookie on disk (a cookie without a timeout will be stored in memory)

    Locking a session to a single IP address can cause problems if your users are coming from a network with 2 proxy servers.

  • 2020-12-05 19:34

    Depending on whether the server checks the IP address trying to use the token (probably a cookie, but doesn't have to be) against the one that logged in, it might be possible for a thief to use that cookie to gain access to your account.

    A well-designed site will not only cause sessions to time-out but also restrict them to a single IP address (and browser user-agent, etc).

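The answers above all describe the same mechanism from different angles: the browser holds only an opaque session id in a cookie, the real session data lives on the server, a copied cookie replays until the server-side record is invalidated by logout or expiry, and the cookie flags (HTTPS only, no expiry so it is not written to disk) plus optional IP binding limit the damage. The following Python is an added example written for this page, not code from any of the answerers or from any framework; `SessionStore`, `login`, `resolve`, `logout` and the sample user names and IP addresses are all illustrative assumptions. IP binding is off by default because of the proxy problem one answer points out.

```python
"""Minimal server-side session store (added example, not code from the thread).

Illustrates: opaque random session id in a cookie, server-side record,
Secure/HttpOnly flags, no Max-Age (so it is a browser "session cookie"),
expiry, logout invalidation (which kills a stolen copy), and optional IP binding.
All names and sample values below are hypothetical.
"""
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Session:
    user: str
    created: float
    expires: float
    client_ip: Optional[str] = None      # set only when the store binds to IP
    data: dict = field(default_factory=dict)


def parse_cookie(header: str) -> dict:
    """Parse a 'Cookie:' header value ('a=1; sid=abc') into a dict."""
    out = {}
    for part in header.split(";"):
        if "=" in part:
            k, _, v = part.strip().partition("=")
            out[k] = v
    return out


class SessionStore:
    COOKIE = "sid"

    def __init__(self, ttl_seconds: int = 900, bind_ip: bool = False, clock=time.time):
        self.ttl = ttl_seconds
        self.bind_ip = bind_ip        # off by default: breaks behind rotating proxies
        self.clock = clock            # injectable so expiry can be tested offline
        self._sessions: dict = {}

    def login(self, user: str, client_ip: Optional[str] = None):
        """Create a server-side session; return (sid, Set-Cookie header value)."""
        sid = secrets.token_urlsafe(32)   # 256 bits from the CSPRNG, not guessable
        now = self.clock()
        self._sessions[sid] = Session(user, now, now + self.ttl,
                                      client_ip if self.bind_ip else None)
        # No Max-Age/Expires: a "session cookie", held in memory and dropped when
        # the browser closes.  Secure: only sent over HTTPS.  HttpOnly: not readable
        # by page scripts.  SameSite=Lax: withheld on most cross-site requests.
        header = f"{self.COOKIE}={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"
        return sid, header

    def resolve(self, cookie_header: str, client_ip: Optional[str] = None):
        """Map the sid in a Cookie header back to its Session, or None."""
        sid = parse_cookie(cookie_header).get(self.COOKIE)
        sess = self._sessions.get(sid) if sid else None
        if sess is None:
            return None
        if self.clock() >= sess.expires:          # expired: drop the record
            del self._sessions[sid]
            return None
        if self.bind_ip and sess.client_ip != client_ip:
            return None                           # same cookie, different origin IP
        return sess

    def logout(self, sid: str) -> str:
        """Invalidate server-side; any stolen copy of the cookie is now worthless."""
        self._sessions.pop(sid, None)
        return f"{self.COOKIE}=; Path=/; Max-Age=0; Secure; HttpOnly; SameSite=Lax"


def replay_demo() -> dict:
    """Walk through the thread's scenario with constructed sample data."""
    clock = [1000.0]
    store = SessionStore(ttl_seconds=60, clock=lambda: clock[0])
    sid, set_cookie = store.login("alice")
    cookie = set_cookie.split(";")[0]            # what the browser echoes back
    result = {"set_cookie": set_cookie, "user": store.resolve(cookie).user}
    stolen = cookie                              # sniffed or lifted from another user
    result["stolen_works_before_logout"] = store.resolve(stolen) is not None
    store.logout(sid)
    result["stolen_works_after_logout"] = store.resolve(stolen) is not None
    _, sc2 = store.login("bob")
    clock[0] += 61                               # past the 60 s TTL
    result["expired_works"] = store.resolve(sc2.split(";")[0]) is not None
    bound = SessionStore(ttl_seconds=60, bind_ip=True, clock=lambda: clock[0])
    _, sc3 = bound.login("carol", client_ip="203.0.113.5")
    c3 = sc3.split(";")[0]
    result["ip_bound_same_ip"] = bound.resolve(c3, client_ip="203.0.113.5") is not None
    result["ip_bound_other_ip"] = bound.resolve(c3, client_ip="198.51.100.9") is not None
    return result


if __name__ == "__main__":
    for k, v in replay_demo().items():
        print(f"{k}: {v}")
```

Running the demo shows the stolen cookie resolving to alice's session right up to the `logout` call and failing immediately after, an expired id failing once the clock passes the TTL, and, with `bind_ip=True`, the same cookie being rejected from a second IP. The random id is what makes "decrypting the cookie" beside the point: there is nothing inside it, so the only attacks are obtaining a copy or breaking into the store.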