How to store Session ID securely

我们两清 提交于 2021-02-02 09:06:29

问题


I am a student learning about cryptography. After searching online, I am still unable to find an answer to my question. I am wondering how to store a session ID securely for an ecommerce website. If it is possible, how so? Please do explain it in Layman's term. Looking forward to your helpful answers.

Cheers


回答1:


Session IDs are usually just a random (opaque) identifier that is passed between the client and the server. The server uses the identifier to look up state information (e.g. current cart content) in the database.

As a practical matter, you have to trust that the client will protect the session id, as once you send it to them, it becomes a static token -- no amount of cryptography can fix the fact that anyone can present a session id and then pretend to be the user.

There are some things that you can do to mitigate issues:

  1. ensure you are using a "secure enough" random generator to build the token

  2. make sure the transmission of the token is as secure as possible against eavesdropping or client-side theft (e.g. use SSL, httponly and secure cookie flags)

  3. Give the token a reasonable timeout, and require the user to request a new token periodically using e.g. a refresh token or re-login.

A lot of thought has gone in to how this can work practically - have a look at the OAuth2 / OpenID Connect protocols.



来源:https://stackoverflow.com/questions/44982945/how-to-store-session-id-securely

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!