Session Hijacking over HTTP

Programming Basics | Industry News  Updated: 2024-10-28 09:29:08

I have noticed a lot of very large websites make you log in using HTTPS and then immediately switch back over to HTTP once I am logged in (myfitnesspal.com, pluralsight.com). If I use a packet sniffer I can see the session id cookie and verify that the request is being sent via HTTP. Doesn't this mean that someone could easily hijack my session if they were listening, or is there something else I am missing? Also, on a similar note is there any reason that I would want to use HTTP over HTTPS other than the additional computation on the server?

Best answer

It depends how sessions are being handled. It is possible that two sessions are being handled by the server. One secured and one unsecured.

When you log into these sites they may set two session cookies, one for browsing and one for secure access to admin/account management/checkout areas. The second cookie would be marked as "SECURE" and only be sent over a TLS/SSL connection. When browsing normally, etc only the unsecured connection is used and only to maintain state in the session, but when you go to account management, checkout, etc, then you are switched back to the secure session for those purposes. If it has been too long since your last secure access you may be asked to reauthenticate.

So while it is possible that your browsing session could be hijacked, it is unlikely (if properly implemented) that your account could be compromised as a result.
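The answer above describes a two-cookie scheme: a plain session cookie that rides along on every HTTP request, and a second cookie carrying the Secure attribute that the browser only attaches to HTTPS requests. The following Python script, an added example and not code from the question, the answer, or either site named, models exactly that browser decision and adds a small audit that flags session cookies a passive sniffer on an HTTP link would see. The cookie names `browse_sid` and `account_sid`, their values, and the sample Set-Cookie headers are constructed for the example.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlparse

# Constructed sample Set-Cookie headers (not real responses from any site),
# modelling the two-session scheme: one browsing cookie sent over plain HTTP,
# one account cookie marked Secure so the browser only sends it over TLS.
SAMPLE_SET_COOKIE_HEADERS = [
    "browse_sid=abc123; Path=/; HttpOnly",
    "account_sid=xyz789; Path=/; Secure; HttpOnly; SameSite=Lax",
]


def parse_set_cookie(headers):
    """Parse Set-Cookie header values into a dict keyed by cookie name.

    Each entry records the value and whether the Secure / HttpOnly flags were set.
    """
    jar = {}
    for header in headers:
        cookie = SimpleCookie()
        cookie.load(header)
        for name, morsel in cookie.items():
            jar[name] = {
                "value": morsel.value,
                # SimpleCookie stores a present flag as True and an absent one as ""
                "secure": bool(morsel["secure"]),
                "httponly": bool(morsel["httponly"]),
            }
    return jar


def cookies_sent_for(jar, url):
    """Names of cookies a browser would attach to a request for `url`.

    Only the Secure attribute is modelled here: a Secure cookie is withheld from
    any request whose scheme is not https. Path and domain matching are ignored
    because the example keeps everything under a single host and Path=/.
    """
    scheme = urlparse(url).scheme
    return sorted(
        name for name, attrs in jar.items()
        if scheme == "https" or not attrs["secure"]
    )


def audit_session_cookies(jar, session_cookie_names):
    """Session cookies that lack Secure: these are exposed to anyone sniffing HTTP traffic.

    A site whose only session identifier appears here lets a passive observer
    replay it; a site following the two-cookie scheme should only show the
    low-privilege browsing cookie.
    """
    return sorted(
        name for name in session_cookie_names
        if name in jar and not jar[name]["secure"]
    )


if __name__ == "__main__":
    jar = parse_set_cookie(SAMPLE_SET_COOKIE_HEADERS)
    print("sent over http: ", cookies_sent_for(jar, "http://example.com/feed"))
    print("sent over https:", cookies_sent_for(jar, "https://example.com/account"))
    print("exposed on HTTP:", audit_session_cookies(jar, ["browse_sid", "account_sid"]))
```

Run it against the constructed headers and only `browse_sid` is sent on the plain-HTTP request and flagged by the audit, while `account_sid` is withheld until the browser speaks HTTPS. To check a real site, replace `SAMPLE_SET_COOKIE_HEADERS` with the Set-Cookie values from your own login response; if the cookie that gates account pages shows up in the audit output, the server is not using the scheme the answer describes.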

Published: 2023-08-02 02:59:00
本文链接:https://www.elefans.com/category/jswz/34/1369879.html
Tags: HTTP, Session, Hijacking