我正在使用play framework2设计一种非常安全的登录机制.由于Play没有会话的概念,因此无法将其保存在Cookie(我喜欢)中,因此我想知道我需要考虑哪些安全措施.显然,我们将使用SSL来传达登录凭据,并且cookie也将被加密为某些用户信息的值,例如他们的电子邮件或用户ID.有人可以嗅探该cookie或从另一个用户的cookie中获取该cookie并重用它吗?我怎样才能使它更安全?
I'm designing a very secure login mechanism using play framework2. Since Play does not have a notion of sessions and keep things in the cookies (which I like) I was wondering what are the security measures I need to think about. We obviously going to use SSL to communicate the login credentials and also the cookie is going to be encrypted value of some of user's information like their email or userid. Is it possible that someone can sniff that cookie or get a hold of it from another user's cookie and reuse it? how can i make this more secure?
推荐答案实际上,cookie未被加密.已签名.该签名来自application.conf中的application.secret.
In fact the cookie isn't encrypted. It is signed. This signature comes from the application.secret in your application.conf.
这意味着任何人都可以看到Cookie的内容(并最终试图欺骗其他会话或更改其登录名/标识/令牌...)
It means that anyone can see the content of the cookie (and eventually try to spoof other sessions or change their login/id/token...)
来自Play文档:
当然,Cookie值是用密钥签名的,因此客户端无法修改Cookie数据(否则它将无效).
Of course, cookie values are signed with a secret key so the client can’t modify the cookie data (or it will be invalidated).
我不是安全专家,但是,如果您将应用程序的秘密保密,它对我来说就足够了.
I am not a security guru, but, if you keep your application secret secret, it seams enough to me.
欢迎讨论签名的强度!
更多推荐
使用Cookie和Java创建非常安全的登录名
发布评论