write the login status information in cookie. How can you avoid this situation if you fake the cookie and send the request after being caught by the user? bold text
write the login status information in cookie. How can you avoid this situation if you fake the cookie and send the request after being caught by the user? bold text
the most important thing is to prevent being caught, others can only increase the difficulty of being forged, and can not completely avoid being "forged".
after all, whether it is cookie, session, or token, the client must have a login credential, and the backend can only recognize this credential. If the credentials are taken away by others, there is nothing the backend can do.
of course, you can combine multiple authentication methods to make it more difficult to forge.
for example: the meaning of the fields in
cookie should not be easily understood. Put a few more confusion, some are request parameters, some are authentication;
not only judge the cookie, but also judge whether the client is the same or ip is the same;
not only cookie,localStorge and sessionStorage also put some authentication fields.
.
in addition, talk about several invalid methods:
this is useless. When you refresh it, you don't exchange the old one for the new one. If the forger has the old one, of course you can get the new one.
of course, it may make forgery more difficult.
if the backend wants to authenticate its identity, it must need an algorithm that can be decrypted. If md5 is used as an one-way encryption, there is no way for the backend to authenticate the user's identity. The encrypted string used by the front end must be decrypted by the back end.
if you use an algorithm that can be decrypted, but because the front-end code can be seen by others, the encryption method can also see that there is no point in using the existing encryption algorithm, and it is difficult to use an encryption algorithm that can only be decrypted by yourself.
for security: please constantly reset session; set the expiration time shorter; monitor the values of referrer and userAgent; use HttpOnly to prevent scripts from reading Cookie. These measures are not foolproof, but they make it more difficult for hackers, so they are also effective.
https://blog.fundebug.com/201.
encrypt it first when you send it. If you use md5 or sha1 encryption algorithm, it is impossible (or too expensive) to push back token without knowing key.
if you say, can't I just get this token and forge it? it's true, so it's basically safe to add session, that is, to store a session_id, in cookie and then the server verifies session_data,session_id + cookie through a secret.
in addition, you can generate a signature for the cookie, and the secret that generated the signature is also saved on the server, and then verify whether the current generated signature is the same as the previous signature for each request. For example, if username saves the aaa, client as username=foo_aaa, according to a certain encryption algorithm and the encrypted signature of secret, and then someone tampers with username to bar_aaa, and transmits it to the server and finds that the signature generated by bar is inconsistent with aaa, it proves that cookie has been tampered with.
other words, there are httponly, secure and other configurations, these are settings to prevent third parties from tampering with cookie, while trying to use https, to prevent the middle of the request transmission process from listening.
personal humble opinion, if there are any mistakes, please correct them.
to be honest, it's impossible. Unless your cookie is disposable, I can use it on your cookie when I grab it. You can only use a variety of strategies to guess whether his behavior is risky and unavoidable.
if your network environment can be caught, your network is already very insecure. Then it's time to show the advantages of https.
The horizontal coordinates of echarts are not specifically marked, and the X coordinates do not have a grid to indicate. Here is a figure that specifies . js * * createChartSix() { this.$http .get(this.$api.dataChart) .then(rsp => { ...
sincerely ask for advice: < hr > I want to use node as the background to build a video streaming server. The front end is similar to Youku VOD. It can record the playback node function, and load the progress bar at any point (starting from the c...
I need to implement in a chained promise function, any function error in the middle terminates the program, and can catch the error function, and then perform different operations according to different error functions. How can the following code be imp...
I would like to ask what is wrong with this code. Thank you for your answers. ...
is doing a question on Niuke.com. I encounter a problem: to achieve the function callIt, after the call meets the following conditions 1, the returned result is the result after calling fn 2, and the call parameter of fn is all the parameters after th...
A timing examination system is triggered if the click event is triggered within 5 seconds, and if it is not triggered, the system marks the correct answer at the end of the countdown. How to implement ...
description: a regular match is given to the content of an input box, and the matching content is the product activation code. looks like this: "0C31-0B81-BB32-3094-0C31-0B81-BB32-3094 " Code: $( -sharplicenseCode ).keyup(function () { le...
1. The custom event triggers the click event of .cpcstartrefresh, but triggers 2 click events each time 2. The code is as follows: window.onmessage = function (e) { create an event object, var myEvent = document.createEvent( Event ); m...
I configured the MIME type of the file with the amr suffix in the apache configuration as application ms-download, Why it is a garbled page when opening a file in amr format using window.open in chrome, while a file in amr format can be successfully dow...
I got a set of data, which is to choose the type of question. How can I tell if I have chosen the right one answera: "Olympic Games " answerb: "Asian Games " answerc: "Paralympic Games " answerd: "University Games " id: "1772 " question: "f...
read a number, such as 521 change this number to 0521 but put it into four div separately, how to realize it? 0 < div > 5 < div > 2 < div > 1 < div > ...
react projects cannot save store? using redux, data index.js ReactDOM.render( <Provider store={store}> <Router > < Provider>, document.getElementById( root )) registerServiceWorker() actions export const SET_USER = ...
how to find all the NA characters in a HMLT page and replace it with "and invalid " with native JS ...
...
suppose there are only a.js and b.js (only two js and nothing else) b.js export A variable is used for a.js can you directly use import and export without using packaging and compilation tools such as webpack or babel can it be achieved with the h...
do the gods have plug-ins for uploading attachments in the mobile version that can also be uploaded more than one? ...
what does the code circled in the following picture mean? ...
I look at a html ui project with items such as: var apiserver = window[ apiserver ]; url = apiserver + "filterUrlController getUrlData"; I searched the whole project and couldn t find the value of window [ apiserver ]. How do you un...
In the vue-cli project, I directly introduced the particls library into index.html, and the related files are placed in the static directory . <div id="particles-js">< div> <script type="text javascript" src="s...
How does the code return only the result after the last asynchronous operation in the for loop is completed as shown in the figure? Please stop by and give me a hand. ...