PHP secure session and cookies

Published 2019-06-14 16:12

Question:

I don't understand why we have to secure the cookies and session. I have a cookie that stores the userid, username and encrypted password.

I have a function that checks the cookies at any moment to see whether the information matches the database information; if not, it redirects to the login page. However, I don't understand the risk: someone can view this information, but what can he do with it?

Can anyone explain to me what the risk is?

Answer 1:

It's hard to quantify in exact terms. First, remember that cookies are transferred between the client and the server in every single request. That's potentially many opportunities for someone to intercept them. Just assume that cookies will be intercepted at some point by somebody.

Storing the username, userid and (encrypted) password in the cookie:

  • leaks information which may or may not be useful or usable for nefarious purposes; i.e. for a successful login you need a username and a password, and you are waving both high up in the air shouting CAPTURE ME, the username even in plaintext
  • relies solely on the secrecy of your encryption algorithm for the password; if it becomes known, you have quite a security problem
    • since the encrypted password is known, an offline brute force attack can be mounted against it to reveal the encryption algorithm and plaintext password; this attack may or may not be purely theoretical, but the fact that it exists at all should bother you
    • if it is possible at all to decrypt the password, you have already lost; the password is a secret only the user alone should know, and not even you want to know at any point what the password is; if you do know the password, you have a giant responsibility to safeguard it, and you certainly do not want to send it back and forth over HTTP the whole time; → see password hashing
  • gives you no control over anything, all login information rests with the client (i.e. what do you do if you know any of the above was compromised?)
  • does not let you change passwords without invalidating all active logins

On the other hand, using only a meaningless session id:

  • reveals no useful information in the cookies
  • no opportunity to crack or brute force anything of value
  • server holds the ultimate power since sessions can be revoked at any time
  • it's simpler (simpler is always good in security)
  • using a full session with server-side state allows you to escalate privileges; e.g. require the user to have actively logged in with his password within the last x minutes from the current IP before allowing him to change his password or email address → provides security even if the session cookie should be hijacked

In short: session ids present no attack surface at all, since they're inherently meaningless. Userids, names and passwords present a very juicy target. Just from those basic points sessions should seem a lot more appealing. Assuming a perfect implementation with otherwise perfect security, both should be rather secure. However, you do not know what insecurities you have, and you won't have perfect security. Assuming this, knowing this, the simpler system with fewer caveats should always be preferable.
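As an added example that is not part of the original answer, here is what the session-based alternative described above looks like in PHP: the cookie carries only an opaque session id, the password is stored and checked only as a password_hash() hash, the id is regenerated at login, and changing the password additionally requires that the user authenticated recently from the same address. It assumes a PDO connection `$pdo` and a `users` table with `id`, `username` and `password_hash` columns, and picks a 10-minute window for the re-authentication check; those names and the window are assumptions, not anything from the original post.

```php
<?php
// Added example, not code from the original question or answer.
// Assumed: $pdo is a PDO connection and the `users` table has the columns
// id, username and password_hash (the output of password_hash()).
declare(strict_types=1);

// Assumed window for "actively logged in within the last x minutes".
const REAUTH_WINDOW_SECONDS = 600;

function start_secure_session(): void
{
    // The session cookie holds only a random id: sent over TLS only, not
    // readable from JavaScript, not attached to cross-site requests.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    session_start();
}

function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // The plaintext password is compared against the stored hash and then
    // discarded; nothing derived from it is ever put in a cookie.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }

    // Fresh id after authentication, so an id an attacker planted before
    // login (session fixation) never becomes an authenticated session.
    session_regenerate_id(true);
    $_SESSION['user_id']   = (int) $row['id'];
    $_SESSION['auth_time'] = time();
    $_SESSION['auth_ip']   = $_SERVER['REMOTE_ADDR'] ?? '';
    return true;
}

function require_login(): int
{
    if (!isset($_SESSION['user_id'])) {
        header('Location: /login.php');
        exit;
    }
    return $_SESSION['user_id'];
}

// The "escalation" from the answer: a stolen session cookie alone is not
// enough to change credentials, because that needs a recent password
// check from the same address as the current request.
function recently_authenticated(): bool
{
    return isset($_SESSION['auth_time'], $_SESSION['auth_ip'])
        && (time() - $_SESSION['auth_time']) <= REAUTH_WINDOW_SECONDS
        && $_SESSION['auth_ip'] === ($_SERVER['REMOTE_ADDR'] ?? '');
}

function change_password(PDO $pdo, string $current, string $new): bool
{
    $userId = require_login();
    if (!recently_authenticated()) {
        return false; // caller should send the user through login() again
    }
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE id = ?');
    $stmt->execute([$userId]);
    $hash = $stmt->fetchColumn();
    if ($hash === false || !password_verify($current, $hash)) {
        return false;
    }
    // Because no password material lives in the cookie, the hash can change
    // here without invalidating this or any other active session.
    $stmt = $pdo->prepare('UPDATE users SET password_hash = ? WHERE id = ?');
    $stmt->execute([password_hash($new, PASSWORD_DEFAULT), $userId]);
    return true;
}

function logout(): void
{
    // The server holds the power: once the session is destroyed the id the
    // client still has is meaningless, whoever presents it.
    $_SESSION = [];
    session_destroy();
}
```

Call start_secure_session() at the top of every script before touching $_SESSION; the hijack protection comes from the fact that the hijacked cookie can only ever be a key into state the server controls, never the credentials themselves.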