Play framework security issue regarding cookies and sessions

后端未结

关注

 4  1060

天命终不由人 2021-01-31 00:44

For my app I\'m implementing the same security as shown in the zentask.

public class Secured extends Authenticator {

@Override
public String getUsername(Context


      
      
        
          4条回答        

        
                    
            
            
                         
                
              
              
                
                   轮回少年
                                             
                
                
                (楼主)
            
              
              
                2021-01-31 01:17
              

            
            
                        
Play Framework uses stateless sessions.  There is no state stored on the server side, rather, all the state is stored in the session cookie.  To validate a session, Play signs the sessions using a secret key, and validates the signature when a request with a session cookie arrives.  If a user was to tamper with the session data, for example, if they changed the email address in the session to someone else's email address, then the signature would not match, and so Play would reject the session cookie.

Yes, you can copy the cookie and use it later.  But you can't change the cookie.  This means the only cookie that you can "steal" is your own, but stealing from yourself is not really stealing.  So no, you can't steal sessions, except through exploiting other vulnerabilities such as XSS, but session tokens are vulnerable to this too.

By default, Play is configured to create "session" cookies, ie, cookies that expire when you close the browser.  So if a user quits out of their browser, the browser will delete all the session cookies, and the user will not be logged in anymore.  This is the same for session tokens.

There is one consideration to be aware of, and that is that session tokens also expire on the server because the server holds state.  Stateless signed sessions, such as those used in Play, don't.  However, you can implement an expiration mechanism yourself, by storing a timestamp inside the session when it is created, and verifying that that timestamp is no older than a configured expiration period in the getUsername() method.  Since the timestamp is stored in the session, which is signed, the timestamp can't be tampered with without changing the signature, so this simple mechanism is quite safe.  A more advanced solution might be to implement a filter that updated that timestamp each time a request came in, so that expiration could be based on last accessed, rather than when the user logged in.
    
             
                                                        
            
            
              
                
                0
              
                   
                
               讨论(0)
              
                                                  
              
              
                          
             
       
          
              
                                       
     查看其它4个回答


            
                         
                    


               
            
    发布评论:
    
         
                        
    
    提交评论 
  
  

                    
                    
                    
                        
                        
                         加载中...
                        
                    
                
          
                              			
        
        
        
          
            
            
              
              
            
    


                                 
              
            
                          
    

        
         
                验证码
                
                  
                
                
                   看不清?
                
              
                                  
                    
   
                 
             
              提交回复