PHP

yourisus, 2017-04-15 12:17:33

Cookie and session security?

Good day, friends.
It seems I understand the essence of cookies and sessions: cookies are on the client, sessions on the server.
But I have a security question: if an attacker steals cookies from the client and uses them himself, will he get access without logging in?
And if you imitate the browser id and substitute other people's cookies, can you get access without logging in?
What specifically is recorded in sessions that makes them more secure? A combination of IP and browser_agent_id?
Maybe someone could describe this technology a little more in terms of security, and what exactly the input/output data is.


2 answer(s)
Dimonchik, 2017-04-15
@dimonchik2013

A session is not on a server; it's an abstract concept made so that beginner (and shitty) coders can get up to speed more easily.
(1) The user logs in (authenticates); under his rights, all the template routers, based on policies, generate and send content. That's all. One page request, one response.
(2) So that the user does not have to keep entering a login and password, at the first login an identifier is created for him and sent in a cookie. Thus, with each request the user sends this identifier instead of a login. And the server: see (1).
Naturally, this identifier can be intercepted (over an unsecured connection trivially; over a secure connection, nobody has abolished Trojans) and used to log in as the user.
Therefore, on the server side, they solve this problem in different ways:
VK sends an email for each login saying "you are logged in"; Google writes "you did not log in from this IP, confirm"; some ignore it; some (banks) require each new login to be confirmed by SMS.
How does the server determine suspiciousness? Everything from browser details to time zones.
Read about OAuth.
Read about CSRF.

Zakharov Alexander, 2017-04-15
@AlexZaharow

There is no absolute security and secrecy. Deal with it. You can only make life as difficult as possible for the attacker. Enable SSL, and that is sufficient in most cases.
Essentially, the content of a cookie is just a string of text, possibly unique for each session, but not necessarily. It depends on the purpose. Mostly numeric forms are used, since it is easier to generate unique random sequences that way. But you could write a quatrain by A. S. Pushkin in there if you wanted. On one computer you can open two browsers, copy the cookies from the first into the second (under certain conditions), and the server will treat this as one session.

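The two answers above describe the same mechanism from two sides: the cookie carries an opaque identifier that stands in for the login, and the server-side "session" is nothing more than a record keyed by that identifier, optionally bound to properties of the client so a copied cookie is harder to replay. The following is an added PHP example written for this thread, not code posted by either answerer and not any framework's implementation. The cookie name `SESSID`, the `$store` array standing in for a real session backend (files, Redis, a database), and the choice of fingerprint inputs (IP /24 prefix plus User-Agent) are assumptions made for illustration.

```php
<?php
// Added example for this thread: a minimal session layer in plain PHP showing
// (a) the identifier is just CSPRNG output with no meaning of its own,
// (b) how the cookie is sent with Secure/HttpOnly/SameSite set, and
// (c) how the server binds the session to the client and re-checks that binding.
// Cookie name, store shape and fingerprint inputs are assumptions, not a standard.

declare(strict_types=1);

const COOKIE_NAME = 'SESSID';
const SESSION_TTL = 3600; // seconds of inactivity after which the identifier is worthless

/** Server-side session store: id => [user_id, fingerprint, expires]. In-memory stand-in. */
$store = [];

/** The identifier is 128 bits from a CSPRNG, hex-encoded; it carries no information. */
function newSessionId(): string
{
    return bin2hex(random_bytes(16));
}

/**
 * Coarse fingerprint the session is bound to. Only the /24 of an IPv4 address is used
 * so DHCP churn or mobile NAT does not log users out. User-Agent is trivially spoofable,
 * so this raises the bar for a replayed cookie; it is not authentication by itself.
 */
function fingerprint(string $ip, string $userAgent): string
{
    $prefix = implode('.', array_slice(explode('.', $ip), 0, 3));
    return hash('sha256', $prefix . '|' . $userAgent);
}

/** Step (2) of the first answer: after a successful login, mint an identifier and hand it out. */
function login(array &$store, int $userId, string $ip, string $userAgent): string
{
    $id = newSessionId();
    $store[$id] = [
        'user_id'     => $userId,
        'fingerprint' => fingerprint($ip, $userAgent),
        'expires'     => time() + SESSION_TTL,
    ];
    // Secure: never sent over plain HTTP. HttpOnly: invisible to document.cookie (XSS).
    // SameSite=Lax: not attached to cross-site POSTs, which is part of the CSRF defence.
    if (PHP_SAPI !== 'cli') {
        setcookie(COOKIE_NAME, $id, [
            'expires'  => 0,          // session cookie, discarded when the browser closes
            'path'     => '/',
            'secure'   => true,
            'httponly' => true,
            'samesite' => 'Lax',
        ]);
    }
    return $id;
}

/**
 * Step (1) on every later request: look the identifier up and re-check the binding.
 * Returns the user id, or null when the cookie is missing, expired, or presented by a
 * client that does not match the one it was issued to (the stolen-cookie case).
 */
function authenticate(array &$store, ?string $cookie, string $ip, string $userAgent): ?int
{
    if ($cookie === null || !isset($store[$cookie])) {
        return null;
    }
    $s = $store[$cookie];
    if ($s['expires'] < time()) {
        unset($store[$cookie]);
        return null;
    }
    if (!hash_equals($s['fingerprint'], fingerprint($ip, $userAgent))) {
        // Mismatch: treat as suspicious and revoke, so the legitimate user must log in again.
        unset($store[$cookie]);
        return null;
    }
    $store[$cookie]['expires'] = time() + SESSION_TTL; // sliding expiry
    return $s['user_id'];
}

// Constructed walk-through for php-cli (addresses are documentation ranges, not real hosts).
$ua = 'Mozilla/5.0 (X11; Linux x86_64) Firefox/52.0';
$id = login($store, 42, '203.0.113.7', $ua);

// Same browser, same /24: the cookie replaces the password and the user id comes back.
var_dump(authenticate($store, $id, '203.0.113.9', $ua));

// The same cookie replayed from a different network and client: rejected and revoked.
var_dump(authenticate($store, $id, '198.51.100.5', 'curl/7.52.1'));

// The original browser now finds its session gone and has to log in again.
var_dump(authenticate($store, $id, '203.0.113.7', $ua));
```

Run with `php example.php`: the first call returns the user id, the second and third return null. This also covers the two-browsers-on-one-machine case from the second answer: the IP matches, but the User-Agent differs, so the copied cookie is rejected here, whereas a server that stores nothing but the user id against the identifier would accept it. The check is deliberately coarse; a stricter binding (full IP, TLS-level client identity) cuts off more attackers but also more legitimate users on changing networks, which is the trade-off the first answer describes with VK, Google and the banks.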