If the system does not use the session for permission checks, does a hijacked session still matter at all?
Or can session hijacking be used to impersonate a user and visit a site that otherwise could not be accessed?
By the way, can someone describe a defense scheme against session fixation attacks? If I rebuild the session on every request, will that leave the earlier steps unaffected?
CodePudding user response:
The system is a single point of access. If the sessionid changes, the request gets redirected to login, and that request is blocked by the browser's same-origin policy, so every time it goes through the single sign-on point the load on the single sign-on service is high. Does anyone have a good solution?
CodePudding user response:
The session is one means of checking. If your system did not use the session for checking, the front end would not send the session to the server, so it could not be hijacked. Session hijacking, as I understand it, means you can pretend to be a user to gain access. For defense, HTTPS is the usual method: the transported content itself is encrypted, which plays a defensive role. As for other methods, I know of asymmetric encryption, such as the JWT approach, but it requires the client to configure a private key; it is commonly used in enterprise applications and generally cannot be used for individual users.
CodePudding user response:
The same-origin policy is aimed at JS; if you just navigate from your browser's address bar, the same-origin policy is no problem. My company's single sign-on (SSO) is based on SAML.
CodePudding user response:
1. Session fixation is where an attacker creates a sessionid for you in advance and then leads you to log in. The way to deal with this attack is to reset the sessionid at the moment login succeeds, so that after the user has logged in successfully, the sessionid the attacker set is meaningless.
2. Session hijacking: what you actually need to solve here is XSS. Set HttpOnly on the cookie to true, have the backend do same-origin checks, and so on. If an attacker can get your sessionid, then no matter how you change the sessionid, even if you change it on every request, it is useless. So what you have to do is make it impossible for the attacker to get the sessionid, rather than changing it every time. To prevent interception over the network, you can also use HTTPS certificate encryption.
Rebuilding the session on every request? Then is it even a session anymore?
Of course, if session checking is not used, all session-based attacks are meaningless. But without the session, what is the solution? There are only a few: URLs with parameters, hidden fields, or saving the token in JS and returning it in a request header. In the end the principle is actually the same; only the form differs. At least among these implementation methods, saving the sessionid in a cookie with a server-side session is relatively safer, since the cookie itself at least gives us some security settings, such as HttpOnly, the same-origin policy, and so on.
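The two defences described in the answer above, as an added example that is not part of the original thread or any poster's code: a small in-memory server-side session store (the names SessionStore, session_cookie, origin_allowed and the two scenario functions are assumptions for this example) that regenerates the session id at login, emits the cookie with HttpOnly, Secure and SameSite attributes, and does a backend Origin/Referer check on state-changing requests. The two constructed scenarios show the planted (fixated) id becoming useless after login, and a stolen live id still granting access, which is the answer's point that rotating the id does not help once an attacker can read it.

```python
"""Session-fixation defence (regenerate the id on login) plus the
hijacking hardening from the answer: HttpOnly/Secure cookie attributes
and a backend same-origin check. All names and the in-memory store are
assumptions for this example, not the thread's own code."""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit


@dataclass
class Session:
    user: Optional[str] = None  # None until the user authenticates


class SessionStore:
    """Server-side sessions keyed by an opaque, high-entropy id."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def new_id() -> str:
        return secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG

    def get_or_create(self, sid: Optional[str]) -> Tuple[str, Session]:
        """Resolve the id the client sent. Ids the server never issued are
        ignored and a fresh one is handed out, so a client cannot pick its own."""
        if sid is not None and sid in self._sessions:
            return sid, self._sessions[sid]
        sid = self.new_id()
        self._sessions[sid] = Session()
        return sid, self._sessions[sid]

    def login(self, sid: str, user: str) -> str:
        """Authenticate and replace the id (session-fixation defence). The
        pre-login id is deleted, so anyone still holding it gets nothing."""
        self._sessions.pop(sid, None)
        new_sid = self.new_id()
        self._sessions[new_sid] = Session(user=user)
        return new_sid

    def user_for(self, sid: str) -> Optional[str]:
        s = self._sessions.get(sid)
        return s.user if s else None


def session_cookie(sid: str) -> str:
    """Set-Cookie value: HttpOnly keeps page JS (XSS) from reading it, Secure
    keeps it off plaintext HTTP, SameSite=Lax stops most cross-site sends."""
    return f"sid={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"


def origin_allowed(headers: Dict[str, str], site_origin: str) -> bool:
    """Backend same-origin check for state-changing requests. Browsers attach
    Origin (or at least Referer) to cross-site requests, so a missing or
    mismatched value means the request did not come from our own pages."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == site_origin


def fixation_attack_fails(store: SessionStore) -> bool:
    """Constructed scenario: attacker obtains a valid anonymous id, plants it
    on the victim, victim logs in. Returns True if the planted id is useless."""
    planted_sid, _ = store.get_or_create(None)        # attacker's own session
    victim_sid, _ = store.get_or_create(planted_sid)  # victim now sends it
    post_login_sid = store.login(victim_sid, "alice")
    return (store.user_for(planted_sid) is None
            and store.user_for(post_login_sid) == "alice")


def hijack_succeeds(store: SessionStore) -> bool:
    """Constructed scenario: attacker steals the current post-login id (e.g.
    via XSS on a cookie without HttpOnly). A copy of the live id is
    indistinguishable from the victim's, so regeneration does not help here;
    only keeping the id out of reach does. Returns True if access is granted."""
    sid, _ = store.get_or_create(None)
    sid = store.login(sid, "bob")
    stolen = sid                                      # exfiltrated by attacker
    return store.user_for(stolen) == "bob"


if __name__ == "__main__":
    s = SessionStore()
    print("fixation defeated:", fixation_attack_fails(s))
    print("stolen live id works:", hijack_succeeds(s))
    print(session_cookie(SessionStore.new_id()))
```

In a real application login() is called in the same request that validates the credentials, and the returned id is written back with session_cookie() in that response; origin_allowed() is applied to POST/PUT/DELETE handlers, not to plain navigations, which matches the earlier remark that the same-origin policy constrains scripts rather than address-bar visits.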