问题描述

我已经读过play框架通过使用应用程序密钥散列会话id来解决会话固定问题，但是它是否提供了防止会话劫持的任何机制，还是由实现者来做？

I've read that the play framework solves the session fixation issue by hashing the session id with the application key, but does it provide any mechanism to prevent session hijacking, or is this left up to the implementor?

推荐答案

不，只要能够捕获会话，就没有内置的方法来阻止会话被劫持饼干（通过嗅闻/中间人）。
有一些方法使其更难，例如：

No, there is no built in way to prevent the hijacking of a session as soon as one is able to capture the session cookie (through sniffing/man in the middle).There are some ways to make it harder, e.g.:

• 仅使用https


• 在application.conf中设置application.session.httpOnly

使其变得更难的一个方法是：
- 存储ip / user-agent / resolution /其他东西或者也在会话中的哈希..在你的控制器中你检查访问你站点的用户是否仍然重新创建相同的哈希...真正的问题是使用代理的人，例如由于群集而动态更改IP。

One approache to make it harder is: - store the ip/user-agent/resolution/other stuff or a hash of that also in the session.. in your controller you then check if the user that accesses your site still recreates the same hash... the only real problem is with people that are using a proxy that e.g. changes the ip on the fly because of clustering.

您可以尝试使用的小技巧：（仅适用于最近的浏览器）
当用户登录时，将一些内容存储在HTML5本地存储中。修改Ajax调用以从本地存储提供此信息。如果信息丢失/无效，您可以使整个会话无效。但是你必须确保只对来自HTML5浏览器的请求应用检查。

A little trick you could try to use: (works only in recent browsers)When a user logs in, store some stuff in a HTML5 local storage. Modify your Ajax calls to supply this information from the local storage. If the information is missing/invalid, you can invalidate the whole session. But you'll have to make sure, that the checks only get applied against requests from HTML5 browsers.

希望这有点帮助。

这篇关于玩吗！框架有任何内置机制来防止会话劫持？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！