Problem description
ColdFusion sessions are supported with a combination of CFID, CFTOKEN and jsessionid values. When a cfm page is first hit, these values are established, thus creating the SESSION.
My question is, if the SESSION is created under HTTP and then a link is clicked to get to a login page under HTTPS, are those SESSION token values compromised because they were created under http (i.e. they were passed in clear text as part of the request)?
I'm guessing that someone astutely sniffing a public router could get those values and then spoof the session from then on out. It would definitely be a rare occurrence, I know, but nevertheless a concern.
Recommended answer
Yes, your cookies will be vulnerable to eavesdropping and session hijacking if you pass them over a non-secure channel. Wikipedia has some good prevention mechanisms listed on their Session Hijacking page. Probably the easiest is to do as invertedSpear said and just regenerate the session after a successful login, and once logged in, stay on HTTPS.
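One way to put the answer's advice into practice, as an added example that is not part of the original post or of any ColdFusion documentation: the Application.cfc settings mark the CFID/CFTOKEN cookies Secure and HttpOnly so they are never sent over plain HTTP, and the login page refuses plain-HTTP requests and calls sessionRotate() after a successful login so any identifier observed before login is worthless afterwards. It assumes ColdFusion 10 or later and a hypothetical `authenticateUser()` function that validates the submitted credentials.

```cfml
<!--- Application.cfc (constructed example, assumes ColdFusion 10+) --->
<cfcomponent output="false">
    <cfset this.name = "ExampleApp">
    <cfset this.sessionManagement = true>
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 30, 0)>
    <cfset this.setClientCookies = true>
    <!--- Session cookies only travel over HTTPS and are not readable by script --->
    <cfset this.sessionCookie.secure = true>
    <cfset this.sessionCookie.httpOnly = true>
</cfcomponent>

<!--- login.cfm (constructed example) --->
<!--- Never accept credentials, or the pre-login session, over plain HTTP --->
<cfif cgi.server_port_secure NEQ 1>
    <cflocation url="https://#cgi.server_name##cgi.script_name#"
                addtoken="false" statuscode="301">
</cfif>

<cfif structKeyExists(form, "username") AND structKeyExists(form, "password")>
    <!--- authenticateUser() is hypothetical: returns true for valid credentials --->
    <cfif authenticateUser(form.username, form.password)>
        <!--- Invalidate the session created under HTTP and issue fresh
              CFID/CFTOKEN values; existing session data is carried over --->
        <cfset sessionRotate()>
        <cfset session.loggedIn = true>
        <cfset session.username = form.username>
        <!--- addtoken="false" keeps CFID/CFTOKEN out of the redirect URL --->
        <cflocation url="/account.cfm" addtoken="false">
    <cfelse>
        <cfset request.loginError = "Invalid username or password.">
    </cfif>
</cfif>

<cfoutput>
    <cfif structKeyExists(request, "loginError")><p>#request.loginError#</p></cfif>
    <form method="post" action="#cgi.script_name#">
        <input type="text" name="username">
        <input type="password" name="password">
        <button type="submit">Log in</button>
    </form>
</cfoutput>
```

After the rotation, every page that requires a login should also be served only over HTTPS, since the Secure flag stops the browser from sending the new cookies over HTTP at all.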
This concludes the article on "In ColdFusion, do I need to re-establish the session tokens after switching from http to https?". We hope the recommended answer has been helpful, and thank you for your continued support!