Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
446 views
in Technique[技术] by (71.8m points)

cryptography - How to store Session ID securely

I am a student learning about cryptography. After searching online, I am still unable to find an answer to my question. I am wondering how to store a session ID securely for an ecommerce website. If it is possible, how so? Please do explain it in Layman's term. Looking forward to your helpful answers.

Cheers

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

Session IDs are usually just a random (opaque) identifier that is passed between the client and the server. The server uses the identifier to look up state information (e.g. current cart content) in the database.

As a practical matter, you have to trust that the client will protect the session id, as once you send it to them, it becomes a static token -- no amount of cryptography can fix the fact that anyone can present a session id and then pretend to be the user.

There are some things that you can do to mitigate issues:

  1. ensure you are using a "secure enough" random generator to build the token

  2. make sure the transmission of the token is as secure as possible against eavesdropping or client-side theft (e.g. use SSL, httponly and secure cookie flags)

  3. Give the token a reasonable timeout, and require the user to request a new token periodically using e.g. a refresh token or re-login.

A lot of thought has gone in to how this can work practically - have a look at the OAuth2 / OpenID Connect protocols.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...