Ok, I have always wondered if these 2 actions are possible:
- To manipulate cookies. I mean, if I log in for example into Facebook it will save a cookie in my browser. Could I edit it in any way? I think so since it is set into MY browser and not set locally.
- To manipulate a JavaScript script. I mean, since JavaScript is read by the browser and every user can read the language, could it be edited? For example, let's say I have an ajax call that sends data strings like user=basic or something (it's just an example), could someone change it to user=admin ?
I hope this kind of thing is not possible or I am pretty much f****d!
asked Jan 14, 2011 at 20:55 by Shoe
- Pigarelli welcome to the Internet, 2011 AD. – Pointy Commented Jan 14, 2011 at 21:03
- Doesn't anybody think that making cookies and JavaScript protected could save thousands of useless lines of code? – Shoe Commented Jan 14, 2011 at 21:04
- It's just not possible to do that without imposing a completely different set of rules for the Internet and for personal computers in general. In today's world, you have to hand over your content to the end user equipment for it to be shown on the screen. So long as there are things like open-source web browsers (and whole operating systems), you don't control enough of the user equipment to allow content to be secured. – Pointy Commented Jan 14, 2011 at 21:09
6 Answers
In that case, I'm sorry to say you are pretty much f****d.
You must always assume that everything on the client side can be manipulated by some evil hacker. This includes cookies and JavaScript.
Firefox makes this extra easy, using the Edit Cookies extension for cookies, and Firebug to edit JavaScript (and HTML and CSS).
Both users and JavaScript can manipulate cookie data. However, browsers have optional (maybe default) protection against setting cookie data cross-domain.
I think modifying cookies should be pretty easy, as they're stored locally. I checked, and in Firefox there's a bunch of SQLite files that seem to hold them. I don't know much about SQLite, but it seems that modifying them should not be a problem (especially since you could get to the browser source code in this case and see how it interacts with them :) )
I'm not sure about JavaScript modification; it most surely can be done by messing around with low-level HTTP stuff (intercepting the request and sending bogus responses with the modified code). Anti cross-site scripting policies help a little, but I wouldn't rely on them much; there should be server-based security checks to be safer.
Yes/No, your domain can only manipulate cookies set by your domain. Your JS script, being on yourdomain.com or localhost, cannot edit a cookie set by facebook.com. Think about it, the Internet would have imploded by now if you could do that. However, users can edit their cookies at will.
Yes.
Yes and yes, and there are even tools specifically designed to make doing so easy. Getting security right is hard, and unfortunately it's something that greener web developers often completely miss.
The only thing you can really safely store in a cookie is a login token. Basically, each time your user logs in, generate something like a GUID. Save the GUID to a column in the user's record (like LoginToken or whatever) and then set their cookie to the same GUID. When they log out, clear the record's LoginToken. Then when a request comes in, you can just query your database for the user who has a LoginToken equal to the value in the cookie. It's safe to assume that by holding the token, the requestor is in fact the user represented by the token.
If a malicious user edits their cookie, they'll get nothing more than logged out, since you'd treat a not-found token the same as no token at all.
On the server, once you check a token, you then determine if that user has admin rights (usually by looking at their record).
As far as being able to modify script, that's just a fact of life. Your server code has to assume that every request is malicious. Before you do anything, verify their token and verify that they're allowed to do what they're requesting.
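A minimal server-side model of the token scheme this answer describes, written in Python rather than PHP as an added example (not code from the answer): login issues a random token and stores it on the user's record, every request is resolved to a user by looking that token up, an unknown or tampered token is treated as "not logged in", and admin rights come from the record, never from a client-supplied field such as user=admin. The user table and role names are constructed for the demo.

```python
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class User:
    name: str
    is_admin: bool
    login_token: Optional[str] = None   # the "LoginToken" column from the answer


# Constructed sample user table standing in for the database.
USERS = {
    "basic": User("basic", is_admin=False),
    "alice": User("alice", is_admin=True),
}


def login(username: str) -> str:
    """Issue a fresh random token (GUID-like) and save it on the user's record.
    The returned value is what the server would place in the session cookie."""
    user = USERS[username]
    user.login_token = secrets.token_hex(16)
    return user.login_token


def logout(username: str) -> None:
    """Clearing the stored token invalidates the cookie the client still holds."""
    USERS[username].login_token = None


def user_from_cookie(cookie_token: Optional[str]) -> Optional[User]:
    """Query for the user whose LoginToken equals the cookie value.
    A missing, edited or stale token matches nobody and means 'not logged in'."""
    if not cookie_token:
        return None
    for user in USERS.values():
        if user.login_token is not None and secrets.compare_digest(
                user.login_token.encode(), cookie_token.encode()):
            return user
    return None


def handle_admin_request(cookie_token: Optional[str], requested_role: str) -> int:
    """requested_role is the client's own claim (e.g. 'admin') and is ignored;
    authorization is decided from the record found via the token."""
    user = user_from_cookie(cookie_token)
    if user is None:
        return 401          # no valid token: treat exactly like no cookie at all
    if not user.is_admin:
        return 403          # authenticated, but the record says not an admin
    return 200
```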
2 things:
- Validate the data client-side for usability, but also do it server-side to prevent someone from tampering with the data
- Encrypt cookies to make it harder to manipulate