Question 28 #32

Closed
34678 opened this issue Mar 7, 2019 · 1 comment

34678 commented Mar 7, 2019

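Cookie hijacking

https://g2ex.github.io/2015/06/29/Cookie-and-Cookie-Injection/
1. An attacker obtains the user's cookie through XSS and can then forge the cookie.
2. Or through CSRF, within the same browser, by relying on the browser automatically attaching the cookie:
via the path user's site -> attacker's site -> attacker's request to the user's site, the browser automatically attaches the cookie.
But a token:
1. Is not attached by the browser, so problem 2 is solved.
2. The token is delivered to the client inside a JWT, and it is not fixed where it is stored, so it cannot be obtained directly through document.cookie. Using JWT + IP can prevent hijacking; even if it is hijacked, the JWT is invalid.

Corrections welcome.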
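
The JWT + IP idea from the comment above, as an added example that is not part of the original comment or the project: an HS256 token carrying a hypothetical `ip` claim, read only from the `Authorization` header and rejected when presented from a different address. The function names, the claim name and the sample addresses are assumptions; a client whose address legitimately changes is rejected as well.

```javascript
// Added example (not from the original thread). Names and the `ip` claim are hypothetical.
const crypto = require('node:crypto');

const SECRET = 'constructed-demo-secret'; // constructed value, demo only

const b64url = (input) => Buffer.from(input).toString('base64url');
const sign = (data) =>
  crypto.createHmac('sha256', SECRET).update(data).digest('base64url');

// Read the token only from the Authorization header, which a browser does not
// attach on its own to a cross-site request (unlike the Cookie header).
function bearerFrom(headers) {
  const m = /^Bearer (\S+)$/.exec(headers.authorization || '');
  return m ? m[1] : null;
}

// Issue a token bound to the client address seen at login.
function issueToken(userId, clientIp, nowSec, ttlSec = 900) {
  const header = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const payload = b64url(
    JSON.stringify({ sub: userId, ip: clientIp, exp: nowSec + ttlSec }));
  return `${header}.${payload}.${sign(`${header}.${payload}`)}`;
}

// Returns { ok: true, sub } or { ok: false, reason }.
function verifyToken(token, requestIp, nowSec) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  const [header, payload, sig] = parts;
  const expected = Buffer.from(sign(`${header}.${payload}`));
  const given = Buffer.from(sig);
  // Constant-time comparison; timingSafeEqual requires equal lengths.
  if (given.length !== expected.length ||
      !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad-signature' };
  }
  let head, claims;
  try {
    head = JSON.parse(Buffer.from(header, 'base64url').toString('utf8'));
    claims = JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'));
  } catch { return { ok: false, reason: 'malformed' }; }
  if (head.alg !== 'HS256') return { ok: false, reason: 'bad-alg' };
  if (typeof claims.exp !== 'number' || nowSec >= claims.exp) {
    return { ok: false, reason: 'expired' };
  }
  // The binding itself: a copied token replayed from another address fails here.
  if (claims.ip !== requestIp) return { ok: false, reason: 'ip-mismatch' };
  return { ok: true, sub: claims.sub };
}
```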

yygmind commented Mar 7, 2019

Please move over here: #31

yygmind closed this as completed Mar 7, 2019