
Store cookies more securely #70

Closed
88250 opened this issue Aug 10, 2017 · 3 comments

@88250
Member

88250 commented Aug 10, 2017

Currently the cookie is written to the browser directly as a JSON string, which has two problems:

  1. It is insecure: it exposes the user's email and password.
  2. Some Tomcat versions validate cookie values; see the referenced symptom.

Proposed change:

  1. Add a `cookieSecret` to latke.props, used as the secret from which the key for encrypting/decrypting the cookie value is generated.
  2. Encrypt the JSON string with AES before writing it to the cookie.

@88250 88250 added the enhancement label Aug 10, 2017

@88250 88250 self-assigned this Aug 10, 2017

@88250 88250 closed this in e5754b8 Aug 11, 2017

@nanolikeyou

nanolikeyou commented Aug 11, 2017

I would also suggest setting the HttpOnly attribute when setting the cookie.

@88250 88250 reopened this Aug 13, 2017

@88250
Member

88250 commented Aug 13, 2017

@nanolikeyou Added a `cookieHttpOnly` configuration option, default false. Solo will not enable it for now either, because it reads the cookie with JS.
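An added example (not Latke's code; the actual change in e5754b8 is not shown on this page) that puts the two proposals of this thread together: the issue body's plan to encrypt the JSON cookie payload with AES under a key generated from `cookieSecret`, and the follow-up `cookieHttpOnly` option. The assumptions are mine: the key is derived with SHA-256 (the issue does not say how), the AES mode is GCM so that a modified cookie is rejected rather than decrypted to garbage, and the result is URL-safe Base64 so the value contains none of the characters a strict cookie parser rejects. The class name, the `Set-Cookie` builder, the cookie name and the sample JSON are all constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/** Illustrative cookie sealing for the scheme proposed in this issue; not Latke's own implementation. */
public final class CookieSealer {
    private static final int IV_BYTES = 12;   // 96-bit nonce, the recommended size for GCM
    private static final int TAG_BITS = 128;  // full-length authentication tag
    private final SecretKeySpec key;
    private final SecureRandom random = new SecureRandom();

    /** cookieSecret is the latke.props value; deriving the AES key with SHA-256 is this example's assumption. */
    public CookieSealer(String cookieSecret) throws GeneralSecurityException {
        byte[] keyBytes = MessageDigest.getInstance("SHA-256")
                .digest(cookieSecret.getBytes(StandardCharsets.UTF_8));
        this.key = new SecretKeySpec(keyBytes, "AES");
    }

    /** Encrypts the JSON payload. Output is iv || ciphertext || tag in URL-safe Base64 without padding. */
    public String seal(String json) throws GeneralSecurityException {
        byte[] iv = new byte[IV_BYTES];
        random.nextBytes(iv);  // fresh nonce per cookie; a nonce must never be reused with the same key
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = cipher.doFinal(json.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[IV_BYTES + ct.length];
        System.arraycopy(iv, 0, out, 0, IV_BYTES);
        System.arraycopy(ct, 0, out, IV_BYTES, ct.length);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(out);
    }

    /** Decrypts and verifies. Returns null for a tampered, truncated or foreign value instead of throwing. */
    public String open(String cookieValue) {
        try {
            byte[] in = Base64.getUrlDecoder().decode(cookieValue);
            if (in.length < IV_BYTES + TAG_BITS / 8) {
                return null;  // too short to even hold a nonce and a tag
            }
            Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
            cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, in, 0, IV_BYTES));
            byte[] pt = cipher.doFinal(in, IV_BYTES, in.length - IV_BYTES);
            return new String(pt, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException | GeneralSecurityException e) {
            return null;  // AEADBadTagException lands here: the value was modified or sealed under another key
        }
    }

    /** Builds the Set-Cookie header. httpOnly mirrors the cookieHttpOnly option; Secure keeps it off plain HTTP. */
    public static String setCookieHeader(String name, String value, boolean httpOnly, boolean secure) {
        StringBuilder sb = new StringBuilder(name).append('=').append(value).append("; Path=/; SameSite=Lax");
        if (secure) {
            sb.append("; Secure");
        }
        if (httpOnly) {
            sb.append("; HttpOnly");
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Placeholder secret; in practice this is read from latke.props.
        CookieSealer sealer = new CookieSealer("REPLACE-WITH-cookieSecret-FROM-latke.props");
        // Constructed sample of the JSON payload the issue describes (email and password fields).
        String json = "{\"userEmail\":\"alice@example.com\",\"userPassword\":\"s3cret\"}";
        String sealed = sealer.seal(json);
        System.out.println(setCookieHeader("session", sealed, true, true));
        System.out.println("round trip ok: " + json.equals(sealer.open(sealed)));
        // Flip one character inside the nonce part of the value: the GCM tag check fails and open() returns null.
        char[] chars = sealed.toCharArray();
        chars[5] = chars[5] == 'A' ? 'B' : 'A';
        System.out.println("tampered value rejected: " + (sealer.open(new String(chars)) == null));
    }
}
```

The issue only says "AES"; choosing an authenticated mode matters because a server that decrypts a client-supplied cookie must be able to tell a genuine value from a modified one, and an unauthenticated mode gives it no way to do so. The `httpOnly` flag stays a parameter rather than a constant for the reason 88250 gives: it can only be turned on once nothing in the page's JavaScript still reads the cookie.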

@wizardforcel
Member

wizardforcel commented Aug 29, 2017

Almost the same as Discuz's approach, except for a different algorithm.
