Questions #1

Source document: interview en (hozir.org, 06.07.2022)

How to protect cookies from theft and forgery?
It depends on how strict the site's security requirements are. If a cookie only stores auxiliary data, for example the index of the last item selected in a dropdown, the rules below can be skipped.
For payment systems and sites that handle private data, these rules are mandatory.

  • Set the HttpOnly flag on the cookie. The browser will then not expose it to client-side JavaScript (document.cookie), so an XSS bug cannot read or overwrite it.

  • Set the Secure flag. The cookie is then only sent over HTTPS, never over a plain HTTP connection.

  • Give the cookie a short lifetime (Max-Age or Expires).

  • Keep the server-side session timeout short as well.

  • Bind the session to the User-Agent header: mix it into the session key (or into the signature, see below). A cookie that is stolen and replayed from another machine then no longer matches. Note that User-Agent is chosen by the client, so this only stops an attacker who does not copy the victim's headers along with the cookie.

  • Same idea as the point above, but bind to the user's IP address. This is harder to spoof but breaks for users whose address changes mid-session (mobile networks, NAT pools).

  • Sign the cookie with a server-side secret. Add a sig field equal to HMAC-SHA1(cookie-body, secret_key) (HMAC-SHA256 is the more common choice today) and check on the server that the signature matches before trusting the body. Compare the signatures with a constant-time function so the check itself does not leak timing information.
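The list above combined into one working routine, as an added example that is not part of the original document: a session cookie whose body carries an expiry, whose HMAC (SHA-256 here) also covers the client's User-Agent, verified in constant time, and emitted with the HttpOnly and Secure flags. The secret, cookie name, session id and User-Agent string are constructed assumptions for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumption: in a real deployment the secret is loaded from configuration, not source.
SECRET_KEY = b"replace-with-a-long-random-secret"


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding, so the value is safe inside a cookie."""
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _signature(body: str, user_agent: str, secret: bytes) -> str:
    # The User-Agent is mixed into the signed data, so a cookie replayed from a
    # client that sends a different User-Agent fails verification.
    msg = (body + "|" + user_agent).encode("utf-8")
    return _b64(hmac.new(secret, msg, hashlib.sha256).digest())


def make_session_cookie(session_id: str, user_agent: str, *, secret: bytes = SECRET_KEY,
                        ttl: int = 900, now: Optional[int] = None) -> str:
    """Return a cookie value of the form <body>.<sig> with an embedded expiry."""
    now = int(time.time()) if now is None else now
    body = _b64(json.dumps({"sid": session_id, "exp": now + ttl},
                           separators=(",", ":")).encode("utf-8"))
    return body + "." + _signature(body, user_agent, secret)


def verify_session_cookie(value: str, user_agent: str, *, secret: bytes = SECRET_KEY,
                          now: Optional[int] = None) -> Optional[str]:
    """Return the session id, or None if the cookie is malformed, forged,
    replayed with a different User-Agent, or expired."""
    now = int(time.time()) if now is None else now
    body, sep, sig = value.partition(".")
    if not sep:
        return None
    # Verify the signature before parsing anything, and compare in constant time.
    expected = _signature(body, user_agent, secret)
    if not hmac.compare_digest(sig.encode("utf-8"), expected.encode("utf-8")):
        return None
    try:
        data = json.loads(_unb64(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(data, dict) or data.get("exp", 0) <= now:
        return None
    return data.get("sid")


def set_cookie_header(name: str, value: str, max_age: int) -> str:
    """Set-Cookie header carrying the flags from the list above."""
    return f"Set-Cookie: {name}={value}; Max-Age={max_age}; Path=/; Secure; HttpOnly"


if __name__ == "__main__":
    ua = "Mozilla/5.0 (X11; Linux x86_64)"  # constructed sample header
    cookie = make_session_cookie("s3ss10n", ua, ttl=900)
    print(set_cookie_header("session", cookie, 900))
    print("same client :", verify_session_cookie(cookie, ua))
    print("other client:", verify_session_cookie(cookie, "curl/8.0"))
```

The expiry lives inside the signed body, so a client cannot extend it by editing the cookie; the server-side session timeout from the list is a separate, independent limit.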

HTTP


How is the HTTP protocol structured?
HTTP is a text protocol that runs on top of TCP/IP. An HTTP exchange consists of a request and a response, and both have the same layout: a start line, headers, and a body.
The request start line consists of the method, the path (request target), and the protocol version:
GET /index.html HTTP/1.1

The response start line consists of the protocol version, the status code, and a textual reason phrase:


HTTP/1.1 200 OK

Headers are key-value pairs such as User-Agent and Content-Type. They carry the metadata of the message: the user's language, authorization, redirection target and so on. In HTTP/1.1 the Host header must always be present in the request.


The body can be empty, or it can carry form fields (key-value pairs), files, or arbitrary binary data. It is separated from the headers by a blank line.
Write a raw request to the Yandex main page
GET / HTTP/1.1
Host: ya.ru

The request is terminated by an empty line after the headers; without it the server keeps waiting for more headers.
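A parser and serializer for the message layout just described, as an added example rather than code from the original document. It splits a raw request or response into start line, headers and body, enforces the Host requirement for HTTP/1.1 requests, and cuts the body at Content-Length so trailing bytes of a following message are not mistaken for it. The raw messages are constructed samples; the Yandex request is the one written above.

```python
from typing import Optional, Tuple

# Constructed sample: the raw request to the Yandex main page, with CRLF line endings.
RAW_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: ya.ru\r\n"
    b"User-Agent: example-client/1.0\r\n"
    b"\r\n"
)

# Constructed sample response; the bytes after "hello" stand in for a following message
# on the same connection and must not end up in this body.
RAW_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/plain\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"helloEXTRA"
)


def parse_http_message(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request or response into start line, headers and body."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete message: headers are not terminated by a blank line")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()  # header names are case-insensitive
    if parts[0].startswith("HTTP/"):
        # Status line: version, numeric status code, optional reason phrase.
        if len(parts) < 2 or not parts[1].isdigit():
            raise ValueError(f"malformed status line: {lines[0]!r}")
        msg = {"kind": "response", "version": parts[0], "status": int(parts[1]),
               "reason": parts[2] if len(parts) == 3 else ""}
    else:
        # Request line: method, request target, version.
        if len(parts) != 3:
            raise ValueError(f"malformed request line: {lines[0]!r}")
        msg = {"kind": "request", "method": parts[0], "target": parts[1], "version": parts[2]}
        if parts[2] == "HTTP/1.1" and "host" not in headers:
            raise ValueError("HTTP/1.1 request without a Host header")
    # Content-Length bounds the body; anything beyond it belongs to the next message.
    if "content-length" in headers:
        length = int(headers["content-length"])
        if length > len(rest):
            raise ValueError("body shorter than Content-Length")
        body = rest[:length]
    else:
        body = rest
    msg["headers"] = headers
    msg["body"] = body
    return msg


def parse_or_error(raw: bytes) -> Tuple[Optional[dict], Optional[str]]:
    """(message, None) on success, (None, reason) when the message is malformed."""
    try:
        return parse_http_message(raw), None
    except ValueError as exc:
        return None, str(exc)


def build_request(method: str, target: str, host: str, headers: Optional[dict] = None,
                  body: bytes = b"") -> bytes:
    """Serialize a request the way it travels on the wire: CRLF lines, blank line, body."""
    lines = [f"{method} {target} HTTP/1.1", f"Host: {host}"]
    for name, value in (headers or {}).items():
        lines.append(f"{name}: {value}")
    if body:
        lines.append(f"Content-Length: {len(body)}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("iso-8859-1") + body


if __name__ == "__main__":
    print(build_request("GET", "/", "ya.ru").decode("iso-8859-1"))
    print(parse_http_message(RAW_REQUEST))
    print(parse_http_message(RAW_RESPONSE))
```

Sending `build_request("GET", "/", "ya.ru")` over a TCP socket to port 80 is exactly the raw request written above; the parser handles the reply that comes back.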

