zhouzhongyuan / qa

Questions records
MIT License

How login works, explained in detail #3

Open zhouzhongyuan opened 7 years ago

zhouzhongyuan commented 7 years ago

.

zhouzhongyuan commented 7 years ago

regenerate session

Why do we need to regenerate the session after verifying that the account and password match?

For better security.

What is the impact of not regenerating?

You may be exposed to session hijacking and session fixation attacks.

What is session hijacking?

From this Security.SE answer: Session hijacking refers to stealing the session cookie. This can be most easily accomplished when sharing a local network with other computers. E.g. at Starbucks. Example... a user with session Y is browsing James's website at Starbucks. I am listening in on their network traffic, sipping my latte. I take user with session Y's cookies for James's website and set my browser to use them. Now when I access James's site, James's site.

What is session fixation?

From this webpage: Session Fixation is an attack technique that forces a user's session ID to an explicit value. Depending on the functionality of the target web site, a number of techniques can be utilized to "fix" the session ID value. These techniques range from Cross-site Scripting exploits to peppering the web site with previously made HTTP requests. After a user's session ID has been fixed, the attacker will wait for that user to login. Once the user does so, the attacker uses the predefined session ID value to assume the same online identity.

How is a session fixation attack launched?

zhouzhongyuan commented 7 years ago

The HTTP protocol is "stateless"; what does that mean? (stateless)

Stateless means the protocol has no memory of transactions: the server does not know what state the client is in. That is, after we send an HTTP request to the server, the server sends data back according to the request, but once it has sent it, it records no information.

Which protocol is "stateful"? (stateful)

TCP. TCP is stateful: it uses control fields in the packet header (sequence numbers and so on) to express the relationships between packets (ordering, whether a packet is a duplicate, and so on), which is how the protocol achieves reliable transmission. So what does it mean that TCP is a connection-oriented protocol? The "connection" here is really the "three-way handshake". The three-way handshake first confirms that the other side exists, and second, what is exchanged during the handshake prepares for the stateful transmission that follows.

zhouzhongyuan commented 5 years ago

Cookies