Improving cookie security solutions
Common solutions found online are:
Cookie encryption algorithm: a timestamp and an IP address stamp are added to the cookie, which effectively say how long the cookie stays valid and from which IP address it may be used.
Finally, an MD5 MAC signature is added to prevent tampering. However, the plaintext information is still visible.
My solution is:
Cookie = 3DES("value, time, IP stamp"); the final cookie looks like this: 3bd1b32614a528ea
3DES is used for encryption, so the client never holds plaintext.
When the server checks the cookie, it decrypts the value, time, and IP address stamp, then checks the expiration time and the IP address. If either does not match, it clears the cookie and redirects to the logon page.
This solves several problems.
1. The client-side cookie contains no plaintext, so nothing useful can be read from it. With an MD5 signature, the client has to hold the plaintext.
2. Tampering is not possible: once the cookie is modified, decryption on the server fails. This also guards against brute-force cracking.
3. A cookie intercepted on the network cannot be used elsewhere because of the IP address stamp. The IP address is encrypted and not visible in plaintext, so it cannot be forged.
4. The IP address stamp is stored on the client so that a user can keep cookies on several computers. If it were stored on the server, only one computer at a time could log on with a cookie, which hurts the user experience and wastes lookup performance.
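The scheme above in working form, as an added example written for this page rather than the author's own code: a 3DES-CBC cookie carrying the timestamp, IP stamp and value, which the server decrypts and checks for expiry and client IP. It also appends an HMAC-SHA256 tag over the ciphertext, an addition not in the post, so that a modified cookie is rejected before decryption instead of relying on the decryption step to fail; the keys, addresses and values are constructed.

```go
package main
import (
	"crypto/cipher"
	"crypto/des"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"strconv"
	"strings"
	"time"
)
// Constructed demo keys: 24-byte three-key 3DES plus a separate HMAC key. Real ones come from a secret store.
var encKey, macKey = []byte("0123456789abcdefghijklmn"), []byte("constructed-demo-mac-key")
// tag is HMAC-SHA256 over IV||ciphertext, added so an edited cookie is rejected before it is decrypted.
func tag(body []byte) []byte {
	m := hmac.New(sha256.New, macKey)
	m.Write(body)
	return m.Sum(nil)
}
// Seal 3DES-CBC encrypts "unix-time,ip,value" under a fresh IV and appends the tag (value may hold commas, not trailing NULs).
func Seal(value, ip string, now time.Time) string {
	block, _ := des.NewTripleDESCipher(encKey) // cannot fail: key length is fixed above
	plain := []byte(strconv.FormatInt(now.Unix(), 10) + "," + ip + "," + value)
	plain = append(plain, make([]byte, (des.BlockSize-len(plain)%des.BlockSize)%des.BlockSize)...) // zero-pad
	body := make([]byte, des.BlockSize+len(plain))
	rand.Read(body[:des.BlockSize]) // fresh random IV per cookie
	cipher.NewCBCEncrypter(block, body[:des.BlockSize]).CryptBlocks(body[des.BlockSize:], plain)
	return hex.EncodeToString(append(body, tag(body)...))
}
// Open checks the tag, decrypts, then enforces IP stamp and expiry; on error the server clears the cookie and redirects to login.
func Open(cookie, ip string, now time.Time, ttl time.Duration) (string, error) {
	raw, err := hex.DecodeString(cookie)
	n := len(raw) - sha256.Size // length of IV||ciphertext once the tag is removed
	if err != nil || n < 2*des.BlockSize || n%des.BlockSize != 0 || !hmac.Equal(tag(raw[:n]), raw[n:]) {
		return "", errors.New("malformed or tampered cookie")
	}
	block, _ := des.NewTripleDESCipher(encKey)
	plain := make([]byte, n-des.BlockSize)
	cipher.NewCBCDecrypter(block, raw[:des.BlockSize]).CryptBlocks(plain, raw[des.BlockSize:n])
	ts, rest, ok1 := strings.Cut(strings.TrimRight(string(plain), "\x00"), ",")
	stampIP, value, ok2 := strings.Cut(rest, ",")
	issued, perr := strconv.ParseInt(ts, 10, 64)
	if !ok1 || !ok2 || perr != nil || stampIP != ip || now.Sub(time.Unix(issued, 0)) > ttl {
		return "", errors.New("cookie expired or presented from another IP address")
	}
	return value, nil
}
```

Without the tag, a modified CBC ciphertext usually still decrypts to garbage rather than producing an error, so the tag is what makes point 2 hold reliably.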