Chapter 9: Authentication and Session Management
9.1 Who am I?
Authentication involves two layers: identity and identity verification.
- Identity: who am I?
- Identity verification: proving that I am who I claim to be.
The purpose of authentication is to determine who the user is; the purpose of authorization is to determine what the user is allowed to do.
Authentication is actually a process of verifying credentials.
9.2 The Password Thing
For both security and user experience, "two-factor" authentication is now widely used, for example a payment password combined with a one-time code sent to the user's mobile phone.
I think the system should check whether the user is choosing a weak password at registration. This means the system needs to maintain a "weak password table"; such a table is shown below.
000000;c984aed014aec7623a54f0591da07a85fd4b762d
000000000;0f58d5a5515f1a8a9d179aa58858b67b2f8a3388
0000000000;8104ba1dc0409b259f487ed07db477c38f205a30
111111;3d4f2bf07dc1be38b20cd6e46949a1071f9d0e3d
11111111;a642a77abd7d4f51bf9226ceaf891fcbb5b299b8
111111111;3f196cfb6c4cffe3002c0495a1bc822521b6aa36
112233;3acd0be86de7dcccdbf91b20f94a68cea535922d
11223344;b986415c93241513d33d01fcf532a6c47ac4f3ee
123123;601f1889667efaebb33b8c12572835da3f027f78
123123123;88ea39439e74fa27c09a4fc0bc8ebe6d00978392
123321;4d9012b4a77a9524d675dad27c3276ab5705e5e8
123456;7c4a8d09ca3762af61e59520943dc26494f8941b
123456a;360e46f15f432af83c77017177a759aba8a58519
12345678;7c222fb2927d828af22f592134e8932480637c0d
123456789;f7c3bc1d808e04732adf679965ccc34ca7ae3441
987654321;bfe54caa6d483cc3887dce9d1b8eb91408f1ea7a
654321;DD5FEF9C1C1DA1394D6D34B248C51BE2AD740840
ABCDEF;1F8AC10F23C5B5BC1167BDA84B833E5C057A77D2
ABCDEFG;2fb5e13419fc89246865e7a324f476ec624e8740
abcabc;f8c1d87006fbf7e5cc4b026c3138bc046883dc71
abc123;6367c48dd193d56ea7b0baad25B19455e529f5ee
a1b2c3;2f4c5ce01f30865d02b2cc2b60d50b0bc5a1ee75
123qwe;05FE7461C607C33229772D402505601016A7D0EA
QWERTY;B1B3773A05C0ED0176787A4F1574FF0075F7521E
QWERTYUIOP;B0399D2029F64D445BD131FFAA399A42D2F8E7DC
ASDFGHJKL;5FA339BBBB1EEACED3B52E54F44576AAF0D77D96
ZXCVBNM;93ec71b22793a81569c94ca17e4d9c293d8e201f
qweasd;94cd166631d14dab533858b9b47e9584a2ff3f65
admin;d033e22ae348aeb5660fc2140aec35850c4da997
password;5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
[email protected];36e618512a68721f032470bb0891adef3362cfa9
passwd;30274c47903bd1bac7633bbf09743149ebab805f
iloveyou;ee8d8728f435fd550f83852aabab5234ce1da528
5201314;39693fd4a45b386c28c63100cc930238259891a2
5211314;817fbb7fa898c2b5d494fbd1f46bc6437d1eae33
woaini1314;79cbc25ac7de525cdc27d2977dbf3c0f13f04924
222222;273a0c7bd3c679ba9a6f5d99078e36e85d02b952
333333;77bce9fb18f977ea576bbcd143b2b521073f0cd6
444444;42cfe854913594fe572cb9712a188e829830291f
555555;b7c40b9c66bc88d38a59e554c639d743e77f1b65
666666;1411678a0b9e25ee2f7c8b2f7ac92b6a74b3f9c5
777777;fba9f1c9ae2a8afe7815c9cdd492512622a66302
888888;1f82c942befda29b6ed487a51da199f78fce7f05
999999;1f5523a8f535289b3401b29958d01b2966ed61d2
aaa111;4a0cde71aee7158542d013fc0c9f5acfc735c612
bbb222;6BE712A6E73D979726C02A308B3457F9F5CF148E
LETMEIN;B7A875FC1EA228B9061041B7CEC4BD3C52AB3CE3
AAAAAA;f7a9e24777ec23212c54d7a350bc5bea5477fdbb
aaaaaaaa;b480c074d6b75947c02681f31c90c668c46bf6b8
abcde12345;61d6504733ca7757e259c644acd085c4dd471019
19216801;c1018a89c6ea96ad0b85f6b96e6a857accd23644
19216811;76baff4a5e6ed84f77bab8160f35646e042e4e1c
1a2b3c4d;b01afc2b077956acc69f99e0b7df1cb70cb01331
1q2w3e4r5t;B80a9aed8af17118e51d4d0c2d7872ae26e2109e
asdfgh;7ab515d12bd2cf431745511ac4ee13fed15ab578
fuckyou;Dd2edb87ea9eb7a32fd4057276d3a1fab861c1d5
@163.com;900a0dc861cfb4e8692e2c9e3ac3e402244148e5
@126.com;09b66030ce0e0ce02bf5c9f1acb3d3ed43b03d29
@sina.com;9315152529553e529d7a104749a5091018335c41
@yahoo.cn;45131950280623973e2990a1c712ff7bbac47ef2
@hotmail.com;67f34d4020041d47084e416d2a3b69a41d5004b5
@sohu.com;70cb33735b8f48126644c4b73d5f202b3787d345
@139.com;a3495fafa58826efb7bd72afe7c65037ed8bc3e5
zxc123;d5a1bdf9ce989fd6161063e94b92bdeacb94ed23
a123456;895b317c76b8e504c2fb32dbb4420178f60ce321
a123456789;82e19fa12aab7cfc718a002fc82c0f074bf070e7
1234567890;01b307acba4f54f55aafc33bb06bbbf6ca803e9a
qq123456;1e9c48fedb74c408cfa764c2e6579345ad38b059
abc123456;370194ff6e0f93a7432e16cc9badd9427e8b4e13
123456789a;8bc5de83cf1daf79ed5b2f13f93d7c05d01d0388
147258369;345120426285ff8b1d43653a4d078170b4761f75
12345678910;9048ead9080d9b27d6b2b6ed363cbf8cce795f7f
qq123456789;c62ff83c569e4167f2d4a6d437c37c4c99f62abb
123456789.;Ed005b69bc65e50b86efbfa2eee5a9a9522c4a79
7708801314520;32b912e96e3af75977851c4c0ae1ab76fa2342bd
woaini;18f3e922a1d1a9a140efbbe894bc829eeec260d8
5201314520;f33d1c19fca267f74c49d287359e438c25080a13
q123456;6373050ac6f292c7f40103686db60eabe536615a
123456abc;a172ffc990129fe6f68b50f6037c54a1894ee3fd
1233211234567;dd3fdc04319ba92de10e6f4ced669daf40c34774
123123123;88ea39439e74fa27c09a4fc0bc8ebe6d00978392
123456.;76d91c3bdf12cb2a5ed8d590390df02efb77fb91
0123456789;87acec17cd9dcd20a716cc2cf67417b71c8a7016
asd123456;b2b7258d833cda1f75ff068edcbfa93faf899273
aa123456;89e89c17f877ca2821b557f633cec3253b0aa941
135792468;ed0e9283310c98094b1f5c0c42385c7a3c6818da
q123456789;acd7236e31641b4de86fd7af037655976d76c9c6
abcd123456;756de479126e911b6f3400ae686d663d9d26b509
12345678900;545c562a9d01dfaef9fb4e72c14010d2c4862a8b
woaini123;9635549628ffb5028a456b7e381cce375f598be7
zxcvbnm123;b487af41779cffb9572b982e1a0bf83f0eafbe05
w123456;4bd79e74a4e75df4226379434fc60f3274e1f4e3
aini1314;1c9a13456920a7a86a8f3ccf561039f2e4f3f244
abc123456789;33c76f70af66754ca47d19b17da8dc232e125253
1314520520;581cf6ca317edbca904de1540c031f8209beb779
1234567891;64ea0dc7dadd49a337f1ef14815bd3f428141c7d
qwe123456;e0ad1156a8de997c18dd27d85253a963433d8cec
asd123;2891baceeef1652ee698294da0e71ba78a2a4064
1472583690;9de1d8a075935f3d9746cc1419dd16576fdd5b6f
1357924680;33787D9003E53554AA48E7B3A2D2F793EDB7D7A0
789456123;4B4B04529D87B5C318702BC1D7689F70B15EF4FC
123456789ABC;A63d2f9ac1d341ae389920e6fe5712ca27768a72
z123456;63b597584b223523684957a1646a366f80c1776d
1234567899;fa213fbfd3c4bd1e298a01faee0652ce8aece66e
aaa123456;63a573e536a133d9ce53d63cdefaa3a6ff7a7ef9
abcd1234;7ce0359f12857f2a90c7de465f40a95f01cb5da9
www123456;82d878eae8ed4c9633a85c3ffbc2fe6e08439d5f
123456789q;e4af001202394bea766da25ca5a83adc8dfb1fe1
123abc;4be30d9814c6d4e9800e0d2ea9ec9fb00efa887b
qwe123;c53255317bb11707d0f614696b3ce6f221d0e2f2
w123456789;fdf78847507ea581d669dfb4bb7acdd49f6fd167
7894561230;255f53c62ddcd8771941fe7fc3d316761f204966
123456qq;0213711d8b8773c12c52eaf8b4da9dc479a6f33c
zxc123456;20894d135e5493a4b13adb05545e4327f78ba5a5
123456789qq;a4d1643ef5edd2d052a9a74eb0daebc4bb5601be
qazwsxedc;cbf2510a5f9f7eece23428da7125c06115839e2b
qwerty;b1b3773a05c0ed0176787a4f1574ff0075f7521e
123456.;21e279011385c910548bcfe8449607d66cf079af
1234554321;ece4e6b27cf0a2c5c9d83e44bfd5a71795f8a6e0
123456q;bfff2dd4f1b310eb0dbf593bd83f94dd8d34077e
123456aa;80e126659c008667cb626baef0c86e7b7dd00e20
9876543210;9cd656169600157ec17231dcf0613c94932efcdc
110120119;c611407915728260ac0ab216a71dab84ccedc267
qaz123456;d480bd8b8bdd111efd9f7acf13b8e889c97a8704
qq5201314;d54afcea69f4206f91549578f5f10ae3ba1456aa
123698745;46faecb386d33e643afdabc62393fa7e84f5bf66
as123456;7e02cc3aedfaec1fc5863c6ae846378874218186
5841314520;cdfee1c0470223f479f457b4c36db0028aaaaf67
z123456789;23aa667a74a65343dfe41a015dae1c9208bb972e
a123123;787c8ad9f686d6ae66a053497de9ae15b6b13364
caonima;430dcd10accf33c72ec127813ec7e2c93a697314
a5201314;0638a978a2c43b4d01739436cd7ada21d94d938f
wang123456;341f61d91c70014c2c867be0f3edcd237f04a70d
abcd123;7c3607b8e61bcf1944e9e8503a660f21f4b6f3f1
123456789.;B4D333D3AFCB4AB2169709D1F9EE928053818A13
WOAINI1314520;69F64F206FE9F88E93AC54E6A5CE057A7A0EFBEE
123456ASD;ba3da472cb1a59f523b87f74c4e42c860c2aa5d0
aa123456789;48df1dc02ccb17787d25e40f42c2e721cf200511
741852963;863dae13577340b98c4c247f4a05b204a3543248
a12345678;3dd635a808ddb6dd4b6731f7c409d53dd4b14df2
Note: the weak passwords above have been hashed with SHA-1; each row holds the plaintext and its digest, separated by ";".
Passwords should be stored with a one-way (hash) algorithm such as MD5 wherever possible, never in plaintext.
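As an added example, not code from the original notes or from the book, here is a Python checker built around the "plaintext;sha1" table format used above: it parses the table, verifies that every row's digest really is the SHA-1 of its plaintext, and tests a candidate registration password against the list. The table text in the block is a constructed subset in that format; the function names are my own.

```python
import hashlib
import re

HEX40 = re.compile(r"[0-9a-fA-F]{40}")

# Constructed subset of a weak-password table in the page's format:
# one "plaintext;sha1" row per line, the digest being SHA-1 of the plaintext.
WEAK_TABLE_TEXT = """\
123456;7c4a8d09ca3762af61e59520943dc26494f8941b
password;5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
qwerty;B1B3773A05C0ED0176787A4F1574FF0075F7521E
admin;d033e22ae348aeb5660fc2140aec35850c4da997
iloveyou;ee8d8728f435fd550f83852aabab5234ce1da528
12345678;7c222fb2927d828af22f592134e8932480637c0d
123456789;f7c3bc1d808e04732adf679965ccc34ca7ae3441
"""


def sha1_hex(text: str) -> str:
    """Hex SHA-1 of a UTF-8 string, the key the weak list is indexed by."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


def parse_table(text: str) -> dict:
    """Parse "plaintext;sha1" rows into {plaintext: lowercase_hex_digest}.

    The parser does not rely on line breaks: after every ';' exactly 40 hex
    characters are the digest and everything up to the next ';' is the next
    plaintext, so it also recovers a table that was pasted onto a single line.
    All whitespace is dropped, so the table must not contain passwords with
    spaces (none of the page's entries do).
    """
    stream = re.sub(r"\s+", "", text)
    rows = {}
    pos = 0
    while pos < len(stream):
        sep = stream.find(";", pos)
        if sep < 0:
            raise ValueError(f"no ';' separator after offset {pos}")
        plaintext = stream[pos:sep]
        digest = stream[sep + 1:sep + 41]
        if not HEX40.fullmatch(digest):
            raise ValueError(f"malformed SHA-1 digest after {plaintext!r}")
        rows[plaintext] = digest.lower()
        pos = sep + 41
    return rows


def verify_table(rows: dict) -> list:
    """Return the plaintexts whose stored digest is not SHA-1(plaintext)."""
    return [p for p, h in rows.items() if sha1_hex(p) != h]


def is_weak(candidate: str, rows: dict) -> bool:
    """True if the candidate, as typed or case-folded, is on the weak list."""
    digests = set(rows.values())
    return any(sha1_hex(v) in digests for v in {candidate, candidate.lower()})


if __name__ == "__main__":
    table = parse_table(WEAK_TABLE_TEXT)
    print(len(table), "rows; rows with inconsistent digest:", verify_table(table))
    for pw in ("123456", "PassWord", "correct horse battery staple"):
        print(f"{pw!r}: {'weak' if is_weak(pw, table) else 'ok'}")
```

SHA-1 appears here only because it is the key of the weak-password list, which is public data. For storing the user's own password a salted, deliberately slow hash is what a practitioner would use today: an unsalted fast hash of a password can be matched against a precomputed table in exactly the way this checker does.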
9.3 Multi-Factor Authentication
Besides the ordinary password, dynamic passwords, digital certificates, USB security keys (U-Shield), third-party certificates and so on can be used for user authentication. Combining these different means makes the authentication process safer and more reliable. The password is no longer the only authentication factor, so even if a user's password is stolen the account can still be protected.
9.4 Session and Authentication
The session mechanism is a server-side mechanism: the server uses a structure similar to a hash table (possibly an actual hash table) to hold the session information.
When the program needs to create a session for a client request, the server first checks whether the request already carries a session identifier, called the Session ID. If it does, a session was created for this client earlier, and the server looks that session up by its Session ID and uses it (if it cannot be found, a new one may be created; this can happen when the server has already deleted the session object for that user but the user has manually appended a jsession parameter to the request URL). If the request carries no Session ID, the server creates a session for this client and generates a Session ID associated with it; this Session ID is returned to the client in the response so that the client can save it.
There are several ways to save the Session ID:
- The Session ID can be saved in a cookie, so that during the interaction the browser automatically sends this identifier to the server according to the cookie rules.
- Because cookies can be disabled by the user, there must be other mechanisms for passing the Session ID back to the server. A frequently used technique is URL rewriting: the Session ID is appended to the URL.
- Another technique is the hidden form field: the server automatically modifies the form and adds a hidden field, so that the Session ID is passed back to the server when the form is submitted.
9.5 Session Fixation Attack
To guard against session fixation: the Session ID must be changed (regenerated) once the user authenticates, and the random-number algorithm used to generate Session IDs must be strong enough.
9.6 Session Keep-Alive Attack
To guard against a session keep-alive attack:
Force the session to log off after a fixed time or under specific conditions, for example when the session's IP address, User-Agent or location changes, or when multiple sessions are issued to the same user.
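As an added example that is not part of the original notes (names such as SessionStore, FakeClock and the timeout constants are my own choices), the following Python session store puts sections 9.4 to 9.6 together: Session IDs come from the OS CSPRNG and are delivered to the client in a cookie, the ID is regenerated when the user logs in (the session fixation defence), and a session is forcibly logged off when it is idle or too old, or when the same ID arrives from a different IP address or User-Agent (the session keep-alive defence). The client data in demo() is constructed.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional

SESSION_ID_BYTES = 32            # 256 bits from the OS CSPRNG, never random.random()
IDLE_TIMEOUT = 30 * 60           # forced logoff after 30 min without a request
ABSOLUTE_TIMEOUT = 8 * 60 * 60   # forced logoff 8 h after login, active or not


@dataclass
class Session:
    user: Optional[str]          # None until the client has authenticated
    client_ip: str               # fingerprint the session is bound to (9.6)
    user_agent: str
    created: float
    last_seen: float
    data: dict = field(default_factory=dict)


class FakeClock:
    """Constructed, controllable clock so the demo can simulate idle time."""

    def __init__(self, now: float):
        self.now = now

    def __call__(self) -> float:
        return self.now


class SessionStore:
    """Server-side session table (the hash-table-like structure of 9.4), keyed by Session ID."""

    def __init__(self, clock=time.time):
        self._sessions: Dict[str, Session] = {}
        self._clock = clock

    @staticmethod
    def new_id() -> str:
        # Unpredictable ID: neither a fixation nor a guessing attempt can choose it.
        return secrets.token_urlsafe(SESSION_ID_BYTES)

    @staticmethod
    def cookie_header(sid: str) -> str:
        # Cookie carrier from 9.4; HttpOnly/Secure keep the ID away from scripts and plain HTTP.
        return f"SESSIONID={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"

    def create(self, client_ip: str, user_agent: str) -> str:
        now = self._clock()
        sid = self.new_id()
        self._sessions[sid] = Session(None, client_ip, user_agent, now, now)
        return sid

    def lookup(self, sid: str, client_ip: str, user_agent: str) -> Optional[Session]:
        """Return the live session for sid; destroy it and return None on a forced
        logoff (9.6): idle or absolute timeout, or a different IP / User-Agent."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        expired = now - s.last_seen > IDLE_TIMEOUT or now - s.created > ABSOLUTE_TIMEOUT
        moved = s.client_ip != client_ip or s.user_agent != user_agent
        if expired or moved:
            self.destroy(sid)
            return None
        s.last_seen = now
        return s

    def login(self, sid: Optional[str], user: str, client_ip: str, user_agent: str) -> str:
        """Authenticate and rotate the Session ID (9.5): whatever ID existed before
        login, planted or merely observed, stops working afterwards."""
        s = self.lookup(sid, client_ip, user_agent) if sid else None
        now = self._clock()
        if s is None:
            s = Session(None, client_ip, user_agent, now, now)
        else:
            del self._sessions[sid]          # retire the pre-login ID
        s.user, s.created, s.last_seen = user, now, now
        new_sid = self.new_id()
        self._sessions[new_sid] = s
        return new_sid

    def destroy(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def demo() -> Dict[str, bool]:
    """Exercise the defences with constructed client data; every value should be True."""
    clock = FakeClock(1_700_000_000.0)
    store = SessionStore(clock=clock)
    ip, ua = "203.0.113.10", "Mozilla/5.0 (constructed)"
    pre_login = store.create(ip, ua)               # anonymous session before login
    post_login = store.login(pre_login, "alice", ip, ua)
    results = {
        "id_rotated_on_login": post_login != pre_login,
        "pre_login_id_dead": store.lookup(pre_login, ip, ua) is None,
        "post_login_id_live": store.lookup(post_login, ip, ua).user == "alice",
        # same cookie presented from another User-Agent: forced logoff
        "ua_change_forces_logoff": store.lookup(post_login, ip, "curl/8.0 (constructed)") is None,
        "session_gone_after_logoff": store.lookup(post_login, ip, ua) is None,
    }
    sid = store.login(None, "bob", ip, ua)
    clock.now += IDLE_TIMEOUT + 1                  # idle past the limit
    results["idle_timeout_forces_logoff"] = store.lookup(sid, ip, ua) is None
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Binding a session to the client IP is a trade-off: mobile clients change address legitimately, so in practice the IP check is often relaxed to a network prefix or replaced by re-authentication on a sensitive action, while the User-Agent check and the two timeouts stay in place.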
9.7 Single Sign-On (SSO)
To make up for the weaknesses of single sign-on, "two-factor" verification can be added to a specific system or application.
Reference: http://dotnet.blog.51cto.com/272325/51559/
"White Hat Talks Web Security" study notes, Chapter 9: Authentication and Session Management