
Computer Engineering (计算机工程) ›› 2008, Vol. 34 ›› Issue (19): 176-178. doi: 10.3969/j.issn.1000-3428.2008.19.059

• Security Technology •

Design of a Session Security Module for Web Applications

徐 兵,谢仕义   

  1. (Information School, Guangdong Ocean University, Zhanjiang 524088)
  • Received: 1900-01-01 Revised: 1900-01-01 Online: 2008-10-05 Published: 2008-10-05

Design of Session Security Module for Web Applications

XU Bing, XIE Shi-yi   

  1. (Information School, Guangdong Ocean University, Zhanjiang 524088)
  • Received: 1900-01-01 Revised: 1900-01-01 Online: 2008-10-05 Published: 2008-10-05

Abstract: To prevent session hijacking attacks, an HTTP session security module is designed. The module appends a hash code to the session ID and monitors incoming requests and outgoing responses for the session ID cookie, making it harder for an attacker to reuse the cookie and thereby providing good protection for Web application security. The session security module is implemented on the .net platform and has been applied to an e-commerce Web site.

Keywords: session hijacking, man-in-the-middle attack, .net platform, session ID cookie

Abstract: This paper analyzes the main threats to session security and describes the basic principle and method of session hijacking. A secure session module based on HTTP is designed to repel session hijacking attacks. The module appends a hashed MAC to session IDs and monitors incoming requests and outgoing responses for session ID cookies. This makes it difficult for an attacker to reuse the session ID cookie and gives Web applications good protection. The secure session module is implemented on the .net platform and is used on an e-business Web site.

Key words: session hijacking, Man-In-The-Middle (MITM), .net platform, session ID cookie
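As an added illustration (not the authors' .net module, which this page does not reproduce), the following Python sketch shows the mechanism the abstract describes: on outgoing responses the session cookie value is rewritten to `<id>.<MAC>` under a server-side key, and on incoming requests the MAC is verified before the bare session ID is handed to the application, so a cookie with a guessed, forged or tampered ID is rejected. The cookie name, the `.` separator, the HMAC-SHA256 construction and the demo key are assumptions; what the original module includes in the MAC beyond the session ID is not stated on the page.

```python
import hashlib
import hmac

# Constructed demo key; a real deployment keeps the key out of source control.
SERVER_KEY = b"constructed-demo-key-replace-me"
SESSION_COOKIE = "ASP.NET_SessionId"   # default ASP.NET session cookie name
SEP = "."                              # assumed separator between ID and MAC


def session_mac(session_id: str) -> str:
    """HMAC-SHA256 of the session ID under the server key (assumed construction)."""
    return hmac.new(SERVER_KEY, session_id.encode("ascii"), hashlib.sha256).hexdigest()


def protect_outgoing(set_cookie: str) -> str:
    """Outgoing response: rewrite a Set-Cookie header for the session cookie so its
    value becomes '<id>.<mac>'. Any other Set-Cookie header is passed through."""
    name, _, rest = set_cookie.partition("=")
    if name.strip() != SESSION_COOKIE:
        return set_cookie
    value, sep, attrs = rest.partition(";")
    return f"{name}={value}{SEP}{session_mac(value)}{sep}{attrs}"


def validate_incoming(cookie_header: str):
    """Incoming request: locate the session cookie in the Cookie header, verify its
    MAC and return the bare session ID for the application. Returns None when the
    cookie is absent, lacks a MAC, or its MAC does not verify, so the request is
    treated as having no session instead of trusting the presented ID."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name != SESSION_COOKIE:
            continue
        session_id, sep, mac = value.rpartition(SEP)
        if not sep or not session_id:
            return None                      # unsigned or truncated cookie
        expected = session_mac(session_id)
        if not hmac.compare_digest(mac.encode(), expected.encode()):
            return None                      # forged ID or tampered MAC
        return session_id
    return None


if __name__ == "__main__":
    signed = protect_outgoing("ASP.NET_SessionId=abc123; Path=/; HttpOnly")
    print(signed)
    print(validate_incoming(signed.split(";")[0]))          # abc123
    print(validate_incoming("ASP.NET_SessionId=abc123"))    # None (no MAC)
```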

CLC number: