Setting cookie path and domain (Rails 6)

Does anyone have experience/advice on setting the cookie path and domain to harden security in a Rails 6 application?

The Rails docs show setting the path and domain, but in practice I'm not clear on where to do this, or what to set them to (I guess the domain is obvious).

By default, the cookie path is set to "/". owasp.org describes this vulnerability:

The Path attribute plays a major role in setting the scope of the cookies in conjunction with the domain. In addition to the domain, the URL path that the cookie is valid for can be specified. If the domain and path match, then the cookie will be sent in the request. Just as with the domain attribute, if the path attribute is set too loosely, then it could leave the application vulnerable to attacks by other applications on the same server.

It is safer not to specify the cookie's domain attribute. A cookie without a domain attribute is sent only to the originating host (e.g. example.com). On the other hand, a cookie with domain=example.com will be sent to example.com and its subdomains (sub.example.com, www.example.com, etc.). In other words, if you don't specify the domain attribute, the scope in which the cookie is sent is narrower.

You can specify the cookie's path attribute, but it has little security benefit. For example, a cookie with path=/mypage will not be sent to https://example.com/about, but if you send a request from this page to https://example.com/mypage with XMLHttpRequest, the following will occur: the cookie with path=/mypage will be attached to the request. Even if the cookie itself is not stolen thanks to the httponly attribute, the response from https://example.com/mypage will be retrieved by the attacker. Therefore, your personal information will be stolen.

In summary, it is safer not to add the domain attribute to the cookie; the path attribute can be added, but it has little security value.
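As an added example (not part of the original post, and not Rails code), the following Ruby script applies the RFC 6265 domain-matching and path-matching rules to a constructed cookie jar, so you can check which cookies a browser would attach to the URLs the answer mentions. It shows the two points made above: a host-only cookie (no Domain attribute) is not sent to sub.example.com, while a domain=example.com cookie is; and a path=/mypage cookie is withheld from /about yet attached to /mypage, which is why path scoping does not prevent the same-origin XMLHttpRequest scenario. The cookie names and jar contents are constructed sample data.

```ruby
# Added example (not from the original post): RFC 6265 cookie scoping rules,
# used to check which cookies a browser would attach to a given request URL.
require 'uri'

# A cookie as the browser stores it. `host_only` is true when the Set-Cookie
# header carried no Domain attribute (RFC 6265 section 5.3, step 6).
Cookie = Struct.new(:name, :domain, :path, :host_only, keyword_init: true)

# Domain matching (RFC 6265 section 5.1.3): the request host equals the cookie
# domain, or is a subdomain of it and is not an IPv4 literal.
def domain_match?(request_host, cookie_domain)
  request_host = request_host.downcase
  cookie_domain = cookie_domain.downcase
  return true if request_host == cookie_domain

  request_host.end_with?(".#{cookie_domain}") &&
    !request_host.match?(/\A\d{1,3}(\.\d{1,3}){3}\z/)
end

# Path matching (RFC 6265 section 5.1.4). Note the edge case: a cookie path of
# /mypage matches /mypage and /mypage/x, but not /mypages.
def path_match?(request_path, cookie_path)
  return true if request_path == cookie_path
  return false unless request_path.start_with?(cookie_path)

  cookie_path.end_with?('/') || request_path[cookie_path.length] == '/'
end

# Names of the cookies a user agent would attach to a request for `url`
# (RFC 6265 section 5.4, step 1; Secure and expiry are ignored for brevity).
def cookies_sent_to(url, jar)
  uri = URI.parse(url)
  request_path = uri.path.empty? ? '/' : uri.path
  jar.select do |c|
    # A host-only cookie requires an exact host match; a domain cookie
    # also matches subdomains.
    host_ok = c.host_only ? uri.host.casecmp?(c.domain) : domain_match?(uri.host, c.domain)
    host_ok && path_match?(request_path, c.path)
  end.map(&:name)
end

# Constructed sample jar mirroring the answer's cases (names are made up).
SAMPLE_JAR = [
  Cookie.new(name: 'host_only_session',   domain: 'example.com', path: '/',       host_only: true),
  Cookie.new(name: 'domain_wide_session', domain: 'example.com', path: '/',       host_only: false),
  Cookie.new(name: 'mypage_only',         domain: 'example.com', path: '/mypage', host_only: true)
].freeze

if __FILE__ == $PROGRAM_NAME
  %w[
    https://example.com/
    https://sub.example.com/
    https://example.com/about
    https://example.com/mypage
    https://example.com/mypages
  ].each do |u|
    puts "#{u} -> #{cookies_sent_to(u, SAMPLE_JAR).inspect}"
  end
end
```

Running the script prints, for each sample URL, the cookie names a browser would send; the sub.example.com line receives only the domain-wide cookie, and the /about line receives everything except the path-scoped one. In a Rails application these attributes are the `domain:` and `path:` options passed to `config.session_store :cookie_store, ...` (conventionally in `config/initializers/session_store.rb`) for the session cookie, and the same option keys in the hash assigned through `cookies[...]=` for individual cookies.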