Risks of a stolen sessionid

2010-06-27 06:46

by

at 2010-06-26 22:46:29

original http://www.javaeye.com/topic/700057

Today I used an HTTP packet-capture tool to capture an outgoing request and saw the sessionid in the cookies.
The request packet is as follows:

GET /w3/global/j/global.js HTTP/1.1
Accept: */*
Referer: http://www.jiayuan.com/login/index.php?pre_url=/usercp
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; EmbeddedWB 14.52 from: http://www.bsalsa.com/ EmbeddedWB 14.52)
Host: images.jiayuan.com
Connection: Keep-Alive
Cookie: SESSION_HASH=aa200d999de428f8e84ad56f4fc0afb9ac88fb78; stadate1=25727411; myloc=53%7C5301; myage=24; mysex=m; myuid=25727411; myincome=30; last_login_time=1277561249; new_msg=0; pop_1268278480=1277575662747; pop_time=1277561290653


According to the session mechanism, once the server receives the sessionid sent by the client, it goes and finds the corresponding session!


And for a trojan, capturing a request packet like this should not be very hard, so isn't the risk pretty big? I wonder whether the session mechanism has any other means of control.

-----------------------------------

Next, I tested the case that goes over SSL; the capture is as follows:
GET /personbank/main_center.jsp?dse_sessionId=IFAPIXAGCEDLJAEJFHAQGPGTJRFGEBCJFLALBIBZ&netType=0 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-silverlight, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/QVOD, application/x-shockwave-flash, */*
Referer: https://pbank.95559.com.cn/personbank/jump.jsp?dse_sessionId=IFAPIXAGCEDLJAEJFHAQGPGTJRFGEBCJFLALBIBZ&netType=0
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; CIBA; 360SE)
Host: pbank.95559.com.cn
Connection: Keep-Alive
Cookie: BocommRegVerState=1; BocommLastLogon=0; JSESSIONID=0000v3Ar_VMgAxauqlrDo-mJdVz:-1; userLanguage=zh_CN


This is even more confusing: under SSL the sessionid can still be captured, so what mechanism does SSL use to prevent the session from being tampered with?
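As an added example (not code from the original post or from either site captured above), the following Python sketch shows the server's side of the step the post describes, extracting the sessionid from the Cookie header and looking the session up, together with the extra controls a session mechanism can layer on top of that bare lookup: an unguessable random id, idle and absolute timeouts, rotation of the id at login, server-side revocation, and Set-Cookie attributes (Secure, HttpOnly, SameSite) that tell the browser when it may send the cookie at all. The class and function names, the timeouts and the constructed Cookie headers are my assumptions; the JSESSIONID cookie name is taken from the second capture. One caveat a practitioner would want stated: the Secure flag and TLS protect the cookie on the wire, but a capture tool or trojan running on the client machine sees the request before it is encrypted, which is exactly why short lifetimes, rotation and revocation matter on the server.

```python
# Added example: a minimal server-side session store with the controls described
# in the lead-in. All names and constants are assumptions for illustration.
import secrets
import hashlib
from dataclasses import dataclass

COOKIE_NAME = "JSESSIONID"        # cookie name seen in the second capture
IDLE_TIMEOUT = 15 * 60            # seconds without a request before the session dies
ABSOLUTE_LIFETIME = 8 * 60 * 60   # hard cap on session age regardless of activity


def parse_cookie_header(header: str) -> dict:
    """Split a raw Cookie request header into a name -> value dict."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


@dataclass
class Session:
    user: str
    created: float
    last_seen: float
    ua_hash: str


class SessionStore:
    """Server-side table: session id -> Session. The id is the only thing the
    client holds, so everything else about the session is decided here."""

    def __init__(self):
        self._sessions = {}

    @staticmethod
    def _ua_hash(user_agent: str) -> str:
        return hashlib.sha256(user_agent.encode()).hexdigest()

    def create(self, user: str, user_agent: str, now: float) -> str:
        # 32 bytes from the OS CSPRNG: not guessable, unlike a counter or timestamp
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user, now, now, self._ua_hash(user_agent))
        return sid

    def lookup(self, sid: str, user_agent: str, now: float):
        s = self._sessions.get(sid)
        if s is None:
            return None
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created > ABSOLUTE_LIFETIME:
            self.revoke(sid)
            return None
        if s.ua_hash != self._ua_hash(user_agent):
            # Weak binding (a User-Agent is easy to copy), but a mismatch is a
            # cheap signal that an id is being replayed from another client:
            # drop the session and treat it as an event worth logging.
            self.revoke(sid)
            return None
        s.last_seen = now
        return s

    def rotate(self, sid: str, now: float):
        """Issue a fresh id for an existing session (call at login or privilege
        change) so an id captured before authentication is worthless afterwards."""
        s = self._sessions.pop(sid, None)
        if s is None:
            return None
        new_sid = secrets.token_urlsafe(32)
        s.last_seen = now
        self._sessions[new_sid] = s
        return new_sid

    def revoke(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def set_cookie_header(sid: str) -> str:
    # Secure: sent only over TLS; HttpOnly: page scripts cannot read it;
    # SameSite=Lax: not attached to cross-site requests.
    return f"Set-Cookie: {COOKIE_NAME}={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


def handle_request(store: SessionStore, cookie_header: str, user_agent: str, now: float):
    """The lookup step from the post, server side: Cookie header -> session or None."""
    sid = parse_cookie_header(cookie_header).get(COOKIE_NAME)
    return None if sid is None else store.lookup(sid, user_agent, now)


def demo() -> dict:
    """Walk through the lifecycle with constructed requests; returns the outcomes."""
    store, t = SessionStore(), 1000.0
    sid = store.create("alice", "UA-A", t)
    ok = handle_request(store, f"myuid=1; {COOKIE_NAME}={sid}", "UA-A", t + 10)
    replayed = handle_request(store, f"{COOKIE_NAME}={sid}", "UA-B", t + 20)
    after_replay = store.lookup(sid, "UA-A", t + 30)
    sid2 = store.create("bob", "UA-A", t)
    new_sid = store.rotate(sid2, t)
    return {
        "valid": ok is not None and ok.user == "alice",
        "replay_from_other_client_rejected": replayed is None,
        "revoked_after_replay": after_replay is None,
        "old_id_dead_after_rotate": store.lookup(sid2, "UA-A", t + 1) is None,
        "new_id_live_after_rotate": store.lookup(new_sid, "UA-A", t + 1).user == "bob",
        "idle_expired": store.lookup(new_sid, "UA-A", t + 2 + IDLE_TIMEOUT) is None,
    }


if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check}: {'ok' if passed else 'FAILED'}")
```

The point of the design is that the client never holds anything but an opaque random id; lifetime, binding and revocation all live in the store, so a copied id can be cut off server-side without any cooperation from the client that leaked it.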

Author: zhoupjam (http://zhoupjam.javaeye.com)

Declaration: This article is an original piece published on the JavaEye website. Without the author's written permission, no website may reprint it; violators will be held legally liable!