Updated: 2022-05-29 21:28:02
After struggling through various approaches, we found a solution, explained below:
Solution: Though the token values were encrypted, each represented only one value, so if one replaced the whole encrypted value with another valid encrypted value, it could be hacked.
So to solve this we added another cookie which was a combination of multiple values.
For example:
Cookie 1 -> encrypted token
Cookie 2 -> an encrypted object containing information like username + some other user context details + token
So in the case of Cookie 1, it was easy to replace with another encrypted value, as it represented only one token even though it was encrypted.
But in the case of Cookie 2, it contained an object with multiple values, so the token value alone could not be modified, encrypted and set back in the same cookie.
Before authentication we decrypt the whole Cookie 2, fetch the token part from it and validate that token against Cookie 1.
That solved our problem!!
Thanks for your time and guidance.
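The two-cookie check described in this answer, as an added example that is not the poster's code: Cookie 1 holds only the sealed token, Cookie 2 holds a sealed object of username, context and token, and authentication rejects the request unless the token recovered from Cookie 2 matches Cookie 1. The key, user data and the HMAC-based encrypt-then-MAC stand-in for the cipher are constructed for the demo and are not from the original post.

```python
import hashlib
import hmac
import json
import os

# Constructed demo key; a real deployment loads it from a secret store.
KEY = b"constructed-demo-key-32-bytes!!!"
ENC_KEY = hmac.new(KEY, b"enc", hashlib.sha256).digest()  # keystream key
MAC_KEY = hmac.new(KEY, b"mac", hashlib.sha256).digest()  # tag key

def _keystream(nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode, a stdlib stand-in for a real cipher such as AES-GCM.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(ENC_KEY, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(plaintext: bytes) -> str:
    # Encrypt-then-MAC: nonce || ciphertext || tag, hex-encoded as the cookie value.
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(nonce, len(plaintext))))
    tag = hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()
    return (nonce + ct + tag).hex()

def unseal(cookie: str):
    # Returns the plaintext, or None when the tag fails (tampered or truncated cookie);
    # compare_digest also rejects a wrong-length tag, so short inputs fail closed.
    raw = bytes.fromhex(cookie)
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    expected = hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(nonce, len(ct))))

def issue_cookies(username: str, context: dict, token: str):
    # Cookie 1 carries only the token; Cookie 2 binds that token to the user and context.
    cookie1 = seal(token.encode())
    cookie2 = seal(json.dumps({"user": username, "ctx": context, "token": token}).encode())
    return cookie1, cookie2

def authenticate(cookie1: str, cookie2: str):
    # The check from the answer: decrypt Cookie 2, take its token, compare it with Cookie 1.
    token1, obj_bytes = unseal(cookie1), unseal(cookie2)
    if token1 is None or obj_bytes is None:
        return None
    obj = json.loads(obj_bytes)
    if not hmac.compare_digest(token1, obj["token"].encode()):
        return None
    return obj["user"]
```

Note that the MAC tag, not the encryption, is what stops a single cookie from being edited in place; the cross-check only ties the two cookies to each other, so a complete cookie pair copied from another valid session still authenticates as that session's user.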