blocks|key|806699|text|它是安全的--伪造柱子和饼干一样容易。这两者都是通过在cURL中设置标志来完成的。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|806700|尽管如此，我认为你也有一个很好的解决方案。|806701|entityMap^0|0|0^^$0|@$1|2|3|4|5|6|7|F|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|G|8|@]|9|@]|A|$]]|$1|D|3|-4|5|6|7|H|8|@]|9|@]|A|$]]]|E|$]]

It is as secure — forging the POST is equally as easy as the cookie. These are both done by simply setting flags in cURL.

That being said, I think you've got a good solution as well.

blocks|key|806723|text|如果您能够从活动内容中获得会话ID以便发布它，这可能意味着您的会话cookie没有标记为HttpOnly，否则我们的主机声称它是防御跨站点脚本攻击的好主意。|type|unstyled|depth|inlineStyleRanges|entityRanges|offset|length|data|806724|相反，考虑一个基于JavaScript的、甚至是基于刷新的上传监控器，它应该与所有其他东西集成得足够好，使cookie可以是HttpOnly。|806725|另一方面，如果您的站点不接受第三方内容，则跨站点脚本攻击可能不会引起任何关注；在这种情况下，帖子是可以的。|806726|entityMap|0|LINK|mutability|MUTABLE|url|http://www.owasp.org/index.php/HTTPOnly|1|http://www.codinghorror.com/blog/archives/001167.html^0|18|8|0|1S|D|1|0|0|0^^$0|@$1|2|3|4|5|6|7|R|8|@]|9|@$A|S|B|T|1|U]|$A|V|B|W|1|X]]|C|$]]|$1|D|3|E|5|6|7|Y|8|@]|9|@]|C|$]]|$1|F|3|G|5|6|7|Z|8|@]|9|@]|C|$]]|$1|H|3|-4|5|6|7|10|8|@]|9|@]|C|$]]]|I|$J|$5|K|L|M|C|$N|O]]|P|$5|K|L|M|C|$N|Q]]]]

If you are able to obtain the session ID from active content in order to POST it, this presumably means that your session cookie is not marked <a href="http://www.owasp.org/index.php/HTTPOnly" rel="nofollow noreferrer">HttpOnly</a>, which one of our hosts claims is otherwise <a href="http://www.codinghorror.com/blog/archives/001167.html" rel="nofollow noreferrer">a good idea for defending against cross-site scripting attacks</a>.

Consider instead a JavaScript-based or even refresh-based uploader monitor, which should integrate well enough with everything else that the cookie can be HttpOnly.

On the other hand, if your site does not accept third-party content, cross-site scripting attacks may not be of any concern; in that case, the POST is fine.

blocks|key|2074681|text|我认为通过GET发送它也会很好，因为您在HTTP请求中伪造任何东西(使用curl甚至flash)。重要的是cookie/post/get参数中的加密内容以及服务器端如何加密和检查参数。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|2074682|entityMap^0|0^^$0|@$1|2|3|4|5|6|7|D|8|@]|9|@]|A|$]]|$1|B|3|-4|5|6|7|E|8|@]|9|@]|A|$]]]|C|$]]

I think sending it via GET would also work fine, since you fake anything in a HTTP request (using curl or even flash).
The important thing is what is encrypted in you cookie/post/get parameter and how is it encrypted and checked on the server side.

blocks|key|806728|text|POST数据不是HTTP头，但它是作为TCP流的一部分发送的，这使得它与HTTP报头一样容易读取/伪造。如果您截获了一个HTTP请求，它将如下所示：|type|unstyled|depth|inlineStyleRanges|entityRanges|data|806729|POST+/path/to/script+HTTP/1.1
Host:+yourdomain.com
User-Agent:+Mozilla/99.9+(blahblahblah)
Cookie:+__utma=whateverthisisacookievalue;phpsessid=somePHPsessionID

data=thisisthepostdata&otherdata=moredummydata&etc=blah|code-block|syntax|javascript|806730|因此，正如其他人所说的，POST和cookie(以及获取数据，即查询字符串)都很容易被欺骗，因为它们都只是同一个HTTP数据包中的文本。|806731|entityMap^0|0|0|0^^$0|@$1|2|3|4|5|6|7|K|8|@]|9|@]|A|$]]|$1|B|3|C|5|D|7|L|8|@]|9|@]|A|$E|F]]|$1|G|3|H|5|6|7|M|8|@]|9|@]|A|$]]|$1|I|3|-4|5|6|7|N|8|@]|9|@]|A|$]]]|J|$]]

POST data is not an HTTP header, but it is sent as part of the TCP stream which makes it just as easy to read/forge as an HTTP header. If you intercepted an HTTP request it would look something like this:

<pre><code>POST /path/to/script HTTP/1.1
Host: yourdomain.com
User-Agent: Mozilla/99.9 (blahblahblah)
Cookie: __utma=whateverthisisacookievalue;phpsessid=somePHPsessionID

data=thisisthepostdata&amp;otherdata=moredummydata&amp;etc=blah
</code></pre>

So as others have said, POST and cookies (and GET data, i.e. query strings) are all easy to spoof, since they're all just text in the same HTTP packet.

blocks|key|545526|text|真的，如果你担心哪个更容易伪造，那你就是在担心错误的事情。简单地说，对有经验的攻击者来说，这两种方法都是微不足道的。你可以通过选择一个而不是另一个来避开“脚本孩子”，但是那些人并不是你需要担心的人。你应该问自己的问题是：“你对伪造身份的人有什么防御措施？”会发生的。如果你的身份是未加密的，而且很容易猜测，那就是一个问题。它会被黑的。既然你在问哪个更安全，我想说你很担心。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|545527|还有一件事要考虑，因为您的应用程序是flash的，它很容易被修改(就像javascript+HTML代码一样)，因为编译的代码在攻击者机器上。他们可以查看二进制文件，找出代码是如何工作的，以及它需要从服务器检索什么。|545528|entityMap^0|0|0^^$0|@$1|2|3|4|5|6|7|F|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|G|8|@]|9|@]|A|$]]|$1|D|3|-4|5|6|7|H|8|@]|9|@]|A|$]]]|E|$]]

Really if you are worried about which one is easier to forge, you're worrying about the wrong thing. Simply put, either will be trivial to an experienced attacker. You might keep out the "script kiddies" by choosing one over the other, but those people arern't the ones you need to be worried about. The question you should ask yourself is "what defenses do you have against someone forging an id?" It will happen. If your id is unencrypted, and easy to guess, that's a problem. It will get hacked. Since you are asking which is more secure, I would say that you are concerned. 

Here's another thing to consider, since your application is flash, it's susceptable to modification (just like javascript HTML code), because the compiled code is on the attackers machine. They can look through the binary and figure out how the code works, and what it needs to retrieve from the server.

blocks|key|2074729|text|我只想重申，琦琦和波斯特都同样不安全。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|2074730|entityMap^0|0^^$0|@$1|2|3|4|5|6|7|D|8|@]|9|@]|A|$]]|$1|B|3|-4|5|6|7|E|8|@]|9|@]|A|$]]]|C|$]]

I just want to reiterate that both Cookie and Post are equally insecure.

While implementing a <a href="http://swfupload.org/" rel="nofollow noreferrer">flash-based uploader</a>, we were faced with an issue: <a href="http://swfupload.org/forum/generaldiscussion/383" rel="nofollow noreferrer">Flash doesn't provide the correct cookies</a>.
We need our PHP Session ID to be passed via a POST variable.

We have come up with and implemented a functional solution, checking for a POST PHPSESSID.

Is POSTing the Session ID as secure as sending it in a cookie?

Possible reason for: Because both are in the http header, and equally possible for a client to forge.
Possible reason against: Because it's easier to forge a POST variable than a Cookie.

Is POST as secure as a Cookie?

翻译质量差，导致语言生硬或混乱。

没有提供实际的解决方法或示例。

解答不清晰，无法理解或解决问题。

页面排版不美观，阅读体验差。

文章

问答

视频

学习中心

腾讯云实验室

直播

竞赛

腾讯云代码分析专区

腾讯iOA零信任安全管理系统专区

腾讯云架构师技术同盟交流圈

腾讯云数据库专区

腾讯云顾问专区

腾讯云原生专区

腾讯混元专区

腾讯云TCE专区

腾讯云Lighthouse专区

腾讯云HAI专区

腾讯云Edgeone专区

腾讯云存储专区

腾讯云智能专区

腾讯轻联专区 

腾讯云开发专区

TAPD专区

腾讯轻量云游戏服专区

腾讯云最具价值专家

腾讯云架构师技术同盟

腾讯云创作之星

腾讯云开发者先锋

腾讯云代码助手

云原生构建

TAPD 敏捷项目管理

Cloud Studio

SDK中心

API中心

命令行工具

涵盖代码开发、场景应用、自动测试全流程，助你从零构建专属AI助手

一站式MCP教程库，解锁AI应用新玩法

在实现时，我们面临一个问题：。我们需要通过POST变量传递PHP会话ID。我们已经提出并实现了一个功能解决方案，检查一个POST PHPSESSID。 POSTing会话ID与在cookie?中发送会话ID一样安全吗？可能的原因:因为两者都在http头中，而且客户端也同样有可能伪造。可能的反对理由:因为伪造POST变量...

问邮政和琦琦一样安全吗？
EN

社区

活动

圈层

关于

腾讯云开发者

热门产品

热门推荐

更多推荐

问邮政和琦琦一样安全吗？EN

社区

活动

圈层

关于

腾讯云开发者

热门产品

热门推荐

更多推荐

问邮政和琦琦一样安全吗？
EN