[CS] Hashing, Cookie Day-81
Hashing
Converting an input of any length into a fixed-length value (the hash, or digest) by applying a deterministic, one-way function. The same input always yields the same hash, and the hash cannot feasibly be turned back into the input.
What is good hashing?
- It should be quick to calculate the hash value. (The one exception is a password hash, where deliberate slowness is the point: it limits how many guesses an attacker can try per second.)
- It should be infeasible to recover the input from its hash value (pre-image resistance). This is what lets a server store a hash instead of the password itself.
- It should be infeasible to find two different inputs with the same hash value (collision resistance). Collisions must exist, since inputs are unbounded and outputs are fixed-length, but a good hash makes them impractical to find.
- Even a very small change to the input should produce a completely different hash value (the avalanche effect).
Hashing process (login with a hashed password)
When a client logs in, it sends its username and password to the server. The server never stores the password itself; it stores only the password's hash.
The server looks up the stored hash for that user in the DB, hashes the password it just received in exactly the same way, and compares the two hash values. If they match, the server responds to the client with the requested information; if not, the login is rejected.
Encryption (often confused with the hashing step above)
Encryption is the process of transforming information with an algorithm and a key into another form, so that it cannot be understood except by the person who holds the key. Unlike hashing it is reversible: whoever has the key can decrypt. Stored passwords are hashed, not encrypted, precisely so that nobody, not even the server, can turn the stored value back into the password.
Salt
A random extra value added to the password before it is hashed, stored next to the resulting hash.
- Hashing alone is deterministic: the same password always produces the same hash. Two users with the same password end up with identical stored values, and an attacker can precompute a table of hashes for common passwords (a rainbow table) and look stolen hashes up in it.
- With a unique salt per user, the same password produces a different hash for every user, so precomputed tables are useless and each stolen hash has to be attacked separately. The salt is not secret and is not an algorithm of its own; it simply becomes part of the input that is hashed.
Cookie
One of the ways the Server stores data on the Client.
(If the server wants, it can use cookies to get data back from the client.)
So cookies are not only data sent from server to client; the client also sends the stored cookies back to the server.
The Server sets a cookie with the Set-Cookie response header, and the client stores it and attaches it in the Cookie header of later requests to that server.
Cookie Options
- Domain: Defines the host to which the cookie will be sent. If omitted, this attribute defaults to the host of the current document URL, not including subdomains. If set (e.g. Domain=example.com), the cookie is also sent to every subdomain, so set it as narrowly as possible.
- Path: Indicates the path that must exist in the requested URL for the browser to send the Cookie header. The forward slash (/) character is interpreted as a directory separator, and subdirectories are matched as well.
ex) Path=/docs
/docs
/docs/Web/
/docs/Web/HTTP
will all match.
- Max-Age or Expires: Max-Age gives the number of seconds until the cookie expires; a zero or negative number expires the cookie immediately. Expires gives an absolute date instead. If neither is set, the cookie is a session cookie and is discarded when the browser closes.
If you do not log out on a shared computer, someone may take over your session from the stored cookie, so the server can have the cookie destroyed automatically after a certain period of time.
- HttpOnly: Makes the cookie inaccessible to JavaScript (document.cookie). It is still sent with requests, so the session keeps working, but a cross-site scripting (XSS) payload cannot read it and send it to the attacker.
- Secure: Indicates that the cookie is sent to the server only when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.
- SameSite: Controls whether the cookie is sent with cross-site requests (requests started from a site other than the one the cookie belongs to).
ex) The possible attribute values are:
SameSite=Strict (The cookie is never sent on a cross-site request, not even when the user follows a link to the site.)
SameSite=Lax (The cookie is sent on cross-site top-level navigations that use a safe method such as GET, but not on cross-site POSTs, iframes, images or fetch/XHR calls. Modern Chromium-based browsers use this as the default when the attribute is omitted.)
SameSite=None (The cookie is sent with all cross-site requests; browsers require the Secure attribute alongside it.)
SameSite therefore defends against CSRF attacks: the forged cross-site request arrives without the session cookie, so the server treats it as anonymous.
CSRF?
Cross Site Request Forgery: tricking the victim's browser into sending a request to a site where the victim is logged in. The browser attaches the victim's cookies automatically, so the site carries out an action the victim never intended.
ex) Money is transferred out of my account when I click a link in spam, because the link points at my bank's transfer endpoint and my browser attaches my bank session cookie to the request.
Conditions for a CSRF attack
- Login is maintained with cookies, which the browser attaches to every matching request on its own.
- The request path and parameters are predictable, so the attacker can construct the request in advance.
How to prevent CSRF attacks
- Use CSRF tokens: a random, per-session value that the server embeds in its own pages and requires on every state-changing request. A page on the attacker's site cannot read it, so the forged request cannot include it.
- Use the SameSite cookie option, so the session cookie is not attached to cross-site requests in the first place.
Staying connected with cookies
The Server sends a cookie containing a session identifier or other authentication information to the Client, and the Client sends that cookie back with each request; this is how a stateless HTTP connection is made stateful.
Cookies can persist for a long time, but storing sensitive information in them is risky because a cookie can be stolen or leaked. Store only an opaque session ID in the cookie and keep the actual data on the server.
Author And Source
Regarding this topic ([CS] Hashing, Cookie Day-81), we found more material at this location and viewed it by clicking the link https://velog.io/@cptkuk91/CS-Hashing-Cookie-Day-81 Author attribution: the original author's information is included in the original author's URL, and the copyright belongs to the original author.
Dedicated to discovering excellent developer content (Collection and Share based on the CC Protocol.)