Add en/0.6.x.md syntax highlighting

vCaesar
2017-05-20 17:56:20 +08:00
parent 919364cfe3
commit 19c6592848
4 changed files with 45 additions and 45 deletions


@@ -7,7 +7,7 @@ In this section, we are going to show you how to hijack a session for educationa
## The session hijacking process
The following code is a counter for the `count` variable:
```Go
func count(w http.ResponseWriter, r *http.Request) {
sess := globalSessions.SessionStart(w, r)
ct := sess.Get("countnum")
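Review bot: the fence tag is `Go` (capitalised) rather than the conventional lowercase `go`; GitHub's renderer matches the tag case-insensitively, so it highlights there, but other Markdown renderers the book may be built with are not all as forgiving. Since this commit touches four files for exactly this purpose, consider lowercasing the tag in all of them in one pass.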
@@ -20,7 +20,7 @@ The following code is a counter for the `count` variable:
w.Header().Set("Content-Type", "text/html")
t.Execute(w, sess.Get("countnum"))
}
```
The content of `count.gtpl` is as follows:
Hi. Now count:{{.}}
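Review bot: `Hi. Now count:{{.}}` is left as bare text directly after "The content of `count.gtpl` is as follows:"; in a syntax-highlighting commit it should sit in its own fenced block (an untagged fence is fine) so the template renders as code like the Go handler above it. Separately, and out of scope for a fence-only change, `t.Execute(w, sess.Get("countnum"))` discards its error, so a template failure would silently send a partial 200 response; worth a follow-up.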
@@ -60,7 +60,7 @@ Through this simple example of hijacking a session, you can see that it's very d
The first step is to only set session id's in cookies, instead of in URL rewrites. Also, we should set the httponly cookie property to true. This restricts client-side scripts from gaining access to the session id. Using these techniques, cookies cannot be accessed by XSS and it won't be as easy as we demonstrated to get a session id from a cookie manager.
The second step is to add a token to every request. Similar to the manner in which we dealt with repeating form submissions in previous sections, we add a hidden field that contains a token. When a request is sent to the server, we can verify this token to prove that the request is unique.
```Go
h := md5.New()
salt:="astaxie%^7&8888"
io.WriteString(h,salt+time.Now().String())
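Review bot: the token in this block is `md5` of a fixed string `"astaxie%^7&8888"` plus `time.Now().String()`, which is not what the surrounding text promises ("verify this token to prove that the request is unique"): the salt is a constant printed in the book, and the timestamp is guessable to within a small window, so the value is derived entirely from predictable inputs. The fence change is fine, but the example should draw the token from `crypto/rand` (e.g. 32 bytes, hex- or base64-encoded) rather than hashing a clock, and `md5` should not appear in a security chapter at all. Minor style: `salt:="..."` and `io.WriteString(h,salt+...)` are missing the spaces `gofmt` would insert.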
@@ -69,11 +69,11 @@ The second step is to add a token to every request. Similar to the manner in whi
// ask to log in
}
sess.Set("token",token)
```
### Session id timeout
Another solution is to add a create time for every session, and to replace expired session id's with new ones. This can prevent session hijacking under certain circumstances such as when the hijack is attempted too late.
```Go
createtime := sess.Get("createtime")
if createtime == nil {
sess.Set("createtime", time.Now().Unix())
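Review bot: the branch that ends with `// ask to log in` shows no `return`, and the next statement after the closing brace is `sess.Set("token",token)`; if the elided lines above this hunk also do not return, a request that failed token verification still gets a fresh token stored in its session and continues into the handler. Please confirm a `return` exists there, or add one, so the "ask to log in" path actually stops processing. Also, `sess.Set("token",token)` needs a space after the comma for `gofmt` consistency with the rest of the snippet.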
@@ -81,7 +81,7 @@ Another solution is to add a create time for every session, and to replace expir
globalSessions.SessionDestroy(w, r)
sess = globalSessions.SessionStart(w, r)
}
```
We set a value to save the create time and check if it's expired (I set 60 seconds here). This step can often thwart session hijacking attempts.
By combining the two solutions set out above you will be able to prevent most session hijacking attempts from succeeding. On the one hand, session id's that are frequently reset will result in an attacker always getting expired and useless session id's; on the other hand, by setting the httponly property on cookies and ensuring that session id's can only be passed via cookies, all URL based attacks are mitigated. Finally, we set `MaxAge=0` on our cookies, which means that the session id's will not be saved in the browser history.
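Review bot: the last sentence of this hunk states that `MaxAge=0` means "the session id's will not be saved in the browser history", which mixes two things up. In Go's `net/http`, `MaxAge=0` means no `Max-Age` attribute is written at all, producing a session cookie that the browser discards when it closes (a negative `MaxAge` is what deletes the cookie); browser history is unrelated to cookie persistence. Suggest rewording to "we leave `MaxAge` at 0 so the cookie carries no `Max-Age`/`Expires` and is discarded when the browser session ends". Likewise "I set 60 seconds here" refers to a value that is not in the lines shown; the `60` should appear in the code block so the prose and code agree.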