
How to prevent session data stored in cookies from being tampered with

Posted: Wed Jan 08, 2025 4:44 am
by aminaas1575
When you click Add to Cart, a request is sent to the server, and the server then redirects you to the URL store.tw?item=backpack. When you finally click checkout, the server decides what to do based on the query string (queryString) in your address bar. This is also where the state is accessed.

However, the security of information stored in the address bar is not high. Some browsers have length restrictions on queryString.

Method 2: Cookie
Session and Cookie can be used together. When you press Add to Cart, the browser sends a request to the server. The server asks the browser to set the cookie, and the browser stores item1=backpack in the cookie. Finally, when you press Checkout, the browser sends a request to the server with the cookie that has just stored the new data, and the server determines the state based on the content of the cookie.

However, it was mentioned in the previous paragraph that cookies are not encrypted during transmission and are easily tampered with, so this problem must be solved.


Solution 1
All session state stored in cookies is encrypted; this method of storing all session state in cookies is called a cookie-based session. The disadvantage is that cookies have a limited storage size. If the encrypted content is larger than the storage limit, the browser cannot store it.

Solution 2
The identity is determined through the Session ID. When the server sets the cookie, it stores only the Session ID in the cookie, and all other state is stored on the server. After this, requests and other actions only need to check whether a Session ID is present, then either use it to find the Session and obtain more information, or create a new Session and Session ID.



Summary
Cookies are the common way to implement the Session mechanism, but not the only one: you can also use the URL as mentioned in the text, although it is less convenient and less secure than the Cookie method.
Session stores data on the server side, while Cookie stores data on the user side. Therefore, it is safer to store important data in the Session and then use the Session ID stored in the Cookie to identify the user's data.
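
A sketch of Solution 2 as an added example (not code from the original post): the cookie carries only a random Session ID, the cart lives on the server, and an unknown ID gets a fresh session. The cookie name `sid`, the in-memory `SESSIONS` dict, and the cookie flags are assumptions made for illustration.

```python
import secrets
from http.cookies import SimpleCookie

# Hypothetical in-memory server-side store: Session ID -> session state.
SESSIONS = {}

def get_session(cookie_header):
    """Find the session for the request's Cookie header, or create a new one."""
    cookie = SimpleCookie()
    cookie.load(cookie_header or "")
    sid = cookie["sid"].value if "sid" in cookie else None
    if sid is None or sid not in SESSIONS:
        # Missing or unknown ID: issue a new unguessable ID with empty state.
        sid = secrets.token_urlsafe(32)
        SESSIONS[sid] = {"cart": []}
    return sid, SESSIONS[sid]

def set_cookie_header(sid):
    """Build the Set-Cookie value; only the Session ID goes to the browser."""
    cookie = SimpleCookie()
    cookie["sid"] = sid
    cookie["sid"]["httponly"] = True   # assumption: hide the ID from page scripts
    cookie["sid"]["secure"] = True     # assumption: send the cookie over HTTPS only
    cookie["sid"]["samesite"] = "Lax"
    return cookie["sid"].OutputString()

def add_to_cart(cookie_header, item):
    """Add to Cart: state changes on the server, the cookie stays an ID."""
    sid, state = get_session(cookie_header)
    state["cart"].append(item)
    return set_cookie_header(sid)

def checkout(cookie_header):
    """Checkout reads the cart from the server store, never from cookie values."""
    _, state = get_session(cookie_header)
    return list(state["cart"])

if __name__ == "__main__":
    set_cookie = add_to_cart(None, "backpack")
    sid_pair = set_cookie.split(";")[0]            # "sid=<random>"
    print(checkout(sid_pair))                      # cart from the server store
    print(checkout(sid_pair + "; item1=laptop"))   # extra client value is ignored
    print(checkout("sid=guessed-value"))           # unknown ID: new empty session
```
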