- First clear the browser's cookies, then open DVWA and capture the traffic. The request the browser sends at this point carries no session ID:
GET / HTTP/1.1
Host: 192.168.180.128:2333
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
- The response to this request is:
HTTP/1.1 302 Found
Date: Tue, 17 Apr 2018 06:01:40 GMT
Server: Apache/2.4.18 (Ubuntu)
Set-Cookie: PHPSESSID=qk84l7glm7qgck0aebi0gmpue4; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: PHPSESSID=qk84l7glm7qgck0aebi0gmpue4; path=/; HttpOnly
Set-Cookie: security=impossible; HttpOnly
Location: login.php
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
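As the capture shows, the data returned by the server carries a session ID, which means this session ID is generated by the server and sent to the browser.
session id: qk84l7glm7qgck0aebi0gmpue4
- The GET request the browser sends next carries this session ID: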
GET /login.php HTTP/1.1
Host: 192.168.180.128:2333
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=qk84l7glm7qgck0aebi0gmpue4; security=impossible
Connection: close
- After the username and password are entered, the browser sends this POST request:
POST /login.php HTTP/1.1
Host: 192.168.180.128:2333
Content-Length: 88
Cache-Control: max-age=0
Origin: http://192.168.180.128:2333
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://192.168.180.128:2333/login.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=qk84l7glm7qgck0aebi0gmpue4; security=impossible
Connection: close

username=admin&password=password&Login=Login&user_token=ae346fee479c2d5f7f0c8c80fc4f9a65
The user_token here is: ae346fee479c2d5f7f0c8c80fc4f9a65
After a few more requests, the user token has changed:
POST /security.php HTTP/1.1
Host: 192.168.180.128:2333
Content-Length: 78
Cache-Control: max-age=0
Origin: http://192.168.180.128:2333
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://192.168.180.128:2333/security.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=qk84l7glm7qgck0aebi0gmpue4; security=impossible
Connection: close

security=high&seclev_submit=Submit&user_token=a69e4f83d036dbf9f22cb49a96783fdc
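
The following Python sketch is an added example, not part of the original post. It parses the `Set-Cookie` headers and POST bodies captured above, reports which hardening attributes each cookie was set without, and confirms that `user_token` differs between the two requests. The function names are hypothetical; the header and body values are copied from the capture, which was taken over plain HTTP in a lab.

```python
from urllib.parse import parse_qs

# Copied from the capture on this page: Set-Cookie headers of the 302 response.
RESPONSE_HEADERS = """\
Set-Cookie: PHPSESSID=qk84l7glm7qgck0aebi0gmpue4; path=/
Set-Cookie: PHPSESSID=qk84l7glm7qgck0aebi0gmpue4; path=/; HttpOnly
Set-Cookie: security=impossible; HttpOnly
"""
# Copied from the capture on this page: bodies of the two POST requests.
LOGIN_BODY = ("username=admin&password=password&Login=Login"
              "&user_token=ae346fee479c2d5f7f0c8c80fc4f9a65")
SECURITY_BODY = ("security=high&seclev_submit=Submit"
                 "&user_token=a69e4f83d036dbf9f22cb49a96783fdc")

def parse_set_cookies(raw_headers):
    """Return (name, value, attrs) for every Set-Cookie header, in order."""
    cookies = []
    for line in raw_headers.splitlines():
        field, _, content = line.partition(":")
        if field.strip().lower() != "set-cookie":
            continue
        parts = [p.strip() for p in content.split(";") if p.strip()]
        name, _, value = parts[0].partition("=")
        attrs = {}
        for part in parts[1:]:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
        cookies.append((name, value, attrs))
    return cookies

def effective_cookies(cookies):
    """A later Set-Cookie with the same name and path replaces the earlier one."""
    jar = {}
    for name, value, attrs in cookies:
        jar[(name, attrs.get("path", ""))] = (value, attrs)
    return {name: entry for (name, _), entry in jar.items()}

def missing_flags(attrs, wanted=("httponly", "secure", "samesite")):
    """List the hardening attributes a cookie was set without."""
    return [flag for flag in wanted if flag not in attrs]

def user_token(body):
    """Extract the user_token field from a urlencoded POST body."""
    return parse_qs(body)["user_token"][0]

if __name__ == "__main__":
    for name, (value, attrs) in effective_cookies(parse_set_cookies(RESPONSE_HEADERS)).items():
        print(name, value, "missing:", missing_flags(attrs))
    print("token rotated:", user_token(LOGIN_BODY) != user_token(SECURITY_BODY))
```

The first `PHPSESSID` header in the capture lacks `HttpOnly`, but the second header for the same name and path replaces it, so the stored cookie does carry the flag.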