CN110445744B - Data processing method and device - Google Patents
Data processing method and device Download PDFInfo
- Publication number
- CN110445744B CN110445744B CN201810409871.7A CN201810409871A CN110445744B CN 110445744 B CN110445744 B CN 110445744B CN 201810409871 A CN201810409871 A CN 201810409871A CN 110445744 B CN110445744 B CN 110445744B
- Authority
- CN
- China
- Prior art keywords
- cookie
- user
- information
- upgrading
- website
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0435—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/02—Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/06—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
- H04L9/0643—Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0869—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Power Engineering (AREA)
- Information Transfer Between Computers (AREA)
Abstract
The application discloses a data processing method, which comprises the following steps: receiving a user access request; obtaining a cookie from the access request; determining a login state of the user based on the cookie; and performing identity authentication on the user according to the login state and the cookie. The problem that user experience is reduced due to the fact that all users of a website log in to authenticate identities when cookie upgrading is required is solved.
Description
Technical Field
The application relates to the technical field of security, in particular to a data processing method. The application also relates to a data processing device.
Background
Many websites provide customized information to users, provide a more friendly, cultural browsing environment for users browsing websites, and facilitate website analysis, cookie technology is commonly used, for example, to allow users to customize the appearance of web pages, change the content, layout, and color of web pages; allowing the user to set the columns, etc. according to personal preferences. By using the cookie technology, even if a proxy server, a cache and the like exist, the website can be helped to identify the user, specify different security policies and marketing policies according to different visitors, and help to identify whether the user is a new visitor or a previous visitor and accurately count the number of visitors, for example, after the user logs in, the website establishes a unique ID for each visitor and plants a cookie representing the identity of the user on the browser of the user, and then although the user does not log in, the website can identify the user according to the cookie carried by each visit, so that the number of people who visit the website is new (namely, the first visit) and the number of old users can be determined. The website generally identifies the user according to whether the cookie exists in the access request, and if the cookie does not exist, the user is considered to be a new user, so that the attack behavior that an attacker intentionally removes the cookie to disguise the new user has no resistance, and a security risk exists.
The existing website security scheme for preventing cookie from clearing and disguising new user attack generally adopts forced registration or login of a user which does not record cookies on a server, so that the problem that an attacker intentionally clears cookies to disguise the attack behavior of a new user is solved.
The prior technical scheme for preventing cookie from clearing the attack of disguised new users has the following problems: all users of the website are required to log in after the cookie is updated, and the updating or updating cost is huge due to the sacrifice of user experience.
Disclosure of Invention
The application provides a data processing method to solve the problem that cookie upgrading requires that all users of a website log in to authenticate identities, so that user experience is reduced.
The application provides a data processing method, which comprises the following steps:
receiving a user access request;
obtaining a cookie from the access request;
determining a login status of a user based on the cookie;
and performing identity authentication on the user according to the login state and the cookie.
Optionally, performing identity authentication on the user according to the login state and the cookie, including:
judging whether the user is a logged-on user or not; if yes, updating the cookie or updating the cookie according to the logged user identity information;
And if not, acquiring the identity information in the cookie, and performing identity authentication.
Optionally, the determining the user login state includes determining whether the user is a logged-in user according to token information carried in the access request; and the token is a login token carried by a cookie or a public parameter of the access request.
Optionally, the performing identity authentication includes:
judging whether the identity information can prove the identity of the user;
and performing identity authentication according to the judgment result and a preset upgrading strategy.
Optionally, the performing identity authentication according to the judgment result and a predetermined upgrade policy includes:
if the judgment result is yes, obtaining the upgrading state information from the cookie, and performing identity authentication according to the upgrading state and a preset upgrading strategy.
Optionally, the performing identity authentication according to the upgrade status and a predetermined upgrade policy includes:
judging whether the cookie needs to be updated or not according to the preset updating strategy if the obtained updating state information indicates that the website or the server or the cookie is in updating;
if yes, requiring the user to log in for identity authentication and upgrading the cookie;
If not, trusting the cookie information, and updating the cookie according to the user identity in the cookie.
Optionally, the performing identity authentication according to the upgrade status and a predetermined upgrade policy includes:
and if the upgrade state information is not acquired or the upgrade state information does not indicate that the website or the server or the cookie is in the upgrade process, trusting the identity information and updating the cookie by using the identity information.
Optionally, the upgrade state information is state information of the website server when the cookie is generated.
Optionally, the upgrade status information and/or the identity information is encrypted information.
Optionally, the performing identity authentication according to the judgment result and a predetermined upgrade policy includes:
if the judgment result is negative, further judging whether the website is upgrading the cookie;
if the website is upgrading the cookie, issuing the upgraded cookie;
and if the website is not upgrading the cookie, the user is required to log in for identity authentication.
Optionally, the predetermined upgrade policy is a policy of whether to upgrade the cookie in a scenario where the user identity is not strongly required, and includes:
determining according to the website upgrading period, and after the website upgrading period is finished, accessing the website again by the user who does not finish cookie upgrading and needing cookie upgrading; alternatively, the first and second electrodes may be,
And appointing a settable cookie updated user number threshold value or a cookie non-updated user number threshold value according to manual experience, wherein the cookie needs to be updated by the user who accesses the website and meets the threshold condition.
Optionally, the cookie is generated by the website server by the following method:
adding salt aiming at the cookie ciphertext, and then carrying out hash;
and generating the cookie based on the hash result and the cookie ciphertext.
Optionally, the cookie ciphertext is a ciphertext formed by encrypting according to the identity information of the user on the website and the random information.
Optionally, the salt is a random value randomly generated by the system.
The present application also provides a data processing apparatus, comprising:
the request processing unit is used for receiving a user access request;
a cookie obtaining unit, configured to obtain a cookie from the access request;
a login state determination unit for determining a login state of the user based on the cookie;
and the authentication unit is used for performing identity authentication on the user according to the login state and the cookie.
Compared with the prior art, the method has the following advantages:
according to the data processing method and device, the user access request is received; obtaining a cookie from the access request; determining a login state of the user based on the cookie; and after the cookie at the server side is upgraded, reliably identifying the user in the non-login state according to the cookie and the upgrading strategy in the access request, not requiring all users of the website to login and authenticate the identity, and avoiding the attack behavior that an attacker uses an upgrading period to remove the cookie to disguise a new user by lower user experience loss, thereby solving the problem that the user experience is reduced because all users of the website are required to login by the cookie upgrading.
Drawings
Fig. 1 is a processing flow chart of a data processing method provided in an embodiment of the present application;
fig. 2 is a flowchart of processing a user login cookie included in a data processing method according to an embodiment of the present application;
fig. 3 is a schematic diagram of a data processing apparatus according to the present application.
Detailed Description
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present application. This application is capable of implementation in many different ways than those herein set forth and of similar import by those skilled in the art without departing from the spirit of this application and is therefore not limited to the specific implementations disclosed below.
The application provides a data processing method. The application also relates to a data processing device. Details are described in the following examples one by one.
An embodiment of the present application provides a data processing method.
An embodiment of a data processing method provided in the present application is described below with reference to fig. 1 to 2. Fig. 1 is a processing flow chart of a data processing method provided in an embodiment of the present application; fig. 2 is a flowchart of processing a user login cookie included in a data processing method according to an embodiment of the present application.
The data processing method provided by the embodiment of the present application is related to cookies, and for convenience of understanding, a cookie technology is first briefly described. Cookie technology is commonly used for many web sites because the web sites mostly transfer data through the HTTP protocol, but HTTP is a stateless protocol, and the web server does not know the user identity (i.e. cannot maintain the user session) from the network connection alone, and the cookie technology enables the web server to identify the user identity and identify the session, for example, by using a cookie-based session management method: after the user logs in successfully, a unique cookie mark is set to identify the session, user authorization is carried out based on the mark, and the session is considered to be in a login state as long as the request carries the mark.
The so-called cookie (or cookies) technology is a technology that enables a web server to store a small amount of data in a hard disk or a memory of a client, or to read data from the hard disk of the client; a cookie is actually a small text file, typically generated by a web server, sent in response to a client browser, stored by the client browser, e.g. on a hard disk, which cannot be executed as code per se, does not transmit viruses, and can only be read by the server that provides it, and the stored pieces of information are stored in the form of name-value pairs (also called key-value pairs or key-value pairs), a "name/value" pair being merely a piece of named data. Generally, the content in the cookie is encrypted, and the website can only obtain the information stored in the computer, but cannot obtain the information from other cookie files. The server may modify the contents of the cookie as needed. cookies are also used to provide personalized customization to users and to track user behavior, such as shopping cart functionality for shopping sites or to record whether a local site has been visited, in addition to HTTP protocol session management. It should be noted that, besides the browser, other client applications may also use cookies to implement similar functions, so that the client mentioned in the embodiment of the present application is not limited to the browser.
The data processing method shown in fig. 1 includes: steps S101 to S104.
Step S101, receiving a user access request.
The website generally considers that a new user is in a request without a cookie, an attacker often uses the point to intentionally remove the cookie so as to disguise that the new user attacks the website, and the website often adopts forced registration or login of the user which does not record the cookie on a server side in order to solve the attack, but the following problems are brought: all users of the website are required to log in after the cookie is updated, and the updating or updating cost is huge due to the sacrifice of user experience. According to the data processing method provided by the embodiment of the application, the user is reliably identified according to the cookie in the access request and the upgrading strategy, and all users in the website are not required to log in the authentication identity after the cookie is upgraded, so that the user experience loss caused by cookie upgrading is reduced.
The cookie upgrading refers to changing the organization structure and attributes of cookies due to business requirements and security requirements. cookie upgrades are often based on three reasons: firstly, the business needs to add a new field into the cookie; secondly, security reinforcement is carried out on the current cookie; in addition, whether the cookie is used or not is changed during the operation of the website, for example, the cookie is not used when the website is put into use, and then the cookie is newly used due to the service requirement.
This step receives an access request from a client. Specifically, the client is a browser or other client application, and the user accesses the web server through the client.
In the embodiment of the present application, the access request refers to an HTTP or HTTPs request, that is, a client and a server transmit data through HTTP or HTTPs. For example, when a user accesses a website, a client side initiates an HTTP access request to a server, the user is a new user, the server generates a cookie to record the user state, and issues the cookie to a client browser through an HTTP response; the client browser stores the cookie, such as on a hard disk, and when the browser requests to access the website again, the browser submits the requested website together with the cookie to a server through an HTTP access request, and the cookie is carried in an HTTP header; the server reads Cookie information from the HTTP header of the access request, checks the Cookie and takes corresponding actions, such as setting personalized customization information, displaying a welcome banner on the page, or allowing direct login without entering a user ID, password, etc. The following are examples of the server setting a cookie for the browser's HTTP Response (HTTP Response) and the browser carrying a cookie for the server-initiated HTTP Request (HTTP Request), respectively (cookie information is not encrypted):
(1) HTTP Response from server to browser
HTTP/1.1 200OK
Content-type:text/html
Set-Cookie:name=test
Set-Cookie:name2=test2;Expires=Fri,09February 2018 15:18:18 GMT;
(2) The browser sends the HTTP Request to the server again:
Host:www.test.org
Cookie:name1=test1;name2=test2
Accept:*/*;
the HTTP header may carry more than one cookie, and the information used to generate the cookie is generally a user ID, a password, a browsed web page, a staying time, and the like, and the server generates a string of values according to the information.
In the embodiment of the present application, the access request carries a cookie, and the cookie is composed of the following attributes: name (name), value (value), valid domain (domain), path (path of domain, "\\" indicates setting to global), expiration time (expire), security flag (secure), cookie is read from hard disk or memory by browser (or client), cookie submitted in access request only submits name-value attribute, other attribute of cookie is not submitted, for example, expire attribute is included when server sets cookie, and is only used by browser to judge whether cookie is expired, and attribute is not submitted when accessing again.
And step S102, obtaining the cookie from the access request.
This step is to retrieve a cookie from the access request to determine the user's login status based on the cookie.
In the embodiment of the application, the cookie is a tracking item, and in other embodiments, other data can be used as the tracking item, and the login state of the user is determined based on the tracking item.
In the embodiment of the application, the cookie issued by the server is processed through encryption and a hash algorithm, and an HttpOnly attribute and a Secure attribute are set, so that the security is improved. Specifically, the website server is generated by the following method:
adding salt aiming at the cookie ciphertext, and then carrying out hash;
and generating the cookie based on the hash result and the cookie cryptograph.
The cookie ciphertext is formed by encrypting according to identity information and random information of a user on a website, and thus the cookie value cannot be predicted and forged by an attacker through encryption and Hash algorithm processing twice, for example, character string splicing is performed on the identity information and the random information of the user on the website, the spliced information is encrypted by adopting an AES (advanced encryption standard) encryption algorithm to generate the cookie ciphertext, then after salt is added to the cookie ciphertext, MD5 Hash calculation or SHA-256 Hash calculation is performed again to obtain a Hash calculation result of the cookie ciphertext, then the cookie ciphertext and the Hash calculation result of the cookie ciphertext are spliced to generate a cookie for a client, and a server stores the salt value for use when the cookie is issued to check the identity of the user carried when the user access request is received; the AES Encryption algorithm (AES for short) is a symmetric Encryption algorithm, that is, the same key is used for Encryption and decryption; MD5 and SHA-256 (short for SHA) are two kinds of one-way Hash algorithms with different strengths, i.e. calculating a character string (also called a message digest) with a fixed length corresponding to a digital message. The salt is a random value randomly generated by the system.
Therefore, when the server receives the access request of the user and takes out the cookie for processing, the server also needs to process the cookie ciphertext by adopting a corresponding reverse process. For example, following the above example of generating a cookie, the server generates and issues a cookie to the client, and stores a salt value used to generate the cookie, and then, after receiving an access request from the client, the server performs MD5 or SHA-256 hash calculation (corresponding to the hash algorithm used when generating the cookie), using the cookie ciphertext and the salt value, and determines whether the calculation result is the same as the hash value carried in the cookie, and if so, further performs AES decryption using the AES key stored in the server, and extracts the user identity from the information after decryption. Because the salt is only stored in the server, an attacker cannot successfully forge the hash value obtained by adding the salt to the cookie ciphertext, the ciphertext submitted by the client can be generated by the server, and the server can trust the cookie. In addition, the purpose of setting the HttpOnly attribute and the Secure attribute is to ensure that cookies cannot be stolen by attackers due to security vulnerabilities in the transmission process, wherein the HttpOnly attribute is an additional field of an HTTP response header, the attribute is used when cookies are generated, the risk of accessing and protecting the cookies by client-side scripts is reduced, and the cookie cannot be seen in a document object of a browser and cannot be read by JS scripts, applets and other programs due to the fact that the cookie with the 'HttpOnly' attribute is set; the Secure attribute specifies how a cookie value is transmitted between a user and a Web server through a network, and when the Secure attribute is set to true in the cookie, the created cookie can be transmitted to the server in a Secure manner, that is, the created cookie can be transmitted to the server side for session authentication only in an HTTPS connection by a browser, and if the created cookie value is an HTTP connection, the created cookie value cannot be transmitted to the server side for session authentication, and if the created cookie value is an HTTP connection, the created cookie value cannot be stolen to specific contents of the cookie.
And step S103, determining the login state of the user based on the cookie.
This step determines the user's login status to further take different cookie update or upgrade policies for logged in and non-logged in users.
In the embodiment of the application, the determining of the user login state includes judging whether the user is a logged-in user or not according to token information carried in the access request.
The cookie update means updating the value of a variable included in the cookie according to the user information under the conditions and logic of the current cookie organization structure and attributes. And for the user who does not log in, further determining whether to require login or registration for authentication according to the identity information of the user.
The token is a login token carried by a cookie or a public parameter of the access request, is generally a character string or a large integer, also called token value, and is a value used for identifying a user identity generated by the server according to the information of the user, and the user information includes at least any one of the following information: such as account number, password, identity authentication mechanism; wherein the identity authentication mechanism comprises any of the following information: telephone number, identification card number, payment account number, bank card information, etc. Specifically, after the user successfully logs in for the first time, the server generates a token value, stores the token value in the database, and returns the token value to the client; the client saves the token value in the cookie, and carries the token value in the cookie when sending the access request to the server again; in addition, the client can also store the token value in a sandbox, and the token value is transmitted to the server as a public parameter when sending an access request to the server again; among them, the so-called sandbox is a method for running an application program in a limited security environment, which is to limit the code access authority granted to the application program, for example, a control downloaded to Internet Explorer runs by using an Internet authority set; the common parameter is a parameter required for each network request.
In the embodiment of the application, after receiving an access request of a client, a server extracts a token value from the access request, and compares the token value with a token value stored in a local server or a database; if the two token values are the same, the user is in a login state; if the token value is not obtained or is different, it indicates that the user has not successfully logged in or the original login information is invalid, and the user is an unregistered user.
And step S104, performing identity authentication on the user according to the login state and the cookie.
The method comprises the steps of distinguishing users into logged-in users and logged-out users according to the login states of the users, and adopting different authentication strategies aiming at the logged-out users and the logged-in users.
In the embodiment of the application, whether the user is a logged-on user is judged according to the login state of the user; if yes, updating the cookie or updating the cookie according to the logged user identity information, for example, recording the identity information of the user during logging in at the server side, and updating the cookie by using the identity information, so that after the cookie is updated at the server side, all users are not required to log in again to update the cookie; and if not, acquiring the identity information in the cookie, and performing identity authentication. Wherein the performing identity authentication comprises:
Judging whether the identity information can prove the identity of the user;
and performing identity authentication according to the judgment result and a preset upgrading strategy.
According to an embodiment of the present application, the identity authentication is performed forcibly based on the identity information.
Specifically, in the embodiment of the present application, reference is made to fig. 2 for a process flow of cookie update and update policy for a user. Firstly, judging whether a current user logs in after receiving an access request, tracking the user by the logged user identity, further determining whether to upgrade cookie or update cookie according to whether the system is in an upgrading state or not, and not requiring all users to log in to verify the identity; for the user who does not log in, obtaining the cookie from the received access request and extracting detailed information in the cookie, including user identity information, and then judging whether the identity information can prove the identity of the user; and enforcing the user to perform identity authentication according to the judgment result and a preset enforcement upgrading strategy. Specifically, the judgment basis of whether the identity information carried by the cookie in the access request can prove the identity of the user is that when the server issues the cookie to the client, the userid of the user is stored in the cookie, if AES (advanced encryption standard) symmetric encryption is used, the server can decrypt the userid, the cookie uses encryption and a hash algorithm to ensure that the userid cannot be forged, so that the server trusts the userid in the cookie, if the cookie does not contain the userid information, the identity of the user is considered to be proved, and therefore the server does not need to store the relevant userid information; if userid is encrypted by MD5, because MD5 is irreversible, the server stores the userid value processed by MD5 in a user information data table of a database by using a field, when the server fetches userid from a cookie requested by a client, the userid value is compared with the corresponding value stored in the database, if the userid value is consistent with the corresponding value, the user identity can be proved, otherwise, the user identity cannot be proved.
Preferably, the performing identity authentication according to the judgment result and the predetermined upgrade policy includes: if the judgment result is yes, obtaining the upgrading state information from the cookie, and performing identity authentication according to the upgrading state and a preset upgrading strategy.
Specifically, in the embodiment of the present application, it is determined according to the website upgrade period that a user who does not complete cookie upgrade accesses the website again after the website upgrade period is finished, for example, the period set for the website upgrade cookie is 24 hours, and then an unregistered user who does not complete cookie upgrade after 24 hours accesses the website again, and when the user accesses the website again, for a scene that does not need user identity, such as browsing public data, under the condition that the identity information carried by the cookie can prove the identity of the user, whether to log in the upgrade cookie is required according to the upgrade state and the determination, instead of requiring all users to log in to verify the identity, in the scenario that the cookie does not need user identity. In addition, a settable cookie upgraded user number threshold value or a cookie unemployed user number threshold value can be specified according to manual experience, and the cookie needs to be upgraded by the user who accesses the website and meets the threshold value condition.
In this embodiment, the performing identity authentication according to the upgrade status and a predetermined upgrade policy specifically includes:
judging whether the cookie needs to be updated or not according to the preset updating strategy if the obtained updating state information indicates that the website or the server or the cookie is in updating;
if the cookie needs to be updated according to a preset updating strategy, the user is required to log in for identity authentication, and the cookie is updated;
and if the cookie does not need to be updated according to the preset updating strategy, trusting the cookie information and updating the cookie by the user identity in the cookie. Thus, after the cookie is updated by the server, if the cookie information in the request is determined to be trusted, user login is not required to verify the identity of the user, and therefore, full user login is not required to update the cookie.
In addition, if the upgrade state information is not acquired or the upgrade state information does not indicate that the website or the server or the cookie is in the upgrade process, the identity information is trusted, and the cookie is updated according to the identity information.
The upgrade status information is status information of the web server when the cookie is generated, the status information is stored in the cookie in a cookie way, and is generally protected by encryption, the server needs to decrypt the information when processing the information in the cookie of the access request, and in addition, the identity information is also generally encrypted information.
In the embodiment of the application, if the identity information carried by the cookie in the access request of the unregistered user can not prove the identity of the user, whether the cookie is upgraded or not in a website is further judged;
if the website is upgrading the cookie, issuing the upgraded cookie;
and if the website is not upgrading the cookie, requiring the user to log in for identity authentication.
The data processing method provided by the embodiment of the application is mainly realized at a server side, and meanwhile, the client side is required to support the cookie. In actual deployment, the cookie value is protected through encryption and a Hash algorithm, so that the cookie value is not easy to predict or forge by an attacker; the cookie is not easy to be hijacked by link monitoring by setting the HttpOnly attribute and the Secure attribute; the user is reliably identified according to the user identity information and the upgrading state information carried in the cookie, whether the cookie is upgraded is determined according to the upgrading strategy, all users are not required to log in or register in the cookie upgrading scene, and the user who is not required to carry the cookie can log in or register the authentication identity under the condition that the user experience is not reduced, so that the network security is guaranteed.
Corresponding to the embodiment of the data processing method provided by the application, the application also provides a data processing device.
Referring to fig. 3, a schematic diagram of a data processing apparatus provided according to the present application is shown. Since the device embodiment is basically similar to the method embodiment, the description is relatively simple, and the relevant portions only need to refer to the corresponding description of the method embodiment. The device embodiments described below are merely illustrative.
The data processing apparatus shown in fig. 3 includes:
a request processing unit 301, configured to receive a user access request;
a cookie obtaining unit 302, configured to obtain a cookie from the access request;
a login state determining unit 303, configured to determine a login state of the user based on the cookie;
and an authentication unit 304, configured to perform identity authentication on the user according to the login state and the cookie.
Optionally, the authentication unit 304 is specifically configured to: judging whether the user is a logged-on user or not; if yes, updating the cookie or updating the cookie according to the logged user identity information;
and if not, acquiring the identity information in the cookie, and performing identity authentication.
Optionally, the login status determining unit 303 is specifically configured to determine whether the user is a logged-in user according to token information carried in the access request, where the token is a login token carried by a cookie or a common parameter of the access request.
Optionally, the authentication unit 304 includes an identity determining subunit, configured to determine whether the identity information can prove the identity of the user.
Optionally, the authentication unit 304 includes an upgrade information authentication subunit based on the request, and is configured to receive a determination result of the identity determination subunit, and perform identity authentication according to the determination result and a predetermined upgrade policy, where the authentication unit includes the following processing:
if the judgment result is yes, obtaining the upgrading state information from the cookie, and performing identity authentication according to the upgrading state and a preset upgrading strategy.
Optionally, the update information authentication subunit based on the request is specifically configured to:
judging whether the cookie needs to be updated or not according to the preset updating strategy if the obtained updating state information indicates that the website or the server or the cookie is in updating;
if yes, requiring the user to log in for identity authentication and upgrading the cookie;
if not, trusting the cookie information, and updating the cookie by the user identity in the cookie.
Optionally, the update information authentication subunit based on the request is specifically configured to:
and if the upgrade state information is not acquired or the upgrade state information does not indicate that the website or the server or the cookie is in the upgrade process, trusting the identity information and updating the cookie by using the identity information.
Optionally, the upgrade status information is status information of the website server when the cookie is generated.
Optionally, the upgrade status information and/or the identity information is encrypted information.
Optionally, the authentication unit 304 includes a website upgrade status-based authentication subunit, configured to receive a determination result of the identity determination subunit, and perform identity authentication according to the determination result and a predetermined upgrade policy, and includes:
if the judgment result is negative, further judging whether the website is upgrading the cookie;
if the website is upgrading the cookie, issuing the upgraded cookie;
and if the website is not upgrading the cookie, the user is required to log in for identity authentication.
Optionally, the predetermined upgrade policy is a policy of whether to upgrade the cookie in a scenario where the user identity is not strongly required, and includes:
determining according to the website upgrading period, and after the website upgrading period is finished, accessing the website again by the user who does not finish cookie upgrading and needing cookie upgrading; alternatively, the first and second electrodes may be,
and appointing a settable cookie updated user number threshold value or a cookie non-updated user number threshold value according to manual experience, wherein the cookie needs to be updated by the user who accesses the website and meets the threshold condition.
Optionally, the data processing apparatus includes a cookie generating unit, configured to generate a cookie by the website server by:
adding salt aiming at the cookie ciphertext, and then carrying out hash;
and generating the cookie based on the hash result and the cookie ciphertext.
Optionally, the cookie ciphertext is a ciphertext formed by encrypting according to the identity information of the user on the website and the random information.
Optionally, the salt is a random value randomly generated by the system.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include forms of volatile memory in a computer readable medium, Random Access Memory (RAM) and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
1. Computer-readable media, including both non-transitory and non-transitory, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, computer readable media does not include non-transitory computer readable media (transient media), such as modulated data signals and carrier waves.
2. As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
Although the present application has been described with reference to the preferred embodiments, it is not intended to limit the present application, and those skilled in the art can make variations and modifications without departing from the spirit and scope of the present application, therefore, the scope of the present application should be determined by the claims that follow.
Claims (14)
1. A data processing method, comprising:
receiving a user access request;
obtaining a cookie from the access request;
determining a login state of the user based on the cookie;
judging whether the user is a logged-on user or not;
if yes, updating the cookie or updating the cookie according to the logged user identity information;
If not, determining that the user is a non-login user, and performing identity authentication on the user according to the cookie and a preset cookie upgrading strategy.
2. The method according to claim 1, wherein the determining the user login status comprises determining whether the user is a logged-in user according to token information carried in the access request; and the token is a login token carried by a cookie or a public parameter of the access request.
3. The method of claim 1, wherein authenticating the user according to the cookie and a predetermined cookie upgrade policy comprises:
acquiring the identity information in the cookie, and judging whether the identity information can prove the identity of the user;
and performing identity authentication according to the judgment result and the preset cookie upgrading strategy.
4. The method of claim 3, wherein the performing identity authentication according to the determination result and the predetermined cookie upgrading policy comprises:
if the judgment result is yes, obtaining the upgrading state information from the cookie, and performing identity authentication according to the upgrading state and a preset cookie upgrading strategy.
5. The method of claim 4, wherein the authenticating identity according to the upgrade status and a predetermined cookie upgrade policy comprises:
judging whether the cookie needs to be updated or not according to the preset cookie updating strategy if the updating state information is obtained and indicates that the website or the server or the cookie is in updating;
if yes, the user is required to log in for identity authentication, and the cookie is updated;
if not, trusting the cookie information, and updating the cookie according to the user identity in the cookie.
6. The method of claim 4, wherein the authenticating identity according to the upgrade status and a predetermined cookie upgrade policy comprises:
and if the upgrade state information is not acquired or the upgrade state information does not indicate that the website or the server or the cookie is in the upgrade process, trusting the identity information and updating the cookie by using the identity information.
7. The method of claim 4, wherein the upgrade status information is status information of a website server when the cookie is generated.
8. The method of claim 4, wherein the upgrade status information and/or the identity information is encrypted information.
9. The method of claim 3, wherein the performing identity authentication according to the determination result and the predetermined cookie upgrading policy comprises:
if the judgment result is negative, further judging whether the website is upgrading the cookie;
if the website is upgrading the cookie, issuing the upgraded cookie;
and if the website is not upgrading the cookie, the user is required to log in for identity authentication.
10. The method according to any one of claims 3 to 9, wherein the predetermined cookie upgrading policy is a policy of whether to upgrade cookies in a non-strong user identity scenario, and includes:
determining according to the website upgrading period, and after the website upgrading period is finished, accessing the website again by the user who does not finish cookie upgrading and needing cookie upgrading; alternatively, the first and second electrodes may be,
and appointing a settable cookie updated user number threshold value or a cookie non-updated user number threshold value according to manual experience, wherein the cookie needs to be updated by the user who accesses the website and meets the threshold condition.
11. The method of claim 1, wherein the cookie is generated by the web server by:
adding salt aiming at the cookie ciphertext, and then carrying out hash;
And generating the cookie based on the hash result and the cookie ciphertext.
12. The method of claim 11, wherein the cookie cryptogram is a cryptogram formed by encrypting according to identity information of the user on the website and random information.
13. The method of claim 11, wherein the salt is a random value randomly generated by the system.
14. A data processing apparatus, comprising:
the request processing unit is used for receiving a user access request;
a cookie obtaining unit, configured to obtain a cookie from the access request;
a login state determination unit for determining a login state of the user based on the cookie;
the authentication unit is used for judging whether the user is a logged-in user or not; if yes, updating the cookie or updating the cookie according to the logged user identity information; if not, determining that the user is a non-login user, and performing identity authentication on the user according to the cookie and a preset cookie upgrading strategy.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201810409871.7A CN110445744B (en) | 2018-05-02 | 2018-05-02 | Data processing method and device |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201810409871.7A CN110445744B (en) | 2018-05-02 | 2018-05-02 | Data processing method and device |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN110445744A CN110445744A (en) | 2019-11-12 |
| CN110445744B true CN110445744B (en) | 2022-06-28 |
Family
ID=68427632
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201810409871.7A Active CN110445744B (en) | 2018-05-02 | 2018-05-02 | Data processing method and device |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN110445744B (en) |
Families Citing this family (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN112839016B (en) * | 2019-11-25 | 2023-03-21 | 上海哔哩哔哩科技有限公司 | Session control method and device |
| CN111385313B (en) * | 2020-05-28 | 2020-09-11 | 支付宝(杭州)信息技术有限公司 | Method and system for verifying object request validity |
Citations (10)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101114294A (en) * | 2007-08-22 | 2008-01-30 | 杭州经合易智控股有限公司 | Self-help intelligent uprightness searching method |
| CN102316080A (en) * | 2010-06-30 | 2012-01-11 | 百度在线网络技术(北京)有限公司 | Function for supporting anonymous verification of central authentication service in same master domain |
| CN102932353A (en) * | 2012-11-02 | 2013-02-13 | 北京奇虎科技有限公司 | Method and device for preventing malicious attacks |
| CN103023917A (en) * | 2012-12-26 | 2013-04-03 | 百度在线网络技术(北京)有限公司 | Method, system and device for authorization aiming at intelligent household electrical appliance |
| CN103532920A (en) * | 2012-07-06 | 2014-01-22 | 腾讯科技(深圳)有限公司 | Cookie update method and cookie update system |
| CN105430012A (en) * | 2015-12-25 | 2016-03-23 | 无锡天脉聚源传媒科技有限公司 | Method and device for synchronously logging in multiple sites |
| CN105678127A (en) * | 2014-11-21 | 2016-06-15 | 阿里巴巴集团控股有限公司 | Verification method and device for identity information |
| CN106489145A (en) * | 2015-12-28 | 2017-03-08 | 华为技术有限公司 | The access method of web site, device and Web site system |
| CN106549760A (en) * | 2015-09-16 | 2017-03-29 | 阿里巴巴集团控股有限公司 | Auth method and device based on cookie |
| CN106790635A (en) * | 2017-01-06 | 2017-05-31 | 聚好看科技股份有限公司 | Cookie information management method and server |
Family Cites Families (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US9203818B1 (en) * | 2012-08-23 | 2015-12-01 | Amazon Technologies, Inc. | Adaptive timeouts for security credentials |
-
2018
- 2018-05-02 CN CN201810409871.7A patent/CN110445744B/en active Active
Patent Citations (10)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101114294A (en) * | 2007-08-22 | 2008-01-30 | 杭州经合易智控股有限公司 | Self-help intelligent uprightness searching method |
| CN102316080A (en) * | 2010-06-30 | 2012-01-11 | 百度在线网络技术(北京)有限公司 | Function for supporting anonymous verification of central authentication service in same master domain |
| CN103532920A (en) * | 2012-07-06 | 2014-01-22 | 腾讯科技(深圳)有限公司 | Cookie update method and cookie update system |
| CN102932353A (en) * | 2012-11-02 | 2013-02-13 | 北京奇虎科技有限公司 | Method and device for preventing malicious attacks |
| CN103023917A (en) * | 2012-12-26 | 2013-04-03 | 百度在线网络技术(北京)有限公司 | Method, system and device for authorization aiming at intelligent household electrical appliance |
| CN105678127A (en) * | 2014-11-21 | 2016-06-15 | 阿里巴巴集团控股有限公司 | Verification method and device for identity information |
| CN106549760A (en) * | 2015-09-16 | 2017-03-29 | 阿里巴巴集团控股有限公司 | Auth method and device based on cookie |
| CN105430012A (en) * | 2015-12-25 | 2016-03-23 | 无锡天脉聚源传媒科技有限公司 | Method and device for synchronously logging in multiple sites |
| CN106489145A (en) * | 2015-12-28 | 2017-03-08 | 华为技术有限公司 | The access method of web site, device and Web site system |
| CN106790635A (en) * | 2017-01-06 | 2017-05-31 | 聚好看科技股份有限公司 | Cookie information management method and server |
Also Published As
| Publication number | Publication date |
|---|---|
| CN110445744A (en) | 2019-11-12 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US11831642B2 (en) | Systems and methods for endpoint management | |
| EP1379045B1 (en) | Arrangement and method for protecting end user data | |
| US10778668B2 (en) | HTTP session validation module | |
| Kiljan et al. | A survey of authentication and communications security in online banking | |
| US10554406B1 (en) | Authorized data sharing using smart contracts | |
| US11200334B2 (en) | Data sharing via distributed ledgers | |
| CN112532599B (en) | Dynamic authentication method, device, electronic equipment and storage medium | |
| JP2016516250A (en) | Recoverable and recoverable dynamic device identification | |
| JP2023096089A (en) | Pseudonym event certification by group signature | |
| CN110445744B (en) | Data processing method and device | |
| EP4162647B1 (en) | Anonymous authentication with token redemption | |
| JP7389235B2 (en) | Anonymous event authentication | |
| Fett | FAPI 2.0: A high-security profile for OAuth and OpenID connect | |
| CN108737331B (en) | Cross-domain communication method and cross-domain communication system | |
| US20230275927A1 (en) | Securing web browsing on a managed user device | |
| US20230239324A1 (en) | Securing web browsing on a managed user device | |
| US20230237171A1 (en) | Securing web browsing on a managed user device | |
| US11849041B2 (en) | Secure exchange of session tokens for claims-based tokens in an extensible system | |
| Singh et al. | Loop Holes in Cookies and Their Technical Solutions for Web Developers | |
| Qiu et al. | An Empirical Study of OAuth-Based SSO System on Web | |
| CN114357397A (en) | Method and system for logging in system by user | |
| GB2590520A (en) | Data sharing via distributed ledgers | |
| Ollmann | Best Practice in Managing HTTP-Based Client Sessions | |
| CN117957813A (en) | Security management system and security management method |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| REG | Reference to a national code |
Ref country code: HK Ref legal event code: DE Ref document number: 40016262 Country of ref document: HK |
|
| GR01 | Patent grant | ||
| GR01 | Patent grant |