CN111343191B - Session checking method and device, storage medium and electronic device - Google Patents

Info

Publication number: CN111343191B
Authority: CN (China)
Prior art keywords: authentication information, target application, session, token, sessionid
Legal status: Active
Application number: CN202010149312.4A
Other languages: Chinese (zh)
Other versions: CN111343191A (en)
Inventors: 马亚奇, 雷学列
Current Assignee: Zhejiang Dahua Technology Co Ltd
Original Assignee: Zhejiang Dahua Technology Co Ltd
Application filed by Zhejiang Dahua Technology Co Ltd
Priority to CN202010149312.4A
Publication of CN111343191A
Application granted
Publication of CN111343191B

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security > H04L63/08 for authentication of entities
        • H04L63/0807 using tickets, e.g. Kerberos
        • H04L63/0876 based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols > H04L9/32 including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials > H04L9/321 involving a third party or a trusted authority
        • H04L9/3213 using tickets or tokens, e.g. Kerberos

Abstract

The invention provides a session verification method and device, a storage medium and an electronic device, wherein the method comprises the following steps: verifying first authentication information carried by a target application during the Nth login, wherein the first authentication information comprises first session control identification information sessionID and first token identification information tokenID, and N is a natural number greater than 1; and, under the condition that the first authentication information passes verification, returning second authentication information to the target application, wherein the second authentication information comprises second session control identification information sessionID and second token identification information tokenID, and the second authentication information is used for verifying the (N+1)th login of the target application. The invention solves the problem of Session attacks during the Session process in the related art and achieves the effect of preventing session fixation attacks.

Description

Session checking method and device, storage medium and electronic device
Technical Field
The present invention relates to the field of communications, and in particular, to a session verification method and apparatus, a storage medium, and an electronic apparatus.
Background
In the prior art, when a Session is verified, whether the Session is being used by an unauthorized user is mainly checked through a combination of client attributes: when the client Internet Protocol (IP) address or User-Agent changes, the Session information is promptly destroyed and cleared, and the client is forced to re-authenticate and log in so as to improve security. However, against session fixation attacks and CSRF attacks, this authentication process still carries certain security risks.
In view of the above technical problems, no effective solution has been proposed in the related art.
Disclosure of Invention
The embodiment of the invention provides a Session verification method and device, a storage medium and an electronic device, which are used for at least solving the problem of Session attack in a Session process in the related technology.
According to an embodiment of the present invention, there is provided a session check method including: checking first authentication information carried by a target application during the Nth login, wherein the first authentication information comprises first session control identification information sessionID and first token identification information tokenID, and N is a natural number greater than 1; returning second authentication information to the target application under the condition that the first authentication information passes verification, wherein the second authentication information comprises second session control identification information sessionID and second token identification information tokenID, and the second authentication information is used for verifying the (N+1)th login of the target application; the first authentication information and the second authentication information are both used for detecting whether a session between the target application and a target device is abnormal.
According to another embodiment of the present invention, there is provided a session check apparatus including: a first verification module, used for verifying first authentication information carried by the target application during the Nth login, wherein the first authentication information comprises first session control identification information sessionID and first token identification information tokenID, and N is a natural number greater than 1;
a first returning module, configured to return second authentication information to the target application when the first authentication information passes verification, where the second authentication information includes second session control identification information sessionID and second token identification information tokenID, and the second authentication information is used to verify the (N+1)th login of the target application;
the first authentication information and the second authentication information are both used for detecting whether a session between the target application and a target device is abnormal.
Optionally, the apparatus further comprises:
a second returning module, used for returning the first authentication information to the target application, before the first authentication information carried by the target application during the Nth login is verified, under the condition that it is determined that the target application did not carry an account and a password during the (N-1)th login.
Optionally, the first verification module includes:
a first obtaining unit, configured to obtain the first sessionID and the first tokenID from the first authentication information;
a first generating unit, configured to generate a first digest value using the first sessionID and the attribute information on the target device;
and a first comparison module, used for comparing the first digest value with the first tokenID so as to verify the first authentication information carried by the target application during the Nth login.
Optionally, the apparatus further comprises one of:
a first determining module, configured to determine that the first authentication information passes verification and that the second authentication information is returned to the target application when the first digest value is the same as the first tokenID;
a second determining module, configured to determine that the session between the target application and the target device is abnormal when the first digest value differs from the first tokenID.
Optionally, the apparatus further comprises:
a second verification module, used for verifying the second authentication information after the second authentication information has been returned to the target application under the condition that the first authentication information passes verification, wherein the second authentication information also comprises an account and a password of the target application.
Optionally, the second verification module includes:
a first obtaining unit, configured to obtain the second sessionID and the second tokenID from the second authentication information;
a second generating unit, configured to generate a second digest value using the second sessionID and the attribute information on the target device;
a second comparing unit, configured to compare the second digest value with the second tokenID so as to verify the second authentication information.
Optionally, the apparatus further comprises one of:
a second returning module, configured to determine that the second authentication information passes verification and to return the second authentication information to the target application when the second digest value is the same as the second tokenID;
a third determining module, configured to determine that the session between the target application and the target device is abnormal when the second digest value differs from the second tokenID.
According to a further embodiment of the present invention, there is also provided a storage medium having a computer program stored therein, wherein the computer program is arranged to perform the steps of any of the above method embodiments when executed.
According to yet another embodiment of the present invention, there is also provided an electronic device, including a memory in which a computer program is stored and a processor configured to execute the computer program to perform the steps in any of the above method embodiments.
According to the invention, the first authentication information carried by the target application during the Nth login is verified, wherein the first authentication information comprises the first session control identification information sessionID and the first token identification information tokenID, and N is a natural number greater than 1; under the condition that the first authentication information passes verification, second authentication information is returned to the target application, wherein the second authentication information comprises second session control identification information sessionID and second token identification information tokenID, and the second authentication information is used for verifying the (N+1)th login of the target application; the first authentication information and the second authentication information are used for detecting whether the session between the target application and the target device is abnormal. The method prevents RPC requests from being forged through validity checks and mutual checking of the Session and Token information, and prevents session fixation attacks by regenerating a Session and Token pair after authenticated login. Therefore, the problem of Session attacks during the Session process in the related art is solved, and the effect of preventing session fixation attacks is achieved.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the invention and together with the description serve to explain the invention without limiting the invention. In the drawings:
FIG. 1 is a block diagram of the hardware structure of a mobile terminal for a session check method according to an embodiment of the present invention;
FIG. 2 is a flow diagram of a session check method according to an embodiment of the invention;
FIG. 3 is a flow diagram of logging in to a device according to an embodiment of the invention;
FIG. 4 is a flow diagram of session verification according to an embodiment of the present invention;
FIG. 5 is a block diagram of the structure of a session check apparatus according to an embodiment of the present invention.
Detailed Description
The invention will be described in detail hereinafter with reference to the accompanying drawings in conjunction with embodiments. It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict.
It should be noted that the terms "first," "second," and the like in the description and claims of the present invention and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order.
The method provided by the first embodiment of the present application may be executed in a mobile terminal, a computer terminal, or a similar computing device. Taking the example of running on a mobile terminal, fig. 1 is a hardware structure block diagram of the mobile terminal of a session verification method according to an embodiment of the present invention. As shown in fig. 1, the mobile terminal 10 may include one or more (only one shown in fig. 1) processors 102 (the processor 102 may include, but is not limited to, a processing device such as a microprocessor MCU or a programmable logic device FPGA) and a memory 104 for storing data, and optionally may also include a transmission device 106 for communication functions and an input-output device 108. It will be understood by those skilled in the art that the structure shown in fig. 1 is only an illustration, and does not limit the structure of the mobile terminal. For example, the mobile terminal 10 may also include more or fewer components than shown in FIG. 1, or have a different configuration than shown in FIG. 1.
The memory 104 may be used to store a computer program, for example, a software program and a module of an application software, such as a computer program corresponding to the session check method in the embodiment of the present invention, and the processor 102 executes various functional applications and data processing by running the computer program stored in the memory 104, so as to implement the method described above. The memory 104 may include high speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some instances, the memory 104 may further include memory located remotely from the processor 102, which may be connected to the mobile terminal 10 via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission device 106 is used for receiving or transmitting data via a network. Specific examples of the network described above may include a wireless network provided by a communication provider of the mobile terminal 10. In one example, the transmission device 106 includes a Network adapter (NIC), which can be connected to other Network devices through a base station so as to communicate with the internet. In one example, the transmission device 106 may be a Radio Frequency (RF) module, which is used for communicating with the internet in a wireless manner.
In this embodiment, a session check method is provided, and fig. 2 is a flowchart of the session check method according to the embodiment of the present invention, as shown in fig. 2, the flowchart includes the following steps:
step S202, checking first authentication information carried by the target application during the Nth login, wherein the first authentication information comprises first session control identification information sessionID and first token identification information tokenID, and N is a natural number greater than 1;
Optionally, the present embodiment includes, but is not limited to, application to the scenario of identifying SessionID attacks against a Web application system. The target application includes, but is not limited to, a browser. For example, when a client such as a browser authenticates and logs in to a target device, the authentication and login system of the target device generates SessionID information and Token information, stores them in the Cookie and in the request message respectively, and the target device verifies the SessionID and the Token.
Alternatively, the target device includes, but is not limited to, a Digital Video Recorder (DVR for short), a Network Video Recorder (NVR for short).
Optionally, in this embodiment, the first authentication information further includes an account and a password of the target application.
By the method, session fixation attacks and CSRF attacks can be prevented, forged service requests can be rejected, and Session attacks prevented in general, so that system security is improved.
Step S204, returning second authentication information to the target application under the condition that the first authentication information passes verification, wherein the second authentication information comprises second session control identification information sessionID and second token identification information tokenID, and the second authentication information is used for verifying the (N+1)th login of the target application;
the first authentication information and the second authentication information are used for detecting whether a session between the target application and the target device is abnormal or not.
Optionally, in this embodiment, the second authentication information further includes an account and a password of the target application.
Optionally, the second authentication information is updated first authentication information, and the first authentication information and the second authentication information are not the same.
Optionally, the execution subject of the above steps may be a terminal, etc., but is not limited thereto.
Through the above steps, the first authentication information carried by the target application during the Nth login is verified, wherein the first authentication information comprises the first session control identification information sessionID and the first token identification information tokenID, and N is a natural number greater than 1; under the condition that the first authentication information passes verification, second authentication information is returned to the target application, wherein the second authentication information comprises second session control identification information sessionID and second token identification information tokenID, and the second authentication information is used for verifying the (N+1)th login of the target application; the first authentication information and the second authentication information are used for detecting whether the session between the target application and the target device is abnormal. The method prevents RPC requests from being forged through validity checks and mutual checking of the Session and Token information, and prevents session fixation attacks by regenerating a Session and Token pair after authenticated login. Therefore, the problem of Session attacks during the Session process in the related art is solved, and the effect of preventing session fixation attacks is achieved.
In an optional embodiment, before checking the first authentication information carried by the target application at the Nth login, the method further includes:
S1, under the condition that it is determined that the target application did not carry an account and a password during the (N-1)th login, returning the first authentication information to the target application.
Optionally, in this embodiment, the (N-1)th login includes, but is not limited to, the first login to the target device, which does not require an account and a password.
Optionally, for example, as shown in FIG. 3, the following steps are included:
S301: a client such as a browser authenticates and logs in to the DVR/NVR device; on the first login the client does not need to use an account and a password;
S302: the device responds to the browser's first login by sending a Cookie containing temporary Token information and a message body containing temporary Session and Token information, which are stored respectively in the browser message body and in the Cookie data kept on the user's local terminal;
S303: on the client's second login, the client authenticates with the account and password and at the same time carries the Session and Token information; the device checks the validity of the Session and Token; the device checks the account and password authentication information; if device authentication fails, go to S307; if device authentication passes, go to S304;
S304: the device's response to the second login: it updates the Session and Token pair, sends a Cookie containing the Token information and a message body containing the Session and Token information; the device generates a new SessionID + TokenID pair after successful authentication so as to prevent session fixation attacks;
S305: the client sends a service request carrying the Session and Token information; the device checks the validity of the Session and Token information and goes to S307 if device authentication fails; if device authentication passes, go to S306;
S306: device service response;
S307: end.
Through the embodiment, the fixed Session attack can be effectively prevented through the authentication of the Session and Token information. The equipment can verify the authentication information of the sessionID and the tokenID requested each time, and prevent counterfeiting and tampering of the authentication information.
In an optional embodiment, verifying the first authentication information carried by the target application during the Nth login includes:
S1, obtaining a first sessionID and a first tokenID from the first authentication information;
S2, generating a first digest value using the first sessionID and the attribute information on the target device;
S3, comparing the first digest value with the first tokenID to verify the first authentication information carried by the target application during the Nth login.
Optionally, in this embodiment, for example as shown in FIG. 4, the method includes the following steps:
S401: the device obtains the first sessionID and first tokenID authentication information from the client request data;
S402: the device combines the first sessionID with information such as the device fingerprint on the device to generate a first digest value;
S403: the device compares the generated digest value with the tokenID in the client request; if the comparison fails, go to S405; if the comparison succeeds, go to S404;
S404: device service response;
S405: end.
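As an added example (not code from the patent or from its assignee), the following Python sketch models the device side of the login flow in FIG. 3 and the digest check of FIG. 4: a temporary Session/Token pair on the first login, verification of the pair plus account and password on the second login, regeneration of the pair after successful authentication, and the digest comparison of S401 to S403 on every service request. The device fingerprint value, the keying of the digest with a device secret (HMAC-SHA256), and the rule that a temporary, unauthenticated session may not call services are assumptions; the page only says the digest is generated from the sessionID and attribute information on the device.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample values. A real device would take these from its own
# configuration (the page's "attribute information on the target device").
DEVICE_FINGERPRINT = b"DVR-serial-000000/hw-rev-1"   # constructed, hypothetical
DEVICE_SECRET = secrets.token_bytes(32)              # assumption: keyed digest


@dataclass
class Device:
    """Device-side state for the Session/Token check (the DVR/NVR in the page)."""
    fingerprint: bytes
    secret: bytes
    accounts: dict                                  # account -> password
    sessions: dict = field(default_factory=dict)    # sessionID -> account or None

    def _digest(self, session_id: str) -> str:
        # Digest value over sessionID + device attribute information (S402).
        # Using HMAC with a device secret is an assumption: an unkeyed hash over a
        # guessable fingerprint could be recomputed by anyone holding the sessionID.
        msg = session_id.encode() + b"|" + self.fingerprint
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def _new_pair(self, account: Optional[str]) -> dict:
        session_id = secrets.token_hex(16)
        self.sessions[session_id] = account
        # In the page the Token travels in the Cookie and the Session in the
        # message body (S302/S304); here both are simply returned together.
        return {"sessionID": session_id, "tokenID": self._digest(session_id)}

    def _check_pair(self, session_id: str, token_id: str) -> bool:
        # S401-S403: recompute the digest and compare it with the carried tokenID.
        if session_id not in self.sessions:
            return False
        expected = self._digest(session_id).encode()
        return hmac.compare_digest(expected, token_id.encode())

    def first_login(self) -> dict:
        # S301/S302: no account or password; hand out a temporary pair.
        return self._new_pair(None)

    def second_login(self, session_id: str, token_id: str,
                     account: str, password: str) -> Optional[dict]:
        # S303: validate Session/Token first, then the account and password.
        if not self._check_pair(session_id, token_id):
            return None                                   # S307: session abnormal
        stored = self.accounts.get(account)
        if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
            return None
        # S304: regenerate the pair and drop the pre-login one, so a sessionID
        # planted before authentication never becomes an authenticated session.
        del self.sessions[session_id]
        return self._new_pair(account)

    def service_request(self, session_id: str, token_id: str) -> Optional[str]:
        # S305/S306: every service request carries and is checked against the pair.
        if not self._check_pair(session_id, token_id):
            return None
        account = self.sessions[session_id]
        if account is None:
            return None   # assumption: temporary sessions may not use services
        return f"service response for {account}"


def run_flow() -> dict:
    """Walk through FIG. 3 and FIG. 4 and collect the outcome of each step."""
    dev = Device(DEVICE_FINGERPRINT, DEVICE_SECRET, {"admin": "correct horse"})
    temp = dev.first_login()
    out = {"temp": temp}
    out["temp_service"] = dev.service_request(temp["sessionID"], temp["tokenID"])
    out["tampered_login"] = dev.second_login(temp["sessionID"], "0" * 64,
                                             "admin", "correct horse")
    out["wrong_password"] = dev.second_login(temp["sessionID"], temp["tokenID"],
                                             "admin", "guess")
    final = dev.second_login(temp["sessionID"], temp["tokenID"], "admin", "correct horse")
    out["final"] = final
    # Replaying the pre-authentication pair after regeneration must be rejected.
    out["fixated_service"] = dev.service_request(temp["sessionID"], temp["tokenID"])
    out["ok_service"] = dev.service_request(final["sessionID"], final["tokenID"])
    return out


if __name__ == "__main__":
    for step, result in run_flow().items():
        print(step, "->", result)
```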
In an optional embodiment, the method further comprises one of:
S1, under the condition that the first digest value is the same as the first tokenID, determining that the first authentication information passes verification and returning the second authentication information to the target application;
S2, determining that the session between the target application and the target device is abnormal when the first digest value differs from the first tokenID.
Optionally, in this embodiment, when an exception occurs, processing of the session data is ended.
In an optional embodiment, in the case that the first authentication information passes verification, after returning the second authentication information to the target application, the method further includes:
S1, verifying the second authentication information, wherein the second authentication information further comprises an account and a password of the target application.
Optionally, in this embodiment, verification of the second authentication information prevents RPC requests from being forged.
In an optional embodiment, verifying the second authentication information includes:
S1, obtaining a second sessionID and a second tokenID from the second authentication information;
S2, generating a second digest value using the second sessionID and the attribute information on the target device;
S3, comparing the second digest value with the second tokenID to verify the second authentication information.
Optionally, in this embodiment, the second digest value is generated in the same manner as the first digest value.
In an optional embodiment, the method further comprises one of:
S1, under the condition that the second digest value is the same as the second tokenID, determining that the second authentication information passes verification and returning the second authentication information to the target application;
S2, determining that the session between the target application and the target device is abnormal when the second digest value differs from the second tokenID.
In conclusion, the device prevents CSRF attacks and forgery or tampering of service requests through combined use and verification of Session and Token; the device prevents session fixation attacks by regenerating a Session and Token pair after authenticated login.
Through the above description of the embodiments, those skilled in the art can clearly understand that the method according to the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but the former is a better implementation mode in many cases. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which is stored in a storage medium (e.g., ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal device (e.g., a mobile phone, a computer, a server, or a network device) to execute the method according to the embodiments of the present invention.
In this embodiment, a session checking apparatus is further provided, and the apparatus is used to implement the foregoing embodiments and preferred embodiments, and the description already made is omitted. As used below, the term "module" may be a combination of software and/or hardware that implements a predetermined function. Although the means described in the embodiments below are preferably implemented in software, an implementation in hardware, or a combination of software and hardware is also possible and contemplated.
Fig. 5 is a block diagram of a structure of a session check apparatus according to an embodiment of the present invention, and as shown in fig. 5, the apparatus includes:
a first checking module 52, configured to check first authentication information carried by the target application during the nth login, where the first authentication information includes first session control identification information sessionID and first token identification information tokenID, and N is a natural number greater than 1;
a first returning module 54, configured to return second authentication information to the target application when the first authentication information passes verification, where the second authentication information includes second session control identification information sessionID and second token identification information tokenID, and the second authentication information is used to verify that the target application is logged in for the (N + 1) th time;
the first authentication information and the second authentication information are both used for detecting whether a session between the target application and a target device is abnormal.
Optionally, the apparatus further comprises:
and the second returning module is used for returning the first authentication information to the target application under the condition that the target application is determined not to carry an account and a password during the N-1 login before the first authentication information carried by the target application during the Nth login is verified.
Optionally, the first checking module includes:
a first acquisition unit configured to acquire the first sessionID and the first token id from the first authentication information;
a first generating unit, configured to generate a first digest value using the first sessionID and the attribute information on the target device;
and the first comparison module is used for comparing the first abstract value with the first token ID so as to verify first authentication information carried by the target application during the Nth login.
Optionally, the apparatus further comprises one of:
a first determining module, configured to determine that the second authentication information is returned to the target application by checking the first authentication information when the first digest value is the same as the first token id;
a second determining module, configured to determine that a session between the target application and the target device is abnormal when the first digest value is different from the first token id.
Optionally, the apparatus further comprises:
and a second verification module, configured to verify the second authentication information after the second authentication information has been returned to the target application upon the first authentication information passing verification, wherein the second authentication information further includes an account and a password of the target application.
Optionally, the second check module includes:
a first obtaining unit, configured to obtain the second sessionID and the second tokenID from the second authentication information;
a second generating unit, configured to generate a second digest value using the second sessionID and the attribute information on the target device;
a second comparing unit, configured to compare the second digest value with the second tokenID so as to verify the second authentication information.
Optionally, the apparatus further comprises one of:
a second returning module, configured to determine that the second authentication information passes verification and to return the second authentication information to the target application when the second digest value is the same as the second tokenID;
a third determining module, configured to determine that the session between the target application and the target device is abnormal when the second digest value is different from the second tokenID.
It should be noted that the above modules may be implemented by software or hardware; in the latter case they may be implemented, without limitation, as follows: the modules are all located in the same processor, or the modules are located in different processors in any combination.
An embodiment of the present invention further provides a storage medium having a computer program stored therein, wherein the computer program is configured to perform the steps in any of the method embodiments described above when executed.
Alternatively, in the present embodiment, the storage medium may be configured to store a computer program for executing the steps of:
S1, verifying first authentication information carried by the target application at the Nth login, wherein the first authentication information includes first session control identification information sessionID and first token identification information tokenID, and N is a natural number greater than 1;
S2, returning second authentication information to the target application when the first authentication information passes verification, wherein the second authentication information includes second session control identification information sessionID and second token identification information tokenID, and the second authentication information is used to verify the (N+1)th login of the target application.
Optionally, in this embodiment, the storage medium may include, but is not limited to, various media capable of storing a computer program, such as a USB disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic disk, or an optical disk.
Embodiments of the present invention also provide an electronic device comprising a memory having a computer program stored therein and a processor arranged to run the computer program to perform the steps of any of the above method embodiments.
Optionally, the electronic device may further include a transmission device and an input/output device, both connected to the processor.
Optionally, in this embodiment, the processor may be configured to execute the following steps by a computer program:
S1, verifying first authentication information carried by the target application at the Nth login, wherein the first authentication information includes first session control identification information sessionID and first token identification information tokenID, and N is a natural number greater than 1;
S2, returning second authentication information to the target application when the first authentication information passes verification, wherein the second authentication information includes second session control identification information sessionID and second token identification information tokenID, and the second authentication information is used to verify the (N+1)th login of the target application.
Optionally, for specific examples in this embodiment, reference may be made to the examples described in the above embodiments and optional implementations, which are not repeated here.
It will be apparent to those skilled in the art that the modules or steps of the present invention described above may be implemented by a general-purpose computing device; they may be centralized on a single computing device or distributed across a network of multiple computing devices. Alternatively, they may be implemented as program code executable by a computing device, so that they may be stored in a storage device and executed by a computing device; in some cases the steps shown or described may be performed in an order different from that described herein, or they may be fabricated as separate integrated circuit modules, or several of them may be fabricated as a single integrated circuit module. Thus, the present invention is not limited to any specific combination of hardware and software.
The above description is only a preferred embodiment of the present invention and is not intended to limit the present invention, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, or improvement made within the principle of the present invention should be included in the protection scope of the present invention.

Claims (10)

1. A session check method, comprising:
checking first authentication information carried by a target application during the Nth login, wherein the first authentication information comprises first session control identification information sessionID and first token identification information tokenID, and N is a natural number greater than 1;
returning second authentication information to the target application under the condition that the first authentication information passes verification, wherein the second authentication information comprises second session control identification information sessionID and second token identification information tokenID, and the second authentication information is used for verifying the login of the target application for the (N + 1) th time;
the first authentication information and the second authentication information are both used for detecting whether a session between the target application and the target device is abnormal or not.
2. The method of claim 1, wherein before checking the first authentication information carried by the target application at the Nth login, the method further comprises:
returning the first authentication information to the target application when it is determined that the target application did not carry an account and a password at the (N-1)th login.
3. The method of claim 1, wherein verifying the first authentication information carried by the target application at the Nth login comprises:
acquiring the first sessionID and the first tokenID from the first authentication information;
generating a first digest value using the first sessionID and attribute information on the target device;
and comparing the first digest value with the first tokenID to verify the first authentication information carried by the target application at the Nth login.
4. The method of claim 3, further comprising one of:
determining that the first authentication information passes verification and returning the second authentication information to the target application when the first digest value is the same as the first tokenID;
and determining that the session between the target application and the target device is abnormal when the first digest value is different from the first tokenID.
5. The method of claim 1, wherein after returning the second authentication information to the target application when the first authentication information passes verification, the method further comprises:
and verifying the second authentication information, wherein the second authentication information further comprises an account and a password of the target application.
6. The method of claim 1, wherein verifying the second authentication information comprises:
acquiring the second sessionID and the second tokenID from the second authentication information;
generating a second digest value using the second sessionID and attribute information on the target device;
and comparing the second digest value with the second tokenID to verify the second authentication information.
7. The method of claim 6, further comprising one of:
determining that the second authentication information passes verification and returning the second authentication information to the target application when the second digest value is the same as the second tokenID;
and determining that the session between the target application and the target device is abnormal when the second digest value is different from the second tokenID.
8. A session check device, comprising:
a first verification module, configured to verify first authentication information carried by the target application at the Nth login, wherein the first authentication information includes first session control identification information sessionID and first token identification information tokenID, and N is a natural number greater than 1;
a first returning module, configured to return second authentication information to the target application when the first authentication information passes verification, wherein the second authentication information includes second session control identification information sessionID and second token identification information tokenID, and the second authentication information is used to verify the (N+1)th login of the target application;
the first authentication information and the second authentication information are both used for detecting whether a session between the target application and the target device is abnormal or not.
9. A storage medium, in which a computer program is stored, wherein the computer program is arranged to perform the method of any of claims 1 to 7 when executed.
10. An electronic device comprising a memory and a processor, wherein the memory has stored therein a computer program, and wherein the processor is arranged to execute the computer program to perform the method of any of claims 1 to 7.
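The check described in claims 1 to 7 (tokenID as a digest over sessionID and device attribute information, a fresh pair issued for login N+1 on success, a mismatch flagged as an abnormal session), written out as an added example that is not part of the patent. It assumes a keyed digest (HMAC-SHA256 with a device-local secret) where the patent only says "digest", and adds one-time use of each issued sessionID, which the patent does not specify.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass(frozen=True)
class AuthInfo:
    """sessionID plus tokenID, as returned to the target application."""
    session_id: str
    token_id: str


class SessionChecker:
    """Device-side check of the sessionID/tokenID pair carried at each login.

    tokenID is a keyed digest over sessionID and the device attribute
    information (HMAC-SHA256 is an assumption; the patent only says "digest"),
    so a pair issued by this device is recognised without storing tokenIDs.
    """

    def __init__(self, device_attrs: str, device_key: bytes) -> None:
        self.device_attrs = device_attrs      # attribute information on the target device
        self.device_key = device_key          # device-local secret (assumption)
        self.active: Set[str] = set()         # issued, not yet used sessionIDs (added hardening)
        self.abnormal: List[str] = []         # sessionIDs that failed the check

    def _digest(self, session_id: str) -> str:
        msg = f"{session_id}|{self.device_attrs}".encode()
        return hmac.new(self.device_key, msg, hashlib.sha256).hexdigest()

    def issue(self) -> AuthInfo:
        """Return fresh authentication information for the next login."""
        session_id = secrets.token_hex(16)
        self.active.add(session_id)
        return AuthInfo(session_id, self._digest(session_id))

    def check_login(self, presented: AuthInfo) -> Optional[AuthInfo]:
        """Verify the pair carried at the Nth login.

        Returns the pair for login N+1 on success, or None when the session
        between the application and the device is abnormal.
        """
        expected = self._digest(presented.session_id)
        if not hmac.compare_digest(expected, presented.token_id):
            self.abnormal.append(presented.session_id)   # digest differs from tokenID
            return None
        if presented.session_id not in self.active:
            self.abnormal.append(presented.session_id)   # correct digest, but pair already used
            return None
        self.active.discard(presented.session_id)        # each issued pair is accepted once
        return self.issue()
```

The digest alone only proves the pair was produced by this device; the active set is what rejects an old pair presented a second time after the device has already rotated it.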

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010149312.4A CN111343191B (en) 2020-03-03 2020-03-03 Session checking method and device, storage medium and electronic device

Publications (2)

Publication Number Publication Date
CN111343191A CN111343191A (en) 2020-06-26
CN111343191B true CN111343191B (en) 2022-08-16

Family

ID=71184265

Country Status (1)

Country Link
CN (1) CN111343191B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106453352A (en) * 2016-10-25 2017-02-22 电子科技大学 Single-system multi-platform authentication method
CN107634967A (en) * 2017-10-19 2018-01-26 南京大学 A CSRF token defense system and method against CSRF attacks
CN109379338A (en) * 2018-09-19 2019-02-22 杭州安恒信息技术股份有限公司 A method for identifying SessionID attacks on Web application systems
CN110177120A (en) * 2019-06-14 2019-08-27 北京首都在线科技股份有限公司 A single sign-on method, apparatus and computer-readable storage medium
CN110232265A (en) * 2019-06-21 2019-09-13 杭州安恒信息技术股份有限公司 Dual-identity authentication method, apparatus and system

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102480490B (en) * 2010-11-30 2014-09-24 国际商业机器公司 Method for preventing CSRF attack and equipment thereof
CN103067385B (en) * 2012-12-27 2015-09-09 深圳市深信服电子科技有限公司 Method for defending against hijack attacks, and firewall
US10454672B2 (en) * 2017-05-25 2019-10-22 Facebook, Inc. Systems and methods for preventing session fixation over a domain portal

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant