I am creating a website in Tomcat 7 using servlets. I plan on using cookies to keep track of user sessions. I have set the cookies to expire within 10 minutes.
My question is: if a hacker was able to steal the cookie from a user before it expired, can the hacker change the expiration date on the cookie and use the cookie at a later time to steal the user's session? I just wanted to see if this was possible, as I'm trying to secure my site.
Answer 0: (score: 0)
If after 10 minutes this cookie is removed from your server storage (and your authentication logic is based on comparing the cookie's value from your storage and from the browser), then it's not possible to steal the session.
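As an added illustration of the answer's point (not code from the question or its answerer), here is a hypothetical Tomcat 7 / Servlet 3.0 filter that validates the cookie only against a server-side table with its own expiry, so whatever expiration an attacker sets on a stolen copy is irrelevant; the cookie name `SID`, the table and the helper names are assumptions.

```java
import java.io.IOException;
import java.math.BigInteger;
import java.security.SecureRandom;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.*;
import javax.servlet.http.*;
// Hypothetical filter, not code from the question: a request passes only if its "SID" cookie
// value is in the server-side table and the server-recorded expiry has not passed. The browser
// never sends Max-Age/Expires back, so editing them on a stolen cookie changes nothing here.
public class SessionFilter implements Filter {
    private static final long TTL_MILLIS = 10 * 60 * 1000L; // 10 minutes, as in the question
    private static final ConcurrentHashMap<String, Long> SESSIONS = new ConcurrentHashMap<String, Long>();
    private static final SecureRandom RNG = new SecureRandom();
    // Called by the login servlet after credentials check out; returns the opaque token.
    public static String createSession(HttpServletResponse resp) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);                                   // 256 random bits, unguessable
        String token = new BigInteger(1, raw).toString(16);
        SESSIONS.put(token, System.currentTimeMillis() + TTL_MILLIS); // server-side expiry
        Cookie c = new Cookie("SID", token);
        c.setHttpOnly(true);  // not readable by page scripts (Servlet 3.0 / Tomcat 7)
        c.setSecure(true);    // sent over HTTPS only
        c.setMaxAge(600);     // browser-side hint; the server does not rely on it
        resp.addCookie(c);
        return token;
    }
    // True only if the token is known and unexpired on the server; expired entries are purged.
    public static boolean isValid(String token, long now) {
        if (token == null) return false;
        Long expiresAt = SESSIONS.get(token);
        if (expiresAt == null) return false;
        if (now > expiresAt) { SESSIONS.remove(token); return false; }
        return true;
    }
    @Override public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        String token = null;
        Cookie[] cookies = ((HttpServletRequest) req).getCookies(); // null when none were sent
        if (cookies != null) for (Cookie c : cookies) if ("SID".equals(c.getName())) token = c.getValue();
        if (!isValid(token, System.currentTimeMillis())) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        chain.doFilter(req, res);
    }
    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}
}
```

Register it with `@WebFilter("/*")` or a `filter-mapping` in web.xml; the container's own HttpSession (JSESSIONID with `session-timeout` in web.xml) enforces expiry server-side in the same way.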