Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
徳丸本輪読会
Search
mcz9mm
August 06, 2017
0
67
徳丸本輪読会
第三回
mcz9mm
August 06, 2017
Tweet
Share
More Decks by mcz9mm
See All by mcz9mm
SwiftUI-List-Pagination
mcz9mm
2
1.9k
ARKit2.0でAppleが伝えたいアプリ体験を考える
mcz9mm
2
880
ゆるく学ぶARKit
mcz9mm
3
1.3k
What’s TCP/UDP?
mcz9mm
0
79
NATサーバーの必要性
mcz9mm
0
79
What’s New in ARKit2.0
mcz9mm
0
71
徳丸本 ログインフォーム
mcz9mm
0
87
arkit+animoji
mcz9mm
0
63
徳丸本8
mcz9mm
0
110
Featured
See All Featured
Code Review Best Practice
trishagee
54
15k
Automating Front-end Workflow
addyosmani
1355
200k
Why Our Code Smells
bkeepers
PRO
331
56k
Navigating Team Friction
lara
177
13k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
15
1.4k
Debugging Ruby Performance
tmm1
70
11k
What’s in a name? Adding method to the madness
productmarketing
PRO
15
2.6k
Fashionably flexible responsive web design (full day workshop)
malarkey
397
65k
Designing for humans not robots
tammielis
247
25k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
186
16k
Building Better People: How to give real-time feedback that sticks.
wjessup
354
18k
How GitHub Uses GitHub to Build GitHub
holman
468
290k
Transcript
ಙؙձୈ̏ճ ຢདྷ ܆
Cookieग़ྗʹ·ͭΘΔ੬ऑੑ • େ͖͚͘Δͱ̎छྨͷ੬ऑੑ • CookieΛར༻͖͢Ͱͳ͍తͰ͍ͬͯΔ • Cookieͷग़ྗํ๏ʹ͕͋Δ IDΛอଘͩͧ σʔλͦͷͷΛอଘ͢Δͳ
ग़ྗ࣌ʹൃੜ͍͢͠੬ऑੑ • HTTPϔομɾΠϯδΣΫγϣϯ੬ऑੑ • CookieͷηΩϡΞଐੑෆඋ
ෆదͳར༻ • WEBϖʔδͰϖʔδΛ·͕ͨΔใΛอଘ͢Δํ๏ͱͯ͠ ɺηογϣϯཧػߏΛ༻͍ΒΕΔɻ͜ͷػߏͰηογϣ ϯIDͷΈΛCookieʹอଘ͠ɺσʔλࣗମwebαʔόͷϝϞ ϦϑΝΠϧɺDBͳͲʹอଘ͢Δɻ • ηογϣϯม֎෦͔Βॻ͖͑ΒΕͳ͍͕ɺCookieར ༻ऀ͔Βมߋ͕Ͱ͖ͯ͠·͏
CookieʹσʔλΛอଘ͠ͳ͍ํ͕ྑ͍ʂ • CookieͰ࣮ݱͰ͖ͯηογϣϯมͰ࣮ݱͰ͖ͳ͍͜ͱɺ ʮใͷण໋ͷ੍ޚʯͱʮҟͳΔαʔόʔͷใڞ༗ʯ • ͜ͷ̎Ҏ֎ηογϣϯมΛར༻͠Α͏ • CookieΛར༻͖͢λΠϛϯάɿ ɹɹɹɹɾϩάΠϯใΛอ࣋͢Δ ɹɹɹɹ
CookieͷηΩϡΞଐੑෆඋ Secureଐੑͱʁ http ͱ https ͱ֤௨৴Ͱ૬ޓͷߦ͖དྷ͕͋Δ߹ͳͲʹ https ͷ௨৴ͰͷΈ͏͖Cookieͷ͕ http ͷ௨৴ʹྲྀग़͢Δ͓ͦΕ͕͋Δɻ
ͦΕΛ͙ҝʹ Cookie ʹ secure ଐੑΛ͚ͯ https ௨৴ͰͷΈѻ͑ΔΑ͏ʹ͢Δͱ͍͏ରࡦ͕͋Δ
߈ܸख๏ ࣍ͷखॱͰฏจͷΫοΩʔ͕ωοτϫʔΫ্ʹྲྀΕΔɻ ·ͣɺHTTPSͰ͔ͭSecureଐੑͷ͔ͭͳ͍ΫοΩʔΛൃߦ͢ΔϖʔδΛӾཡ͠ɺϒϥβʔʹΫοΩʔ Ληοτ͢Δɻྫͱͯ͠URL https://www.example.jp/set_non_secure_cookie.php ͱ͢Δɻ ࣍ʹ᠘ϖʔδΛӾཡ͢Δɻ᠘ϖʔδʹԼهͷΑ͏ͳݟ͑ͳ͍imgλάʢ෯ͱߴ͕͞0ʣؚ͕·Ε͍ͯ Δɻ <img src="http://www.example.jp:443/trap/
width="0" height="0" /> URLͰࢦఆ͞Εͨϙʔτ൪߸443HTTPSͷσϑΥϧτϙʔτ͕ͩɺεΩʔϜ͕ʮhttp:ʯͱࢦఆ͞Ε͍ͯ ΔͷͰ͜ͷϦΫΤετ҉߸Խ͞Εͣʹૹ৴͞ΕΔɻϒϥβʹΫοΩʔΛૹ৴ͤ͞Δͷ͕తͳͷͰɺ URLͷը૾ͳͯ͘߈ཱܸ͢Δɻ ߈ܸऀ͕͜ͷ҉߸Խ͞Ε͍ͯͳ͍ΫοΩʔΛ౪ௌͰ͖Δ߹ɺηογϣϯϋΠδϟοΫʹѱ༻Ͱ͖Δɻ
ݪҼ ͷݪҼ୯ʹSecureଐੑΛ͚͍ͯͳ͍ͱ͍͏͚ͩͷ͜ ͱ͕ͩɺSecureଐੑΛ͚ͳ͍ओͳݪҼҎԼͷ2छྨ͕͋Δ ͱࢥΘΕΔɻ • ։ൃऀ͕Secureଐੑʹ͍ͭͯΒͳ͍ɻ • SecureଐੑΛ͚ΔͱΞϓϦέʔγϣϯ͕ಈ͔ͳ͘ͳΔɻ
ରࡦ ηογϣϯIDͷΫοΩʔʹSecureଐੑΛ͚Δ ΫοΩʔͷSecureଐੑෆඋͷରࡦΫοΩʔʹSecureଐੑΛ͚Δ͜ͱͰ ͋Δɻ PHPͰphp.iniʹҎԼͷઃఆΛ͢Δɻ session.cookie_secure = On Aapache Tomcatͷ߹ɺHTTPSଓ͞ΕͨϦΫΤετʹରͯ͠ɺηογϣ
ϯIDͷΫοΩʔʹࣗಈతʹSecureଐੑ͕ઃఆ͞ΕΔɻ
τʔΫϯΛར༻ͨ͠ରࡦ ηογϣϯIDΛอ࣋͢ΔΫοΩʔʹSecureଐੑ͕͚ΒΕͳ ͍߹ɺτʔΫϯΛར༻ͯ͠ηογϣϯϋΠδϟοΫΛࢭ͢ Δɻ τʔΫϯΛอ࣋͢ΔΫοΩʔʹSecureଐੑΛ͚Δ͜ͱʹ ΑͬͯɺHTTPϖʔδͱHTTPSϖʔδͰηογϣϯΛڞ༗ͭ͠ ͭɺԾʹηογϣϯIDΛ౪ௌ͞Εͨ߹ͰHTTPSϖʔδ ηογϣϯϋΠδϟοΫΛࢭͰ͖Δɻ
τʔΫϯ͕ͳͥྑ͍ͷ͔ʁ • τʔΫϯೝূޭ࣌ʹҰ͚ͩαʔόʔ͔Βग़ྗ͞ΕΔ • τʔΫϯHTTPSͷϖʔδͰੜ͞ΕΔ • τʔΫϯ࣮֬ʹ҉߸Խ͞Εͯϒϥβ͔Βૹ৴͞ΕΔ • HTTPSͷϖʔδΛӾཡ͢ΔʹτʔΫϯ͕ඞਢ͔ͩΒ αʔόʔͱϒϥβͷํͰ࣮֬ʹ҉߸Խ͞Εɺୈࡾऀ͕֬
࣮ʹΓಘͳ͍τʔΫϯ͕ඞཁʹͳΔ͔Βɺ҆શੑ͕֬อ͞ Ε͍ͯΔ
·ͱΊ • ݪଇͱͯ͠ηογϣϯIDͷΈʹ༻͍Δ͜ͱ • HTTPS௨৴Λ༻͍ΔΞϓϦέʔγϣϯͷCookieʹηΩϡ ΞଐੑΛ͚ͭΔ
END