Cookie tampering detected: HMAC signature validation failed for session cookie
ID: security/cookie-tampering-hmac-signature
Version compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| Express.js 4.18 | active | — | — | — |
| Flask 2.3 | active | — | — | — |
| Django 4.2 | active | — | — | — |
| ASP.NET Core 7.0 | active | — | — | — |
Root cause analysis
The session cookie's HMAC signature does not match the expected signature computed from the cookie data, indicating the cookie was modified by the client or an attacker.
Official documentation
https://expressjs.com/en/resources/middleware/session.html
Solution
- Rotate the secret key and force all users to re-authenticate by clearing session stores. For Express.js: `app.use(session({ secret: 'new-secret', resave: false, saveUninitialized: true }))`
- Implement cookie integrity monitoring: log and alert on signature failures, then invalidate the session immediately. Example: in Flask, catch `BadSignature` from `itsdangerous` and redirect to login.
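The following is an added, framework-independent illustration of the root cause and of both remediation steps above; it is not code from Express.js, Flask, Django or ASP.NET Core. It uses only the Python standard library: the cookie body is signed with HMAC-SHA256, verification uses a constant-time comparison and happens before the body is parsed, a signature failure is logged (by fingerprint, not raw cookie value) and answered with a cleared cookie plus a redirect to login, and `rotate_secret` swaps the key and empties the server-side store so every user must re-authenticate. All names (`SessionManager`, `handle_request`, the `/login` path) are assumptions made for this example.

```python
"""Added example (not code from any framework on this page): HMAC-SHA256
signed session cookies with constant-time verification, tamper logging,
immediate session invalidation, and secret rotation that clears the store."""
import base64
import binascii
import hashlib
import hmac
import json
import logging
import secrets

log = logging.getLogger("session")


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_body(payload: dict) -> str:
    """Canonical, URL-safe encoding of the cookie body (the part that gets signed)."""
    return b64url_encode(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())


class SessionInvalid(Exception):
    """The cookie cannot be used to resume a session."""


class CookieTampered(SessionInvalid):
    """The cookie's HMAC tag does not match its body."""


class SessionManager:
    def __init__(self, secret: bytes):
        self._secret = secret          # current signing key
        self._store: dict = {}         # server-side state: session id -> data
        self.tamper_events: list = []  # fingerprints of rejected cookies, for alerting

    def _tag(self, body: str) -> bytes:
        return hmac.new(self._secret, body.encode("ascii"), hashlib.sha256).digest()

    def issue(self, user: str) -> str:
        """Create a server-side session and return its signed cookie value."""
        sid = secrets.token_urlsafe(16)
        self._store[sid] = {"user": user}
        body = encode_body({"sid": sid})
        return f"{body}.{b64url_encode(self._tag(body))}"

    def load(self, cookie: str) -> dict:
        """Verify the tag, then (and only then) parse the body and look up the session."""
        body, sep, tag_b64 = cookie.rpartition(".")
        try:
            presented = b64url_decode(tag_b64)
        except (binascii.Error, ValueError):
            presented = b""
        # compare_digest runs in constant time and tolerates a length mismatch.
        if not sep or not hmac.compare_digest(self._tag(body), presented):
            self._on_tamper(cookie)
        sid = json.loads(b64url_decode(body))["sid"]
        data = self._store.get(sid)
        if data is None:
            # Valid signature but no server-side state: revoked or rotated away.
            raise SessionInvalid("session no longer exists")
        return data

    def _on_tamper(self, cookie: str) -> None:
        # Log a fingerprint rather than the cookie itself. The body's claims are
        # untrusted at this point, so nothing server-side is revoked based on them.
        fp = hashlib.sha256(cookie.encode("utf-8", "replace")).hexdigest()[:16]
        log.warning("cookie tampering detected fingerprint=%s", fp)
        self.tamper_events.append(fp)
        raise CookieTampered("HMAC signature validation failed for session cookie")

    def rotate_secret(self, new_secret: bytes) -> int:
        """Install a new key and clear the store so every user must re-authenticate.
        Returns the number of sessions invalidated."""
        self._secret = new_secret
        count = len(self._store)
        self._store.clear()
        return count


def handle_request(mgr: SessionManager, cookie: str) -> dict:
    """Minimal handler: on any session failure, clear the cookie and redirect to
    login (the same shape as catching BadSignature in Flask, without the framework)."""
    try:
        session = mgr.load(cookie)
    except SessionInvalid:
        return {"status": 302, "location": "/login", "clear_cookie": True}
    return {"status": 200, "user": session["user"]}
```

Two design points matter here: the tag is checked before the body is decoded, because until it verifies nothing in the cookie is trustworthy, and a failed check does not revoke whatever session id the body claims, since that claim is exactly what an attacker controls. Rotation invalidates every outstanding cookie, which is why it must be paired with clearing the store and re-authentication rather than a silent key swap.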
Ineffective attempts
Common but ineffective approaches:
- 40% failure rate: Regenerating the secret key without invalidating existing sessions causes every current session to fail, producing a mass logout, but does not fix the root cause of the tampering.
- 50% failure rate: Disabling signature validation entirely in development to bypass the error leaves the application vulnerable in production.
- 10% failure rate: Some attempt to use a weaker hash algorithm such as MD5 to 'fix' performance, but this reduces security and may still fail if the signature format changes.