经典ASP / IIS 6.0会话cookie长度
[英]Classic ASP/IIS 6.0 session cookie length
问题描述
IIS 6.0 uses the following format for session ID cookies 
IIS 6.0对会话ID cookie使用以下格式
Set-Cookie: ASPSESSIONIDACTCRDDR=EMGFKIKAPMLMCAJPOAPNKADG; Set-Cookie:ASPSESSIONIDACTCRDDR = EMGFKIKAPMLMCAJPOAPNKADG;
where the part after ASPSESSIONID is random. 其中ASPSESSIONID之后的部分是随机的。 The random part is not very long and valid session IDs can be guessed. 随机部分不是很长,可以猜测有效的会话ID。
Is there a way to configure IIS 6 to make the cookie longer and thus more secure? 有没有一种方法可以配置IIS 6以使Cookie更长,从而更安全?
Do you know whether the format is the same for IIS 7 or higher? 您是否知道IIS 7或更高版本的格式相同?
1 个解决方案
解决方案1
0 2013-10-01 15:21:09
What exactly are you expecting to read this information? 您确切希望阅读什么信息?
If you're that concerned over the security of information traveling "over the wire", then go SSL (including the login form). 如果您担心“通过网络”传输的信息的安全性,请使用SSL(包括登录表单)。
If you're concerned about something locally reading the information, then you've got bigger problems - either something on his end is compromised, or someone injected some code into your site. 如果您担心在本地读取信息,那么您会遇到更大的问题-要么他的东西受到损害,要么有人在您的网站中注入了一些代码。
If you're concerned about random guessing, that's not a practical attack against this sort of information. 如果您担心随机猜测,那么针对此类信息并不是实际的攻击。 Usually its just easier to listen for the info over the wire or hijack the data by some other means (eg man-in-the-middle). 通常,通过电线监听信息或通过其他方法(例如中间人)劫持数据会更容易。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.