

Is using session state an unsafe way to create user logins and roles in asp.net

Consider the setup where a list of ids and passwords is stored in a database on a server, and when a user enters his login credentials the code-behind verifies it against the server and sets values like Session["id"] and Session["login"] to determine whether the user has access to certain pages.

When a user attempts to browse to a page, the page looks at the session variables, then relocates the user if need be and adjusts the buttons on its page accordingly.

How secure is this setup?

The built-in login and role functionality of asp.net seems too rigid, so I was trying to explore other options.

The Session State is a safe way to keep track of user log-ins. Assuming the default set-up (in process, cookie-based session), it will be just as secure as Forms Authentication. The exact level of security you get with it will depend on how you configure your Session State.

  1. Cookieless session state -- this opens up some potential security loopholes (eg user shares the URL that contains the session ID, user takes a screenshot that contains the URL with the session ID, etc.)

  2. Out of process session state -- if you are using a remote session state service (or a database for storing the session), your Session's security will depend on you locking down access to the session state service or DB appropriately.

That said, the built-in login and role functionality that you get with Forms Auth is not too difficult to extend and build upon, rather than rolling something from scratch. If you need something custom, you can also write your own membership and role providers. This is helpful if you need to lock down routes based upon user name or role, as you can do it right in the web.config.
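The two configuration points this answer raises (cookieless session IDs and the session store) and its suggestion to lock down routes in web.config are shown together in the fragment below. It is an added example, not part of the answer: the connection string name, the session timeout and the ~/Members/ folder are assumed values, and the commented-out lines show the weaker settings beside the ones to prefer.

```xml
<?xml version="1.0"?>
<!-- Added example web.config fragment (constructed, not from the original answer). -->
<configuration>
  <system.web>
    <!-- Weak: the session ID travels in the URL, so it leaks through shared
         links, screenshots, Referer headers and proxy logs.
         <sessionState mode="InProc" cookieless="UseUri" /> -->

    <!-- Preferred: keep the session ID in a cookie only ("UseCookies" never
         falls back to the URL the way "AutoDetect" or "UseDeviceProfile" can). -->
    <sessionState mode="InProc" cookieless="UseCookies" timeout="20" />

    <!-- Out-of-process alternative: the session store becomes part of the
         attack surface, so the SQL login in this connection string (assumed
         name "SessionDb") should have rights to the session tables only.
         <sessionState mode="SQLServer" sqlConnectionString="SessionDb"
                       cookieless="UseCookies" timeout="20" /> -->

    <!-- Session and auth cookies are not readable from script and are only
         sent over HTTPS (requireSSL assumes the whole site is served over TLS). -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />

    <!-- Forms Authentication: the auth ticket is issued only after the
         credentials are verified, which is the property the second answer
         relies on. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" requireSSL="true" timeout="20" />
    </authentication>
  </system.web>

  <!-- Route lock-down done in configuration rather than in each page's
       code-behind: anonymous users ("?") are denied the assumed ~/Members/
       folder, and the ~/Admin/ folder is restricted to the "Admin" role. -->
  <location path="Members">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Admin" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

With this in place a page no longer needs to inspect Session["login"] and redirect by hand; a request for ~/Members/ without a valid Forms Auth ticket is redirected to the login page by the framework before any page code runs.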

The major flaw in using Session is that it could open up your site to a Session Fixation vulnerability. As the session is established when the user arrives on your site, it may be possible for the session ID to be discovered (eg by a MITM).

Example steps are as follows for this exploit:

  1. User arrives on HTTP site, ASP.NET gives them a session and sends the session cookie to user.
  2. Attacker reads the session cookie value.
  3. User goes to login form (HTTPS), logs in and your id and login values are stored in the session.
  4. The attacker sets their session cookie to be the intercepted value from step 2.
  5. The attacker now has a valid, logged in session, hijacking the now logged in user.

For this reason alone, I would recommend using the built-in login and role functionality, as the auth cookie is not set until the authenticated session is established. If you insist on the session method, I would recommend you call Session.Abandon() to grant the user a new session upon login, so that their session is not the same as their previous, unauthenticated session.

Please also see my answer to this question: https://stackoverflow.com/a/18077422/413180
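The login handler below puts the pattern from the question next to the one this answer recommends. It is an added example, not code from the answer or from any project: the Login page, its UserName, Password and FailureText controls, and the VerifyCredentials and LookupUserId helpers are assumed. One caveat worth knowing when following the Session.Abandon() advice: in ASP.NET, Abandon() removes the server-side session data but the browser keeps the same ASP.NET_SessionId cookie, and the framework reuses that ID for the next session unless the cookie is also cleared, so the hardened handler expires the cookie as well.

```csharp
// Added example (constructed; not from the original answer or any project).
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

public partial class Login : Page
{
    // Assumed helpers: a real implementation checks a salted password hash
    // stored in the database and returns the matching user's id.
    private bool VerifyCredentials(string userName, string password)
    {
        return UserStore.PasswordMatches(userName, password); // hypothetical
    }

    private int LookupUserId(string userName)
    {
        return UserStore.IdFor(userName); // hypothetical
    }

    // VULNERABLE pattern (the setup in the question): the "logged in" state is
    // written into the session that already existed before the user logged in.
    // Anyone who learned that session ID while the user browsed the plain-HTTP
    // part of the site (steps 1-2 above) now holds an authenticated session.
    protected void LoginButton_Vulnerable(object sender, EventArgs e)
    {
        if (VerifyCredentials(UserName.Text, Password.Text))
        {
            Session["login"] = UserName.Text;
            Session["id"] = LookupUserId(UserName.Text);
            Response.Redirect("~/Members/Default.aspx");
        }
    }

    // HARDENED pattern: throw away the pre-login session and its ID cookie so
    // the next request is given a fresh session ID, and carry the login in the
    // Forms Authentication ticket, which is only issued after the credentials
    // have been verified.
    protected void LoginButton_Hardened(object sender, EventArgs e)
    {
        if (!VerifyCredentials(UserName.Text, Password.Text))
        {
            FailureText.Text = "Invalid user name or password.";
            return;
        }

        // Abandon() drops the server-side data of the unauthenticated session.
        Session.Abandon();

        // Abandon() alone does not rotate the ID: ASP.NET reuses the value of
        // the ASP.NET_SessionId cookie on the next request. Expiring the cookie
        // forces a new ID to be generated, which is what defeats the fixation
        // steps 4-5 above.
        var sessionCookie = new HttpCookie("ASP.NET_SessionId", string.Empty)
        {
            Expires = DateTime.UtcNow.AddDays(-1),
            HttpOnly = true
        };
        Response.Cookies.Add(sessionCookie);

        // The auth ticket is the proof of login from here on; nothing about
        // the authenticated state has been stored in the old session.
        FormsAuthentication.SetAuthCookie(UserName.Text, false);
        Response.Redirect(FormsAuthentication.GetRedirectUrl(UserName.Text, false), false);
    }
}

// On a member page the per-user data can be re-populated lazily into the
// fresh session; the authorization decision itself comes from the ticket.
public partial class MembersDefault : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (!User.Identity.IsAuthenticated)
        {
            FormsAuthentication.RedirectToLoginPage();
            return;
        }
        if (Session["id"] == null)
        {
            Session["id"] = UserStore.IdFor(User.Identity.Name); // hypothetical
        }
    }
}
```

The key difference is where the proof of login lives: in the vulnerable handler it is a flag inside a session whose ID was chosen before authentication, while in the hardened handler it is a signed Forms Auth ticket issued after authentication, and any session used afterwards has an ID the attacker never saw.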
