
Claims Cookie Security in ASP.Net Identity

The way I understood it from reading all over the net is that Claims get stored as a cookie. Now I add the User's Roles to the Claims collection, and thus they will be saved into the Claims Cookie. This is great, as it would save me the round trip to the Database to retrieve the user role each time I have an Authorization Attribute to check against in my ASP MVC Controller.

  • Is this secure?
  • Can the cookie be decrypted if stolen?
  • Is there an alternative that does not save Claims in the Cookie but saves them on the server, and is this efficient, or am I worrying too much?

Cookies are pretty much the standard way to maintain an authentication session for a web site, unless you use the cookieless mechanism, which transmits the session as a query string and was shown to be less secure. Whether you store claims in the cookie or not, you are still relying on the cookie security mechanism to maintain the client identity between page hits. The mechanism has been around for years and is considered secure as long as you follow the implementation guidelines from Microsoft.

Assuming you are using .NET 4.5 or .NET 4.0 with the WIF libraries, you can cache claims on the server and not send them in the cookie. Here is some basic documentation. Usually it is recommended if you have a lot of claims and the cookie gets too large to carry on every page hit.

As Oleg wrote, the standard cookie encryption is considered secure.

The discussion here, "Server side claims caching with Owin Authentication", could be interesting as well.
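As an added example (not code from the question or from any of the answers above), this is how the server-side claims caching that the second answer and the linked Owin discussion refer to can be wired up with the OWIN cookie middleware's SessionStore hook: the cookie then carries only an opaque random key, and the claims, roles included, never leave the server. The in-memory cache, the class names and the 30-minute fallback are assumptions for illustration.

```csharp
using System;
using System.Runtime.Caching;            // reference System.Runtime.Caching.dll
using System.Security.Cryptography;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Owin;

// Ticket store: claims (roles included) stay server-side; the cookie holds only an opaque key.
public class MemoryCacheSessionStore : IAuthenticationSessionStore
{
    private readonly MemoryCache _cache = MemoryCache.Default;   // single-server assumption
    public Task<string> StoreAsync(AuthenticationTicket ticket)
    {
        var raw = new byte[32];                                   // 256 random bits: unguessable key
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(raw);
        var key = "AuthTicket-" + Convert.ToBase64String(raw);
        _cache.Set(key, ticket, PolicyFor(ticket));
        return Task.FromResult(key);
    }
    public Task RenewAsync(string key, AuthenticationTicket ticket)
    {
        _cache.Set(key, ticket, PolicyFor(ticket));               // sliding-expiration refresh
        return Task.FromResult(0);
    }
    // null for an unknown or expired key: the middleware then treats the request as anonymous
    public Task<AuthenticationTicket> RetrieveAsync(string key) =>
        Task.FromResult(_cache.Get(key) as AuthenticationTicket);
    public Task RemoveAsync(string key)
    {
        _cache.Remove(key);                                       // sign-out revokes the session server-side
        return Task.FromResult(0);
    }
    private static CacheItemPolicy PolicyFor(AuthenticationTicket ticket)
    {
        // Expire the cached claims with the cookie; 30 min fallback when ExpiresUtc is unset
        var expires = ticket.Properties.ExpiresUtc ?? DateTimeOffset.UtcNow.AddMinutes(30);
        return new CacheItemPolicy { AbsoluteExpiration = expires };
    }
}

public class Startup
{
    public void Configuration(IAppBuilder app) => app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie, SessionStore = new MemoryCacheSessionStore(),
        CookieHttpOnly = true, CookieSecure = CookieSecureOption.Always   // not script-readable, HTTPS only
    });
}
```

On a web farm the MemoryCache must be replaced by a shared store (SQL, Redis) or every server will see a different set of keys; a stolen cookie still grants the session until RemoveAsync or expiry, which is why the HTTPS-only and HttpOnly flags remain essential.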
