是否有必要在 Web 应用程序中使用表单身份验证?
[英]Is it necessary to use forms authentication in a web app?
问题描述
We are developing an asp.net web app for trading in stock market.
我们正在开发一个用于股票市场交易的 asp.net 网络应用程序。 We need a high secure app.我们需要一个高度安全的应用程序。 Is it safe not to use forms auth.不使用表单身份验证是否安全? Is it enough using ssl, httponly cookies, and preventing xss for a secure app?对安全应用程序使用 ssl、httponly cookie 和防止 xss 就足够了吗?
What i know is;我所知道的是;
In Forms authentication there are session and auth cookie.在 Forms 身份验证中,有 session 和 auth cookie。 What is the difference to hack web app with forms auth.使用表单身份验证破解 Web 应用程序有什么区别。 If a hacker able to steal session cookie.如果黑客能够窃取会话cookie。 Its not so hard to steal auth cookie.窃取 auth cookie 并不难。 How come is it safe to use forms authentication?(Is it just stealing one more cookie?)为什么使用表单身份验证是安全的?(是否只是偷了一个 cookie?)
Thanks.谢谢。
1 个解决方案
解决方案1
0 2020-05-07 02:59:17
In researching this myself -- this question seems about the crux of solution out of the box when using forms authentication in that it's not completely safe, but is if you can prevent stealing of the AUTH cookie.在我自己研究这个问题时- 这个问题似乎是使用表单身份验证时开箱即用的解决方案的关键,因为它不是完全安全的,但是如果你可以防止窃取 AUTH cookie。
While you can potentially add code to make it harder - it's a complex problem without a real unique point of difference per client that is currently easily replicated with the right tools and other attack vectors.虽然您可能会添加代码以使其更难 - 这是一个复杂的问题,每个客户端没有真正独特的差异点,目前可以使用正确的工具和其他攻击媒介轻松复制。 It's also a user issue in how far you are willing to push them to prove who they are in a browser that was never designed for keeping state - which comes down to how much security measures you're willing to invent/invest in.这也是一个用户问题,你愿意在多大程度上推动他们在一个从未设计用于保持状态的浏览器中证明他们是谁 - 这归结为你愿意发明/投资多少安全措施。
In learning the attack vectors, with Troy Hunts tuts , it is quite shocking how easy it can be having tried on few well know sites and how far behind I was regarding.在学习攻击媒介时, Troy Hunts 啧啧,令人震惊的是,在少数知名网站上进行尝试是多么容易,而且我所考虑的落后程度如此之大。
I guess the best advice if using forms authentication is to keep up to date with the current OWASP Top 10 issues and prevent as much as possible, or switch to something else.如果使用表单身份验证,我想最好的建议是跟上当前的OWASP Top 10问题并尽可能地防止,或者切换到其他问题。
fyi: while this post was old it was the first I found when looking for the same thing.仅供参考:虽然这篇文章很旧,但它是我在寻找相同内容时发现的第一个。 I'm not a specialist in the field and others could give better answers to using something else more secure but, hoped this answer will help someone else with a similar question.我不是该领域的专家,其他人可以为使用其他更安全的东西提供更好的答案,但希望这个答案能帮助其他有类似问题的人。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.