ASP.NET会话修复(ASP.NET_sessionid)
[英]Asp.net session fixation (ASP.NET_sessionid)
问题描述
Asp.net_SessionId is generated default by the system. 
系统默认生成Asp.net_SessionId。 Whenever this value copied from one browser to another user automatically access the pages inside login credentials. 每当将此值从一个浏览器复制到另一用户时,都会自动访问登录凭据中的页面。
case: First I logged in with my credentials in one browser (chrome). 案例:首先,我在一个浏览器(chrome)中使用自己的凭据登录。 Now I open same browser in private mode (again chrome). 现在,我以专用模式(同样是chrome)打开相同的浏览器。 Now I'll copy logged in browser session value to private mode and try to access the pages like dashboard, profile, settings etc. So here just by copying the session value I am able to access all the pages that require login. 现在,我将登录的浏览器会话值复制到私有模式,并尝试访问仪表板,配置文件,设置等页面。因此,这里只需复制会话值,便可以访问所有需要登录的页面。
How to prevent this? 如何预防呢? Please give me some suggestions. 请给我一些建议。
I am able to prevent this in cross browser but I am not able to prevent it in same browser. 我可以在跨浏览器中防止这种情况,但在同一浏览器中却无法阻止。
What I have tried: 我尝试过的
I implemented the technique described here, but it's not working in my case. 我实现了此处描述的技术,但在我的情况下不起作用。 Yes its working with two different browser but not with single browser. 是的,它适用于两种不同的浏览器,但不适用于单一浏览器。
http://www.codeproject.com/Articles/859579/Hack-proof-your-asp-net-applications-from-Session http://www.codeproject.com/Articles/859579/Hack-proof-your-asp-net-applications-from-Session
Please help me to solve this. 请帮我解决这个问题。
1 个解决方案
解决方案1
0 2016-06-30 17:26:36
Whenever this value copied from one browser to another user automatically access the pages inside login credentials.
It depends on how you authenticate the user. 这取决于您如何验证用户。 If you just use Session State to keep track of user authentication like classic ASP days, it is true. 如果您仅使用会话状态来跟踪用户身份验证(如经典的ASP天),那是事实。
Nowadays, we use ASP.Net Identity or Form Authentication (Membership Provider) via SSL in which tokens are encrypted, and sign-out everywhere features. 如今,我们通过SSL使用ASP.Net身份或表单身份验证(成员身份提供程序) ,对令牌进行加密,并随处注销所有功能。 So it is not easily to hack Authentication Cookie in SSL (I do not say that impossible). 因此,要破解SSL中的身份验证Cookie并不容易(我并不是说不可能)。
In ASP.Net MVC, we do not need to use Session State like we used to in ASP.Net Web Form and Classic ASP. 在ASP.Net MVC中,我们不需要像在ASP.Net Web Form和Classic ASP中那样使用会话状态。 Besides, using Session State directly becomes a bad practice in ASP.Net MVC. 此外,直接使用会话状态在ASP.Net MVC中成为一种不良做法。
The bottom line is if you use ASP.Net Identity or Form Authentication via SSL, I won't even worry about it. 最重要的是,如果您通过ASP使用ASP.Net Identity或Form Authentication,我什至不必担心。 If you haven't use those, you definitely want to consider using it. 如果您还没有使用过它们,那么您肯定要考虑使用它。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.