堆栈内存溢出
  简体   繁体   English

使用会话变量有多安全? ASP.NET C#

[英]how safe is it to use session variables? ASP.NET C#

 原文  2016-08-02 14:57:24       c#/ asp.net/ session

问题描述

I have this code in my Login page: 我的登录页面中有以下代码: 

        Session["user"] = user.Text;
        cmd.Parameters.AddWithValue("@user", Session["user"]);
        reader = cmd.ExecuteReader();

I saw this link how safe is it to use session variables - asp.net / c# 我看到此链接使用会话变量有多安全-ASP.NET / C#

and I want to know if I need to change this type of login. 我想知道是否需要更改这种登录类型。

my question is if its safe to use session and if its possible to steal a session from another user and enter to the website as that user or something like that. 我的问题是,会话是否可以安全使用,是否有可能从其他用户那里窃取会话并以该用户身份或类似身份进入网站。

I tried to use membership but I couldn't change the register so I moved to Session. 我尝试使用成员身份,但无法更改注册,所以我转到了Session。

2 个解决方案

解决方案1
 1  2016-08-02 15:20:01

Using session state to keep track of current login user is OK as long as you are on HTTPS . 只要使用HTTPS,就可以使用会话状态跟踪当前登录用户。 Session variables are stored in Server Memory (by default) . 会话变量存储在服务器内存中(默认情况下)

We all used the similar approach in Classics ASP and ASP.Net 1.0 (before Membership in ASP.Net 2.0) . 我们都在Classics ASP和ASP.Net 1.0中使用了类似的方法(在ASP.Net 2.0中加入成员资格之前)

The main drawback is the maintenance . 主要缺点是维护 It is hard to maintain when the application has too many pages and too many users with different authorizations. 当应用程序具有太多页面和太多具有不同授权的用户时,很难维护。

解决方案2
 0  2016-08-02 15:39:12

As it has already been said, you should not have to worry about session security as long as you use https protocol and that your application server is safe. 正如已经说过的,只要您使用https协议并且您的应用程序服务器是安全的,就不必担心会话安全性。

But you should consider using Identity framework instead of the old Membership framework. 但是您应该考虑使用Identity框架而不是旧的Membership框架。 Since 2013 Identity is the new authentication .NET standard, allowing SSO, role provider, claims based authentication etc... 自2013年以来,身份是新的身份验证.NET标准,允许SSO,角色提供者,基于声明的身份验证等...

See http://www.asp.net/identity/overview/getting-started/introduction-to-aspnet-identity to understand why you should choose identity over membership) 请参阅http://www.asp.net/identity/overview/getting-started/introduction-to-aspnet-identity以了解为什么应该选择身份而不是成员身份)

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 使用会话变量有多安全 - asp.net/c# - how safe is it to use session variables - asp.net / c# 如何使用Session变量asp.net c# - How to use Session variables asp.net c# 如何使用 C# 在 ASP.NET Core 3.1 MVC 中使用会话变量 - How to use session variables in ASP.NET Core 3.1 MVC using C# 会话变量,Web服务,ASP.NET和C# - Session Variables, Web Services, ASP.NET, and C# c# ASP.NET Session 变量未初始化或更新 - c# ASP.NET Session Variables Not Initialising Or Updating ASP.NET-C#中的会话变量的替代方法 - ASP.NET - Alternatives to Session Variables in C# ASP.NET C# 会话变量丢失 - ASP.NET C# Session Variables Being Lost Asp.NET C# Session 从 class 到 handler 的变量 - Asp.NET C# Session Variables from class to handler 如何终止会话或会话 ID (ASP.NET/C#) - How to Kill A Session or Session ID (ASP.NET/C#) ASP.NET C#使用下拉菜单中的会话数据 - ASP.NET C# use session data from dropdown
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM