Asp.net core login Identity template is it safe to use?

I am new to asp.net core.

I am trying to create a web application using asp.net core 3.1 as per the instructions in the link.

I created a login page which is working; application login is working. So after logging in the 1st user in the application, I copied the cookies of the 1st user to another browser, opened the localhost site, and saw the user get logged in without authentication.

Is this the right implementation? How do I create a safe login and authorization module in an asp.net core web app?

    using System;
    using Microsoft.AspNetCore.Builder;
    using Microsoft.AspNetCore.Hosting;
    using Microsoft.AspNetCore.Identity;
    using Microsoft.EntityFrameworkCore;
    using Microsoft.Extensions.Configuration;
    using Microsoft.Extensions.DependencyInjection;
    using Microsoft.Extensions.Hosting;

    // Startup class of the scaffolded ASP.NET Core 3.1 Razor Pages + Identity project;
    // ApplicationDbContext is the context the Identity template generates.
    public class Startup
    {
        public Startup(IConfiguration configuration) => Configuration = configuration;

        public IConfiguration Configuration { get; }

        public void ConfigureServices(IServiceCollection services)
        {
            services.AddDbContext<ApplicationDbContext>(options =>
                options.UseSqlServer(
                    Configuration.GetConnectionString("DefaultConnection")));

            // Add Distributed Redis Cache for Session
            services.AddDistributedRedisCache(options =>
            {
                options.Configuration = "localhost";
                options.InstanceName = "Session_";
            });

            services.AddSession(options =>
            {
                // 20 minutes after the last access the session is removed.
                options.IdleTimeout = TimeSpan.FromMinutes(20);
                options.Cookie.HttpOnly = true;
                options.Cookie.IsEssential = true;
            });

            // Identity with the default UI; accounts must be confirmed before sign-in.
            services.AddDefaultIdentity<IdentityUser>(options => options.SignIn.RequireConfirmedAccount = true)
                .AddEntityFrameworkStores<ApplicationDbContext>();

            services.AddRazorPages();
        }

        public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
        {
            if (env.IsDevelopment())
            {
                app.UseDeveloperExceptionPage();
                app.UseDatabaseErrorPage();
            }
            else
            {
                app.UseExceptionHandler("/Error");
                // The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
                app.UseHsts();
            }

            app.UseHttpsRedirection();
            app.UseStaticFiles();

            app.UseRouting();

            app.UseAuthentication();
            app.UseAuthorization();
            // Adds session middleware to the pipeline
            app.UseSession();

            app.UseEndpoints(endpoints =>
            {
                endpoints.MapRazorPages();
            });
        }
    }

Sample code from the link.

Let's summarize a few things here:

First of all, if your web application is configured correctly it is not possible to steal someone else's cookie. Unless you're on the same physical machine (which I assume is what you did when you copied the cookie), of course.

So your site should always be served over HTTPS; that's configured correctly: app.UseHttpsRedirection(); . And cookies should be HttpOnly (meaning not accessible by JavaScript): options.Cookie.HttpOnly = true; (but that's for the session cookie). The cookie that is created by the Identity template is marked as HttpOnly and Secure by default, so that's also fine. So basically the answer to your question is 'Yes, the Identity template is safe to use'.

As a final comment I would recommend adding app.UseHsts(); to add HSTS headers for more security.
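Added example (not part of the original question or answer): the cookie and HSTS settings a defender would pin down explicitly in this Startup, plus the security-stamp validation interval that bounds how long an authentication cookie copied out of one browser keeps working in another. `ConfigureApplicationCookie`, `SecurityStampValidatorOptions` and `AddHsts` are standard ASP.NET Core 3.1 APIs; the login and access-denied paths are the Identity template defaults, and the timeouts and max-age are assumed values, not taken from the page.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.DependencyInjection;

// Added example: hardening the session and Identity cookies and limiting the
// lifetime of a copied authentication cookie. Timeouts are assumed values.
public static class CookieHardening
{
    public static void ConfigureServices(IServiceCollection services)
    {
        // Session cookie: HttpOnly, only over HTTPS, never sent on cross-site requests.
        services.AddSession(options =>
        {
            options.IdleTimeout = TimeSpan.FromMinutes(20);
            options.Cookie.HttpOnly = true;
            options.Cookie.IsEssential = true;
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
            options.Cookie.SameSite = SameSiteMode.Strict;
        });

        // Identity's authentication cookie. The template already sets HttpOnly and
        // Secure; stating them here makes the policy explicit and reviewable.
        services.ConfigureApplicationCookie(options =>
        {
            options.Cookie.HttpOnly = true;
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
            options.Cookie.SameSite = SameSiteMode.Lax; // Lax keeps inbound links to the site working after login
            options.ExpireTimeSpan = TimeSpan.FromMinutes(30); // assumed value
            options.SlidingExpiration = true;
            options.LoginPath = "/Identity/Account/Login";
            options.AccessDeniedPath = "/Identity/Account/AccessDenied";
        });

        // The cookie is a bearer credential: a copy is accepted until it expires or
        // the user's security stamp changes. Re-validate the stamp every 5 minutes
        // (the default is 30) so a rotated stamp invalidates copies quickly.
        services.Configure<SecurityStampValidatorOptions>(options =>
            options.ValidationInterval = TimeSpan.FromMinutes(5));

        // HSTS header values; app.UseHsts() in Configure emits the header.
        services.AddHsts(options =>
        {
            options.MaxAge = TimeSpan.FromDays(365); // assumed value
            options.IncludeSubDomains = true;
        });
    }

    // "Sign out everywhere": rotating the security stamp invalidates every cookie
    // issued for this user once the validation interval has elapsed, then the
    // current browser is signed out immediately.
    public static async Task SignOutEverywhereAsync(
        UserManager<IdentityUser> userManager,
        SignInManager<IdentityUser> signInManager,
        IdentityUser user)
    {
        await userManager.UpdateSecurityStampAsync(user);
        await signInManager.SignOutAsync();
    }
}
```

Call `CookieHardening.ConfigureServices(services)` from `Startup.ConfigureServices` in place of the bare `AddSession` call, and wire `SignOutEverywhereAsync` to an account-management page. The validation interval is the trade-off to tune: a shorter interval means one extra database read per interval per active user, in exchange for a shorter window in which a copied cookie stays valid after the stamp is rotated.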
