ASP.NET MVC Application中如何处理ASP.NET_SessionId Cookie
[英]How to handle ASP.NET_SessionId Cookie in ASP.NET MVC Application
问题描述
I have Asp.NET MVC application which gets logged in after secure Id and password authentication.
我有 Asp.NET MVC 应用程序,它在安全 ID 和密码身份验证后登录。
After login, when I go to developer tools in Web Browser and Copy the ASP.NET_SessionId Cookie and paste it in another browser without login with Id and password, It gets logged in.登录后,当我 go 到 Web 浏览器中的开发人员工具并复制 ASP.NET_SessionId Cookie 并将其粘贴到另一个浏览器中而无需使用 ID 和密码登录时,它会登录。
Where this cookie is created?这个 cookie 是在哪里创建的? And how I can handle this vulnerability?我该如何处理这个漏洞?
1 个解决方案
解决方案1
0 2023-01-12 12:47:47
You are describing "session hijacking"您正在描述“会话劫持”
You should ensure that ASP.net requires https, and that cookies are not accessible to client side script, by adding this to web.config您应该确保 ASP.net 需要 https,并且客户端脚本无法访问 cookies,方法是将其添加到 web.config
<httpCookies httpOnlyCookies="true" requireSSL="true" />
You might also implement something like the SecureSessionModule in this article which generates some additional measures您还可以实现类似于本文中的 SecureSessionModule 的东西,它会生成一些额外的措施
Note the caveats注意注意事项
https://learn.microsoft.com/en-us/archive/msdn-magazine/2004/august/wicked-code-foiling-session-hijacking-attempts https://learn.microsoft.com/en-us/archive/msdn-magazine/2004/august/wicked-code-foiling-session-hijacking-attempts
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.