
Is the usage of Isolated Storage in Silverlight 3 a security concern

I am using Silverlight 3 on my website. I have a Login Page for role-based authentication, that routes users with different privileges to different parts of the website. I want to use something analogous to the Session Variables available in standard ASP.Net applications.

I intend to use Isolated Storage to achieve this. But I am skeptical about security in this option, as the Isolated Storage exists on the client side, and can be manipulated on client side. I am new to the Isolated Storage concept and don't know about the security options provided by it in terms of Encryption and server-side validation etc. If any of you have used it or are aware of the security provided in this case, could you please shed some light on the same?

Thanks

Here's an idea, why not just use a static instance of a dictionary (to go with a simple example)? As you mentioned, Silverlight runs on the client side, which means that you don't have to be concerned with other users' state. The dictionary will be persisted as long as the user is using the Silverlight app, and every time you go to the page again, the AppDomain will be recreated, which is analogous to the user having an empty session state bag re-initialized.

Have a look at the Silverlight Database project which implements an Isolated Storage database. The functionality includes compression and encryption.
