堆栈内存溢出
  简体   繁体   English

在ASP.NET SessionID线程安全中使用RNGCryptoServiceProvider吗?

[英]Is the use of RNGCryptoServiceProvider in ASP.NET SessionID threadsafe?

 原文  2012-04-18 20:05:30       c#/ asp.net/ sessionid

问题描述

Below is the implementation in ASP.NET for creating session ids (I've paraphrased). 下面是ASP.NET中用于创建会话ID的实现(我已经解释过了)。

edit (the RNG is shared): 编辑(共享RNG): 

static _randgen = new RNGCryptoServiceProvider(); 

string GetSessionId()
{
    var buffer = new byte [15];

    //fill the buffer with random bytes
    randgen.GetBytes(buffer);

    //turn the bytes into a string of letters and numbers (no unsafe chars)
    string encoding = Encode(buffer);
    return encoding; 
}

The documentation on RNGCryptoServiceProvider.GetBytes says it is thread safe, however it's not clear what kind of thread safety that means. 关于RNGCryptoServiceProvider.GetBytes的文档说它是线程安全的,但是不清楚这意味着什么样的线程安全。 Does it simply guarantee no deadlocks or does it guarantee two threads will get different values? 它是否只是保证没有死锁,还是保证两个线程会得到不同的值? Is it possible for there to be a race condition where 2 requests would pull the same session id? 是否有可能存在竞争条件,其中2个请求会拉出相同的会话ID?

2 个解决方案

解决方案1
 1  2012-04-18 20:09:12

Since a new RNGCryptoServiceProvider object is created inside the GetSessionId function, it is not access by multiple threads. 由于新的RNGCryptoServiceProvider对象是在内部创建GetSessionId功能,它不是由多个线程访问。

Edit: It means it wont crash if two or more threads uses its functions. 编辑:这意味着如果两个或多个线程使用其功能,它不会崩溃。 It does not guarantee any uniqueness (one thread or more) but will generate cryptographically strong random bytes. 它不保证任何唯一性(一个或多个线程),但会生成加密强大的随机字节。

解决方案2
 1  2012-04-18 20:35:48

While GetBytes is thread safe (no deadlocks, no shared results), using it will NOT mean that the result is different each time. 虽然GetBytes是线程安全的(没有死锁,没有共享结果),但使用它并不意味着每次结果都不同。

Each time you call GetBytes, it is a whole new random result. 每次调用GetBytes时,它都是一个全新的随机结果。 Meaning that to be random it could also be a duplicate. 这意味着它是随机的,也可能是重复的。

Granted with 15 bytes, that's a touch on the unlikely side, but it can happen. 获得15个字节,这是不太可能的一面,但它可能会发生。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 在 ASP.NET 中重新生成 SessionID - Regenerate SessionID in ASP.NET ASP.NET sessionID不会更新 - ASP.NET sessionID will not update ASP.NET:将RNGCryptoServiceProvider的输出暴露给外部存在安全风险吗? - ASP.NET: Is exposing RNGCryptoServiceProvider's output to the outside a security risk? 在登录时生成新的SessionID(ASP.NET) - Generating a new SessionID on Login (ASP.NET) 在ASP.NET中维护整个应用程序的SessionID - Maintain the SessionID for Entire Application in ASP.NET Asp.net cookieless sessionId url位置 - Asp.net cookieless sessionId url location Asp.net SessionID的字符串格式是什么? - What is the string format of the Asp.net SessionID? asp.net sessionId恢复会话对象 - asp.net sessionId to restore session object 从ASP.NET应用程序中删除ASP.NET_SessionId - Removing ASP.NET_SessionId from an ASP.NET application ASP.NET会话修复(ASP.NET_sessionid) - Asp.net session fixation (ASP.NET_sessionid)
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM