
Why is the session cookie encrypted in .NET Core?

SessionMiddleware in .NET Core 3.1 uses IDataProtector to encrypt a randomly generated session-key.

The session-key is a reference to a collection of items stored in a cache, which are available through ISession.

The source code is here:

The relevant bit is between rows 91 and 96.

There is plenty of documentation for setting up IDataProtection, but why is the session-key encrypted in the first place? The cookie is designed to be transported securely between client and server. The actual session-data stored in the cache is not encrypted. Encrypting a randomly generated key seems superfluous and requires developers to set up IDataProtection for seemingly little value (if you didn't need it for something else already).

Found the issue where IDataProtection was added.

https://github.com/aspnet/Session/issues/105

The encrypted key is much longer than the originally used guid, making it more secure I guess.
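An added example, not code from the question or from the ASP.NET Core repository, that shows what the data protector changes about the cookie. It protects a freshly generated key the way the middleware does, then tries to unprotect three cookie values: the genuine one, one the client invented, and one with a single character altered. The purpose string, the console-app shape and the use of `EphemeralDataProtectionProvider` (a key ring that lives only for this process) are assumptions for the demo; it needs the `Microsoft.AspNetCore.DataProtection` package.

```csharp
using System;
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;

// Added example (not the ASP.NET Core source): what IDataProtector does for
// the session cookie. Requires the Microsoft.AspNetCore.DataProtection package.
class SessionCookieDemo
{
    static void Main()
    {
        // Ephemeral key ring: keys exist only for this process. A real app
        // configures persistent key storage through services.AddDataProtection().
        IDataProtectionProvider provider = new EphemeralDataProtectionProvider();

        // The purpose string isolates these payloads from other protectors in the
        // same app; "SessionCookieDemo" is an assumed value, not the middleware's.
        IDataProtector protector = provider.CreateProtector("SessionCookieDemo");

        // 1. Server mints a random session key (the lookup key for the cache).
        byte[] keyBytes = new byte[16];
        RandomNumberGenerator.Fill(keyBytes);
        string sessionKey = new Guid(keyBytes).ToString();

        // 2. The cookie carries the protected form, not the raw key.
        string cookieValue = protector.Protect(sessionKey);
        Console.WriteLine($"session key : {sessionKey} ({sessionKey.Length} chars)");
        Console.WriteLine($"cookie value: {cookieValue} ({cookieValue.Length} chars)");

        // 3. A genuine cookie round-trips to the same key.
        Console.WriteLine("genuine     : " + TryResolve(protector, cookieValue));

        // 4. A value the client made up (a key it chose itself) fails
        // authentication; the middleware would start a new session instead.
        Console.WriteLine("client-made : " + TryResolve(protector, "attacker-chosen-key"));

        // 5. One altered character in a real cookie also fails, since the
        // payload is authenticated, not merely obscured.
        char[] tampered = cookieValue.ToCharArray();
        tampered[10] = tampered[10] == 'A' ? 'B' : 'A';
        Console.WriteLine("tampered    : " + TryResolve(protector, new string(tampered)));
    }

    // Mirrors the middleware's handling: a cookie that does not unprotect is
    // treated as "no session", never as a session with a client-chosen key.
    static string TryResolve(IDataProtector protector, string cookieValue)
    {
        try
        {
            return "valid, key = " + protector.Unprotect(cookieValue);
        }
        catch (CryptographicException)
        {
            return "rejected (not issued by this key ring, or modified)";
        }
    }
}
```

The third and fourth cases are the practical point: `Unprotect` throws for anything this server's key ring did not produce unmodified, so a client cannot fix a session key of its own choosing or splice one together; it can only replay a value the server issued. The ephemeral provider also illustrates why configuring data protection matters in deployment: every process with its own key ring rejects cookies minted by the others, which is the "new session on every request" symptom seen behind a load balancer when key storage is not shared.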
