使用会话来存储“安全性".相关资料 [英] Using session to store "security" related info

问题描述

大家好，

与我问的另一个问题有关:如何定义全局"变量 [ ^ ]

在会话变量中存储与安全相关的信息的安全性/不安全性是什么?

我不是在谈论用户名/密码或类似名称，而是在谈论例如用户所属的角色"，或者是否具有特定权限.

我想使用会话变量方法在登录时设置用户的安全配置"，并减少每次访问数据库以检查权限的权限，但是很明显，如果造成威胁，我就不会这样做. >
不同的控件(例如，检查用户是否被矫正)将分开处理.

用户可以随意更改会话变量值吗?

另外，用户窃取"另一个会话cookie并获得对保留"数据的访问的可能性如何?

预先感谢您，

阿尔贝托

[更新]

为了更好地说明应用程序的情况:

用户属于不同的公司"，每个公司都是一个孤立的"环境(公司A的用户看不到公司B的用户和运营)

就是说，特定公司的用户可以属于一个或多个公司组"，并具有其他特定权限，这些权限是在每个公司的基础上定义的，我发现很难使用asp.net角色成员身份来实现此目的(公司a的管理员不得看到其他公司的组).

当前，用户使用标准的asp.net成员资格提供程序对应用程序进行身份验证，并检查是否具有必需的基本asp.net角色.

之后，每次用户向数据库请求数据时，我都必须:

-检查用户所属的公司
-检查用户属于哪个公司角色
-...依此类推，以获取其他特定的用户权限
-最后仅提取允许用户查看的数据.

这个想法是在登录时在会话变量上设置所有其他安全信息.在每次请求时，asp.net身份验证将自动检查用户是否已通过身份验证，我将验证是否设置了带有其他安全信息的会话变量.

因此，如果UserA能够窃取asp.net authcookie和UserB的会话状态，那么他就可以像访问UserB一样访问数据，而如果他只能窃取一个，则理论上我将具有更高的安全性(对于例如，如果UserA从UserB窃取了会话，但是没有使用authcookie进行同步，则可以阻止该用户.)

我必须考虑的另一个问题是:UserA是否可以通过一种方式手动更改会话状态变量，以便他可以在当前会话中手动添加角色和权限)?

可能的问题在完整的https应用程序上仍然有效吗?

感谢tou agin，

Alberto

Hi everyone,

relating to another question I asked:How define "Global" variables[^]

How secure/unsecure is to store security related information in session variables?

I''m not talking about username/password or similar, but, for example, about the "roles" a user belongs, or if he has specific permissions.

I would like to use the session variable approach to set the "security configuration" of the user at logon and reduce access to database for checking permission every time, but obvusly I won''t do it if it causes a threat.

Different controls (check if user is autenticated for example) will be handled separatedly.

Is it possible for a user to arbitrarily alter the session variable values?

Additionally, how possible it is for a user to "steal" another session cookie and get access to "reserved" data?

Thank you in advance,

Alberto

[UPDATE]

To better explain the situation of the application:

Users belong to different "companies", and each company is an " isolated" environment (users of company A cannot see users and operations of company B)

That said, the users of a specific company can belong to one or more "Company Groups", and have other specific permissions, which are defined on a per-Company basis, and I find hard to use asp.net role membership to achieve this (administrators of company a must not see other companies'' groups).

Currently, users authenticates to application using standard asp.net mebership provider, and checked to have required base asp.net roles.

After that, each time the user requests data to the database, I''d have to:

- check to which company the user belong
- check to which company roles the user belong
- ...so on for other specific user permissions
- finaly pull out only the data the user is allowed to see.

The idea is that of setting all the additional security information on session variables at log on. At each request, asp.net authentication will automatically check if user is authenticated, and I''ll verify that session variables with additional security info are set.

So, if UserA is capable of stealing both asp.net authcookie and session state of UserB, he obvusly can access data as if was UserB, while if he can steal only one, theorically I''ll have an additional level of security (for example, if UserA steals session from UserB, but there is no maching with authcookie, I can block the user).

The other probelm I must consider is: is there a way by which UserA can alter the session state variables manually, so that he could manually add roles and permission to his current session)?

Is the possible problems still effective on a full https application.

Thank tou agin,

Alberto

推荐答案

我不会这样做.我会每次检查数据库的权限.一个用户窃取另一个用户的会话状态相对容易.

请查看下面的链接以获得更好的定义.
http://en.wikipedia.org/wiki/Session_hijacking http://msdn.microsoft.com/en-us/library/ff649487.aspx#pagguidelines0001_sessionmanagement
http://msdn.microsoft.com/en-us/magazine/cc163730.aspx
http://msdn.microsoft.com/en-us/library/zdh19h94.aspx

I wouldn''t do it. I would check the database ever time for the permissions. It is relatively easy for a user to steal the session state of another user.

Check out the links below for a better definition.
http://en.wikipedia.org/wiki/Session_hijacking https://www.owasp.org/index.php/Session_hijacking_attack

This should give you a better idea of how safe it is. You can put precautions in when checking the session to make it more secure. Like verifing the name for the computer using the session. It still can be hacked pretty easily though.

You should also check out these article for best practices for security with asp.net.
http://msdn.microsoft.com/en-us/library/ff649487.aspx#pagguidelines0001_sessionmanagement
http://msdn.microsoft.com/en-us/magazine/cc163730.aspx
http://msdn.microsoft.com/en-us/library/zdh19h94.aspx

网络上没有什么是真正安全的.如果它对黑客足够有价值，他们将找到一种方法来实现.话虽这么说，会话状态是相当安全的，但是Microsoft已经处理了大部分会话状态，并且在正常情况下会话不应该成为问题.

您可能需要查看以下

Nothing on the web is truly secure. If it is valuable enough to a hacker they will find a way to get to it. That being said session state is reasonably secure, Microsoft has taken care of most of it and session shouldn''t be a problem under normal circumstances.

You may want to look at this ASP.NET 2.0 Membership, Roles, Forms Authentication, and Security Resources[^]

这篇关于使用会话来存储“安全性".相关资料的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！