修复ASP.Net中的会话固定漏洞 [英] Fix Session Fixation flaw in ASP.Net
问题描述
使用.Net Framework 4.7的混合webforms/mvc asp.net应用程序已在Veracode动态扫描中标记为会话固定"漏洞.这意味着Veracode获取登录页面,更改SessionId cookie(ASP.NET_SessionId),然后使用有效的用户ID和密码进行张贴以进行登录. ASP.Net登录用户,但获取此更改后的SessionId cookie并继续使用它;使用注入的SessionId值的行为就是缺陷.
A hybrid webforms/mvc asp.net application using .Net Framework 4.7 has been tagged with the "Session Fixation" vulnerability in a Veracode dynamic scan. What this means is that Veracode gets the login page, alters the SessionId cookie (ASP.NET_SessionId), and then posts with a valid userid and password to do the login. ASP.Net logs in the user, but takes this altered SessionId cookie and continues to use it; that behavior of using that injected SessionId value is the flaw.
换句话说,当Veracode获取页面时,SessionId cookie可能是"abc123". Veracode将该cookie更改为"def456"并回发.此后,ASP.Net登录用户并使用"def456"作为SessionId.
In other words, when Veracode gets the page the SessionId cookie might be "abc123". Veracode changes that cookie to "def456" and posts back. ASP.Net logs in the user and uses "def456" as the SessionId henceforth.
每个Veracode我必须使成功登录之前创建的ASP.Net_SessionID cookie无效.当然,这很容易做到,我可以在用户成功登录后简单地重置ASP.NET_SessionId cookie.问题是,这导致用户被直接重定向回登录页面.那么会发生什么:
Per Veracode I must invalidate the ASP.Net_SessionID cookie created prior to a successful login. This is easy to do of course, I can simply reset the ASP.NET_SessionId cookie when the user successfully logs in. The problem is, this causes the user to be redirected right back to the login page. So what happens is this:
- 用户提交登录页面.
- 在服务器端,如果登录成功,我将ASP.NET_SessionId重置为某个新值(通过调用SessionIDManager.SaveSessionID(),这又会简单地重置ASP.Net_SessionID cookie).
- 用户被重定向到应用程序主页,然后立即被重定向回到登录页面
应用程序使用带有Webforms登录页面的表单身份验证.登录页面使用asp.net登录控件.在此控件的"OnAuthenticate"事件中,我有如下代码:
The application uses forms authentication, with a webforms login page. The login page uses the asp.net Login control. In the "OnAuthenticate" event of this control I have code like this:
protected void Login1_Authenticate(object sender, AuthenticateEventArgs e)
{
bool b = Membership.Validateuser(Login1.UserName, Login1.Password);
if(b)
{
e.Authenticated = true;
SessionIDManager mgr = new SessionIDManager();
string newId = mgr.CreateSessionID(Context);
mgr.SaveSessionID(Context, newId, out bool redirected, out bool cookieAdded);
}
}
这运行没有错误. ASP.net将用户重定向到应用程序主页.但是,asp.net会立即将用户从应用程序主页重定向到登录页面.
This runs without error. ASP.net redirects the user to the application home page. But then asp.net immediately redirects the user from the application home page back to the login page.
是否可以通过任何方式更改该SessionId cookie,
Is there any way to alter that SessionId cookie so that
- Veracode注入的SessionId cookie值被放弃.
- 用户保持身份验证,并且不会简单地重定向回登录页面.
我尝试运行在各种页面事件(PreInit,Load等)中更改SessionId的代码,并且所有这些都具有相同的结果-用户被重定向回登录页面.
I've attempted running the code that alters the SessionId in various page events (PreInit, Load, etc) and all of them have the same result--the user is redirected back to the login page.
请不要将此问题标记为已回答.关于这个问题,有几个答案,所有这些建议都像我上面一样建议重新设置SessionId cookie,并且所有这些注释都指出这实际上不起作用.
Please do not mark this question as already answered. There are several answers to this question on SO, all of which advise re-setting the SessionId cookie as I do above, and all of which have comments pointing out that this does not actually work.
推荐答案
经过反复的反复讨论,Veracode顾问给出了最后的答复,基本上是说不用担心".这是Veracode的回复:
After considerable back-and-forth the final reply from a Veracode consultant was the following, basically saying "don't worry about it." This is the reply from Veracode:
我还进一步研究了您的应用程序中的动态发现.我们正在查找会话固定的会话ID不是用于身份验证的ID,因此应用程序的风险很低.攻击者将无法通过仅控制ASP.NET_SessionId cookie来获得对用户身份验证会话的访问权限.通过保护.ssoIIMAuth cookie,您的应用程序已经在防止这种攻击.
I also looked further into the dynamic findings from your application. The session ID that we are finding session fixation on, is not the ID you are using for authentication, and so the risk for your application is low. An attacker would not be able to gain access to an authenticated session of a user by controlling just the ASP.NET_SessionId cookie. By protecting the .ssoIIMAuth cookie your application is already preventing this sort of attack.
这篇关于修复ASP.Net中的会话固定漏洞的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
