会话固定-在asp.net core 2上更改sessionId [英] Session Fixation - Change sessionId on asp.net core 2
问题描述
根据我所了解的我们拥有的
Based on what i have understood we have
-
sessionId存储在cookie.AspNetCore.Session中
-
删除Cookie并清除会话无济于事.
sessionIdis stored in the cookie.AspNetCore.SessionDeleting the cookies and Clearing the session does nothing.
context.HttpContext.Session.Clear();
foreach (var cookie in context.HttpContext.Request.Cookies.Keys)
{
context.HttpContext.Response.Cookies.Delete(cookie);
}
所以问题是我们可以以某种方式更改sessionId,还是有一种方法可以保护我们免受会话固定的侵害?
So the question is can we change the sessionId somehow, or is there a way to protect us from Session-Fixing?
推荐答案
...或者有什么方法可以保护我们免受会话固定的伤害?
...or is there a way to protect us from Session-Fixing?
是的! OWASP 状态:
不幸的是,某些平台(尤其是Microsoft ASP)不会为sessionid cookie生成新值,而只是将现有值与新会话相关联.这样可以保证几乎所有的ASP应用程序都容易受到会话修复的攻击,除非它们已采取具体措施加以保护.
Unfortunately, some platforms, notably Microsoft ASP, do not generate new values for sessionid cookies, but rather just associate the existing value with a new session. This guarantees that almost all ASP apps will be vulnerable to session fixation, unless they have taken specific measures to protect against it.
同一页上推荐了一种ASP.Net方法,我们将其用于所有ASP.Net应用程序并通过了笔测试.我认为它对于ASP.Net Core仍然有效:
The same page recommends an approach for ASP.Net, which we used for all of our ASP.Net applications and which passed pen testing. I think it is still valid for ASP.Net Core:
这个想法是,由于ASP禁止对ASPSESSIONIDxxxxx cookie的写访问,并且不允许我们以任何方式对其进行更改,因此我们必须使用我们可以控制的其他cookie来检测任何篡改.因此,我们将用户浏览器中的Cookie设置为随机值,并将会话变量设置为相同的值.如果会话变量和Cookie值不匹配,则说明我们存在潜在的固定攻击,应该使该会话无效,并强制用户再次登录.
The idea is that, since ASP prohibits write access to the ASPSESSIONIDxxxxx cookie, and will not allow us to change it in any way, we have to use an additional cookie that we do have control over to detect any tampering. So, we set a cookie in the user’s browser to a random value, and set a session variable to the same value. If the session variable and the cookie value ever don’t match, then we have a potential fixation attack, and should invalidate the session, and force the user to log on again.
这是我们如何在.Net Core Razor Pages中进行此处理的简化示例,应使您了解如何自己实现它:
This is a simplified example of how we approached this in .Net Core Razor Pages and should give you an idea of how to implement it yourself:
public IActionResult OnPost()
{
Login();
return Redirect("~/Login");
}
private void Login()
{
// Check the user's credentials and do all the other necessary stuff.
// ...
// Create the random value we will use to secure the session.
string authId = GenerateAuthId();
// Store the value in both our Session and a Cookie.
HttpContext.Session.SetString("AuthId", authId);
CookieOptions options = new CookieOptions()
{
Path = "/",
HttpOnly = true,
Secure = true,
SameSite = Strict
};
Response.Cookies.Append("AuthCookie", authId, options);
}
private string GenerateAuthId()
{
using(RandomNumberGenerator rng = new RNGCryptoServiceProvider())
{
byte[] tokenData = new byte[32];
rng.GetBytes(tokenData);
return Convert.ToBase64String(tokenData);
}
}
在需要的地方检查会话和Cookie的内容.如果它们不匹配,则应该Clear会话(我认为Session.Abandon在.Net Core中仍然不可用)并注销用户.
Check the content of the Session and Cookie wherever you need it. If they don't match, you should Clear the Session (I don't think Session.Abandon is still available in .Net Core) and log out the user.
public void OnGet()
{
string cookieValue = Request.Cookies["AuthCookie"];
string sessionValue = HttpContext.Session.GetString("AuthId");
if (cookieValue == null || sessionValue == null || cookieValue != sessionValue )
{
// Invalidate the session and log out the current user.
}
}
这篇关于会话固定-在asp.net core 2上更改sessionId的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
