Avoid session hijacking for Web Applications


Question

I read some articles about session hijacking and would like some more information related to it. Currently my web application, which is developed in ASP.NET, is using Cookieless=true mode for sessionstate. We are using HTTPS, which is a secure connection that will reduce session hijacking. I know that when we use Cookieless, the session ID is embedded in the URL, which can be dangerous sometimes: if a user passes this URL to somebody, the other user will be able to log in if the session is still alive. So I just want to know whether HTTPS is more than enough or I should do something to secure my web app.

Answer

HTTPS protects only against grabbing and changing data between client and server (or server and client). It can't help you if the user shares the link with friends (or hackers :) ).

As an option you can save the client IP in session variables on session start and check on every request whether the current IP and the IP from the session are the same. This will provide a bit more security.
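The IP-binding check the answer describes, written out as an added example for a classic ASP.NET (System.Web) application; this is illustrative code, not code from the original answer. It assumes in-process session state and a `Global.asax.cs` in the application; the key name `__BoundClientIp` is a constructed name.

```csharp
// Global.asax.cs: bind each session to the client IP seen at session start and
// reject later requests for that session that arrive from a different IP.
using System;
using System.Web;

public class Global : HttpApplication
{
    // Constructed session key for the bound address.
    private const string BoundIpKey = "__BoundClientIp";

    // Session_Start runs once, when the session is first created.
    protected void Session_Start(object sender, EventArgs e)
    {
        Session[BoundIpKey] = Request.UserHostAddress;
    }

    // PostAcquireRequestState runs after the session module has loaded the
    // session for this request, so Session is populated here for every request.
    protected void Application_PostAcquireRequestState(object sender, EventArgs e)
    {
        var session = Context.Session;
        if (session == null)
        {
            return; // request without session state (static file, sessionless handler)
        }

        var boundIp = session[BoundIpKey] as string;
        if (boundIp == null)
        {
            return; // brand-new session: Session_Start has just recorded the IP
        }

        if (!string.Equals(boundIp, Request.UserHostAddress, StringComparison.Ordinal))
        {
            // The session ID (here carried in the URL because of cookieless mode)
            // is being presented from a different address than the one that
            // created it. Discard the session server-side and refuse the request,
            // so a shared or stolen URL cannot be reused from elsewhere.
            session.Abandon();
            Response.Clear();
            Response.StatusCode = 403;
            Response.End();
        }
    }
}
```

Request.UserHostAddress shows the proxy or load-balancer address when one sits in front of the server, and clients on mobile networks or behind shared NAT legitimately change or share IPs, so expect false rejections and the check missing two users behind the same NAT; it is a mitigation for the cookieless design, not a replacement for keeping the session ID out of the URL.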

