安全漏洞与周围的.NET FormsAuthentication和持久的cookie密码更改? [英] Security loophole around password changes with .NET FormsAuthentication and persistent cookies?
问题描述
OK,这里有一个场景:
OK, here's a scenario:
- Bob登录到mysite.com,它使用.NET窗体身份验证,和扁虱记住我。
- 夏娃偷Bob的笔记本电脑
- 鲍勃得到一个新的笔记本电脑,并更改他的密码。
现在在这一点上,夏娃有被盗的笔记本电脑,其中储存了一个永久的cookie,将登录她到mysite.com鲍勃 - 而且,据我所知,这将工作的即使Bob已经改变了他的密码的
Now at this point, Eve has a stolen laptop, which has a persistent cookie stored on it, that will log her in to mysite.com as Bob - and, as far as I can tell, this will work even after Bob has changed his password.
默认情况下,窗体身份验证cookie不包含Bob的密码(明文是否散列,或以其他方式加密) - 所以Bob的密码没有在cookie认证过程包括在所有,上周工作相同的用户名仍将今天的工作。
By default, the forms authentication cookie doesn't contain Bob's password (whether plaintext, hashed, or otherwise encrypted) - so Bob's password isn't involved in the cookie authentication process at all, and the same username that worked last week will still work today.
这是一个很容易的漏洞来解决 - 通过简单的设置FormsAuthentication.SetAuthCookie(用户名:passwordHash)或东西,然后解密和身份验证处理程序拆分饼干 - 但我不太相信这个问题存在'出来的盒子'...我失去的东西吗?
It's an easy enough loophole to work around - by simply setting FormsAuthentication.SetAuthCookie("username:passwordHash") or something and then decrypting and splitting the cookie in your authentication handler - but I have trouble believing this issue exists 'out of the box'... am I missing something?
修改:请注意,我这里假设为目的的记住我按钮是停止您不必输入密码每次你访问一个网站的时间。这适用于Facebook,微博,Gmail和几乎所有其他网站,我能想到的 - 我会非常惊讶,如果这不是在.NET中FormsAuthentication的永久性Cookie选项的目的
EDIT: Note that I'm assuming here that the purpose of a "remember me" button is to stop you having to enter your password every time you visit a website. This works on Facebook, Twitter, Gmail, and practically every other website I can think of - and I'd be very surprised if this isn't the purpose of the 'persistent cookie' option in .NET FormsAuthentication.
此外,是的,我承认,在执行双因素身份验证的每个的传入的请求会带来一定的开销,但实际它只是比基于从数据库检索用户稍微更昂贵的用户名,你很可能会做反正
Also, yes, I accept that performing two-factor authentication on every incoming request incurs a certain overhead, but in real terms it's only marginally more expensive than retrieving the user from the database based on their username, which you'd probably be doing anyway.
编辑2 :看来,至少有一个主要的.NET网站 - codePlex.com - 很容易受到这一点;看<一个href=\"http://$c$cplex.$c$cplex.com/discussions/350646\">http://$c$cplex.$c$cplex.com/discussions/350646
EDIT 2: It appears that at least one major .NET site - CodePlex.com - is vulnerable to this; see http://codeplex.codeplex.com/discussions/350646
推荐答案
也许这将是有意义的只接受你最后一次重设密码后发出FormsAuth门票。
Perhaps it would make sense to only accept FormsAuth tickets issued after your last password reset.
因此,在Global.asax中的AuthenticateRequest,提取加密票FormsAuthenticationTicket.IssueDate,它比较的用户最后一次重置密码(你需要这个存储在数据库中,当他们重置其密码)的日期。
So in Global.asax AuthenticateRequest, extract the FormsAuthenticationTicket.IssueDate from the encrypted ticket, and compare it to the date of that users last password reset (you would need to store this in your database when they reset their password).
如果该机票是该日期之前发出的,则拒绝票,不验证他们的身份,并要求他们再次中的登录
If the ticket was issued before that date, then reject the ticket, do not authenticate them and ask them to login in again.
我还没有这个实施自己,所以我可能会错过在理论上一个洞某处...
I haven't implemented this myself, so I could be missing a hole in the theory somewhere...
这篇关于安全漏洞与周围的.NET FormsAuthentication和持久的cookie密码更改?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
