为什么不重用" ASP.NET_SessionId"? [英] Why not to reuse "ASP.NET_SessionId"?
问题描述
我是新来asp.net,我不明白为什么不重用ASP.NET_SessionId?
I am new to asp.net and I don't understand why not to reuse the "ASP.NET_SessionId"?
从我的理解,每个用户从服务器请求一个页面时,IIS创建了他一个ASP.NET_SessionId,并把它在用户浏览器的cookie。
From my understanding, every time a user requests a page from the server, the IIS creates for him an "ASP.NET_SessionId" and puts it in a cookie in the user browser.
我读到这里:
https://support.microsoft.com/en-us/kb/899918
而无法弄清楚,为什么我应该删除这个cookie对用户注销他之后。
I read about it here: https://support.microsoft.com/en-us/kb/899918 And couldn't figure out why I should delete this cookie for a user after he logout.
它说:
有时候,你可能不希望重用会话ID。如果你这样做,如果
你明白不重用会话ID的后果,用
以下code例如以放弃会话并清除
会话ID cookie:
Sometimes, you may not want to reuse the session ID. If you do and if you understand the ramifications of not reusing the session ID, use the following code example to abandon a session and to clear the session ID cookie:
Session.Abandon();
Session.Abandon();
Response.Cookies.Add(新的HttpCookie(ASP.NET_SessionId,));
Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", ""));
你能解释我什么都删除这个cookie的优势和重用它的缺点是什么?
Could you explain me what are the advantages of deleting this cookie and the disadvantages of reusing it?
推荐答案
如果您不删除它,你使用HTTP那么它是一个安全隐患
If you don't delete it and you are using http then it's a security risk
例如
- 转至www.dodgyhacker.com,他们有它包含www.yoursite.com登录页面一种无形的iframe中。他们可以看到该cookie并将其发送到远程服务器
- 现在,导航到www.yoursite.com,该cookie不会改变,您登录
- 狡猾的黑客现在可以使用你的会话cookie并获得完全访问系统
在现实中有防止这种对他人的方式和我不是一个黑客所以这可能是稍有不妥,但这些都是必不可少的步骤。
In reality there are others ways of protecting against this and I'm not a hacker so this may be slightly wrong but those are the essential steps
这篇关于为什么不重用" ASP.NET_SessionId"?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
