Implementing security with session variables, how it is insecure


Question


I am doing web based projects in dotnet. Currently I am implementing security using session variables. I keep current user id and user type in session and authenticate user from these session variables (say Session["UserId"],Session["UserName"] and Session["UserType"]).


Please help me understand how this could be insecure. I've heard that such security can be broken and applications can be hacked very easily, like it is possible to get session id and directly connect to that session id etc.

Please guide me on this.

Recommended answer


Underneath the hood, standard ASP.NET Forms Authentication basically works the same way you are describing. The insecurity comes mostly from the fact that you are essentially telling ASP.NET "hey, don't worry... I'll handle this." By taking over security concerns, you are deploying the rope by which you will hang yourself(*). Microsoft has invested years of manpower into the ASP.NET framework and it has a fairly robust built-in security system. You should use it.


Aristos is barking up the wrong tree... if someone can steal "one simple cookie" from your user/site then they can break ASP.NET's default security model also. While that's definitely a concern, it's not really the issue here.


*For example, let's say you create a "secure" Page object called MySecurePage which always checks that the user is logged in and validated before executing code. Well, along comes Developer Joe one day and forgets to use MySecurePage and uses Page instead. Oops, you've just eliminated all the security on this page. This is a simple example, but hopefully you get the idea of how many different ways there are to screw this up.
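The following C# for ASP.NET Web Forms is an added illustration, not code from the question or the answer. It places the hand-rolled MySecurePage base class the answer describes next to the framework's Forms Authentication. The first pattern protects only pages whose author remembered to inherit from MySecurePage; the second is enforced by the request pipeline before any page class is even instantiated, so forgetting a base class no longer removes the check. MySecurePage, ReportsPage, LoginPage, the TextBox controls, ValidateCredentials and the web.config fragment in the comments are all assumptions for illustration.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

// --- Pattern 1: the hand-rolled check from the answer (fragile) ---
// Every protected page must inherit from MySecurePage. A page that inherits from
// System.Web.UI.Page directly (Developer Joe's mistake) runs with no check at all.
public class MySecurePage : Page
{
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        if (Session["UserId"] == null)
        {
            Response.Redirect("~/Login.aspx", endResponse: true);
        }
    }
}

// A page that forgot the base class: it compiles, deploys and is wide open.
public class ReportsPage : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Reads Session["UserType"] for authorization, but nothing verified a login.
        string userType = Session["UserType"] as string;
        // ... renders data regardless of whether the user ever authenticated
    }
}

// --- Pattern 2: ASP.NET Forms Authentication enforced by the pipeline ---
// Assumed web.config for the application:
//   <system.web>
//     <authentication mode="Forms">
//       <forms loginUrl="~/Login.aspx" requireSSL="true" timeout="30" slidingExpiration="false" />
//     </authentication>
//     <authorization>
//       <deny users="?" />  <!-- anonymous ("?") users are denied on every page; no opt-in per page -->
//     </authorization>
//     <httpCookies httpOnlyCookies="true" requireSSL="true" />
//   </system.web>
// With <deny users="?"/> the UrlAuthorizationModule rejects unauthenticated requests
// before any Page object exists, so a page that forgets a base class stays protected.
public class LoginPage : Page
{
    protected TextBox UserNameTextBox;  // assumed controls from the .aspx markup
    protected TextBox PasswordTextBox;
    protected Label ErrorLabel;

    protected void LoginButton_Click(object sender, EventArgs e)
    {
        string userName = UserNameTextBox.Text;
        string password = PasswordTextBox.Text;

        // ValidateCredentials is an assumed user-store lookup (hashed-password comparison).
        if (!ValidateCredentials(userName, password))
        {
            ErrorLabel.Text = "Invalid user name or password.";
            return;
        }

        // Drop any session that existed before login so a session ID handed to the
        // browser before authentication is not carried into the authenticated state.
        Session.Abandon();
        Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", string.Empty));

        // The framework issues an encrypted, signed authentication ticket. On later
        // requests the identity is available as User.Identity.Name and the deny rule
        // above is applied by the pipeline, not by code the page author must remember.
        FormsAuthentication.RedirectFromLoginPage(userName, createPersistentCookie: false);
    }

    private bool ValidateCredentials(string userName, string password)
    {
        // Assumed: compare against a stored salted hash; never a plaintext equality check.
        throw new NotImplementedException("look up userName and verify the password hash");
    }
}

// A protected page under Pattern 2 needs no special base class; it can still consult
// the identity the framework established and, with a role provider configured, roles.
public class AdminPage : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Reached only if UrlAuthorizationModule let the request through.
        string currentUser = User.Identity.Name;
        if (!User.IsInRole("Admin"))   // assumes a RoleProvider is configured
        {
            Response.StatusCode = 403;
            Response.End();
        }
    }
}
```

The point of the comparison is where the check lives: in Pattern 1 it is a convention each developer must follow, in Pattern 2 it is configuration the server applies to every request. Stealing the authentication cookie remains a risk in both, which is why the assumed web.config marks cookies HttpOnly and requires SSL.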
