prevent窗体身份验证cookie来翻过浏览器中使用 [英] Prevent forms authentication cookie to be used accross browsers
问题描述
我使用窗体身份验证在ASP.NET应用程序,我意识到,我可以复制身份验证cookie的内容后,我已经加了,在另一个浏览器的另一个实例手动创建的cookie,并在此之后,该应用程序自动记录从第二个浏览器。
I am using forms authentication in an ASP.NET application and I realised that I can copy the authentication cookie content after I've already logged in, manually create the cookie in another instance of another browser and, after that, the application logs in automatically from the second browser.
我想知道如果有一种方法prevent这(我不知道......像使身份验证票证莫名其妙喜欢的浏览器实例)的,因为它是现在,有人能窃取cookie并用它在不同的计算机,而不需要登录名或密码来访问同一个帐户。
I'd like to know if there's a way to prevent this (I don't know... something like making the authentication ticket somehow liked to the browser instance) as, as it is now, someone can steal the cookie and use it in a different computer to access the same account with no need of login or password.
推荐答案
有不是很大,你可以做。杰夫Prosise在这里有一个有趣的文章,他尝试创建一个HttpModule 。
There's not a great deal you can do. Jeff Prosise has an interesting article here where he tries creating an HttpModule.
不过,你可以看到这是不是有效的:
However you can see this isn't that effective:
...的User-Agent标头是最后一个
防线。和User-Agent
头很容易被人伪造
知道的User-Agent标头是
被用来验证会话ID。
...User-Agent headers are the last line of defense. And User-Agent headers are easily spoofed by someone aware that User-Agent headers are being used to validate session IDs.
我个人不会失去任何睡眠超过它。
Personally I wouldn't lose any sleep over it.
这篇关于prevent窗体身份验证cookie来翻过浏览器中使用的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
