ASP.NET 中的会话固定 [英] Session Fixation in ASP.NET

问题描述

我想知道如何防止 ASP.NET 中的会话固定攻击(请参阅 http://en.wikipedia.org/wiki/Session_fixation)

I'm wondering how to prevent Session fixation attacks in ASP.NET (see http://en.wikipedia.org/wiki/Session_fixation)

我的方法通常是在有人登录时生成并发出新的会话 ID.但是这种级别的控制在 ASP.NET 领域中可行吗?

My approach would to this would normally be to generate and issue a new session id whenever someone logs in. But is this level of control possible in ASP.NET land?

推荐答案

一直在对此进行更多的挖掘.在任何 Web 应用程序中防止会话固定攻击的最佳方法是在用户登录时发出新的会话标识符.

Have been doing more digging on this. The best way to prevent session fixation attacks in any web application is to issue a new session identifier when a user logs in.

在 ASP.NET 中，Session.Abandon() 不足以完成此任务.Microsoft 在 http://support.microsoft.com/kb/899918 中声明:"何时您放弃会话，会话 ID cookie 不会从用户的浏览器中删除.因此，一旦会话被放弃，对同一应用程序的任何新请求都将使用相同的会话 ID，但会有一个新的会话状态实例.""

In ASP.NET Session.Abandon() is not sufficient for this task. Microsoft state in http://support.microsoft.com/kb/899918 that: ""When you abandon a session, the session ID cookie is not removed from the browser of the user. Therefore, as soon as the session has been abandoned, any new requests to the same application will use the same session ID but will have a new session state instance.""

已在 https://connect.microsoft.com/feedback/viewfeedback.aspx?FeedbackID=143361&wa=wsignin1.0&siteid=210#details

有一种解决方法可确保在 http://support.microsoft 中详细生成新的会话 ID.com/kb/899918 这涉及调用 Session.Abandon 然后清除会话 ID cookie.

There is a workaround to ensure new session ids' are generated detailed at http://support.microsoft.com/kb/899918 this involves calling Session.Abandon and then clearing the session id cookie.

如果 ASP.NET 不依赖开发人员来做这件事会更好.

Would be better if ASP.NET didn't rely on developers to do this.

这篇关于ASP.NET 中的会话固定的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！