MVC 4 Web Api Security


Problem description

I am very new in web api security. I have used the form authentication technique. When the user logs in, a token is created and stored as a cookie in the user's web browser. On each request the token is verified, and if the user is authenticated and authorized, the user is given access to the service.

But I think this approach does nothing for web api security. Cookies can easily be copied and pasted into another browser, and anyone can get the service.

I am thinking of using an app key and secret along with form authentication. I am not supposed to use a third-party service like OAuth for authentication. I am not sure about the implementation of app key and secret, how exactly it works.

Please provide a better way to secure my web api without using third-party services and to prevent cookie hijacking etc. What actions are performed to build a strongly secure web api?

Recommended answer

The forms authentication is good enough. You can also do the following:

  1. Use anti-forgery tokens. Check this: http://stackoverflow.com/questions/10851283/antiforgerytoken-deprecated-in-asp-net-mvc-4-rc

  2. Also, if the action is sensitive, check whether the call to the function was made from the same site or not. You can implement your own action filter for this, which is great. (Check that the referrer site is your site, or the expected site.)


Edited:

Thanks guys for your comments. I guess you are right. Well, authentication cookies in ASP are created as httpOnly cookies, which means even if the site had some XSS vulnerabilities it would still be safe and they can't be stolen. I would also suggest using https everywhere if the site is used for sensitive operations (like a bank) to make sure the cookies are perfectly safe.
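The two server-side checks the answer lists (an anti-forgery token, and a same-site Referer check in your own action filter) combined into one Web API filter. This is an added illustration, not code from the answer's author; it assumes System.Web/IIS hosting (so AntiForgery can reach HttpContext.Current) and a hypothetical X-RequestVerificationToken header that the page's own script fills with the form half of the token.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Web.Helpers;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

// Hypothetical filter (not from the original answer): apply as
// [ValidateSameSiteRequest] on a Web API controller or action.
public sealed class ValidateSameSiteRequestAttribute : ActionFilterAttribute
{
    // Assumed header name; client-side script copies the form token into it.
    private const string TokenHeader = "X-RequestVerificationToken";
    public override void OnActionExecuting(HttpActionContext actionContext)
    {
        HttpRequestMessage request = actionContext.Request;
        // Point 2 of the answer: Referer must point at this site; an absent header is rejected too.
        Uri referrer = request.Headers.Referrer;
        if (referrer == null || !IsSameOrigin(referrer, request.RequestUri))
        {
            actionContext.Response = request.CreateErrorResponse(
                HttpStatusCode.Forbidden, "Request did not originate from this site.");
            return;
        }
        // Point 1 of the answer: anti-forgery token, cookie half plus header half.
        var cookie = request.Headers.GetCookies(AntiForgeryConfig.CookieName).FirstOrDefault();
        string cookieToken = cookie == null ? null : cookie[AntiForgeryConfig.CookieName].Value;
        string headerToken = request.Headers.Contains(TokenHeader)
            ? request.Headers.GetValues(TokenHeader).FirstOrDefault() : null;
        try
        {
            // Needs HttpContext.Current, i.e. System.Web hosting (assumed here).
            AntiForgery.Validate(cookieToken, headerToken);
        }
        catch (HttpAntiForgeryException)
        {
            actionContext.Response = request.CreateErrorResponse(
                HttpStatusCode.Forbidden, "Anti-forgery token missing or invalid.");
        }
    }
    // Same scheme, host and port: the origin comparison browsers themselves use.
    internal static bool IsSameOrigin(Uri referrer, Uri requestUri)
    {
        return string.Equals(referrer.Scheme, requestUri.Scheme, StringComparison.OrdinalIgnoreCase)
            && string.Equals(referrer.Host, requestUri.Host, StringComparison.OrdinalIgnoreCase)
            && referrer.Port == requestUri.Port;
    }
}
```

The Referer check is defence in depth only, since browsers and proxies may strip the header; the anti-forgery token is the check that actually ties the request to the logged-in session's cookie.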
