Is the way I do it secure enough to avoid session hijacking?


Problem description


I am storing user login information (not the password) in the session. I also
use cookieless sessions. I realized that if someone copy-pastes the URL
after he/she has logged in to the system to another person, the other person's
browser opens as if the sender were logged in.

1) Person A logs in to the system. (Login information is stored in SQL
Session state.)

2) Person A copy-pastes the URL and sends it to person B (the format of the
URL is http://domain/(sessionid)/XYZ.aspx).

3) When person B opens the URL, their window opens as if person A were
logged in to the system.

This is a security threat. I have overcome this by doing the following.

When a user logs in to the system, a login ticket is generated and
stored in the session. This login ticket contains two things: one is the
client IP address, the other is the user-agent.

Then at each request, I validate whether the registered login ticket
information is the same.

If person A sends the URL to person B, then I assumed that person B's IP address
should be different from person A's.

I found an article on MSDN,
http://msdn.microsoft.com/msdnmag/is...08/WickedCode/ (Foiling Session
Hijacking Attempts). The way Jeff did it is similar to the way I
have done it. Is this reliable? The only thing I wonder about is whether the user's IP
address changes at each request!

Recommended answers

Hi Hope,

Your method looks pretty sound to me. The client's IP address cannot change
between requests. It is, after all, the "return address" for the client's
HTTP messages.

--
HTH,

Kevin Spencer
Microsoft MVP
.Net Developer
Sometimes you eat the elephant.
Sometimes the elephant eats you.

"Hope Paka" <ut*******@hotmail.com> wrote in message
news:es**************@TK2MSFTNGP09.phx.gbl...




Have you considered routers that do NAT? If I'm not mistaken, requests
from different computers here on our corporate network will appear to
come from the same IP, so if I email a link to a co-worker, they might
end up with my session.

Just a thought.

-Phil


You are exactly right, Philip.
Then the only remaining part is the validation of the user-agent. But
probably your co-worker has the same browser and machine configuration as
you. This is a real problem, but it can't be only my problem. How can this
stateless world be made more secure?
I thought only IP and user-agent are specific to clients; are there any
other, third parameters?

"Phillip Ian" <ph****@comcast.net> wrote in message
news:11********************@g44g2000cwa.googlegroups.com...
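The following Python model is an added example by the editor; it is not the original poster's ASP.NET code and not the code from the MSDN article. It puts the thread's three points side by side: the (ip, user-agent) login ticket described in the question, the NAT case Phil raises, and, as an added comparison, the same ticket check with the session id carried in a cookie instead of the URL. The class names, the Request shape, the cookie name, the addresses and the user-agent string are all constructed for the example, and `authenticated_user` is the editor's stand-in for the per-request check the poster describes. Two caveats a practitioner should keep in mind: identical ip and user-agent pairs are routine on a corporate network behind NAT, and client addresses do change between requests for users behind load-balanced proxy pools or on mobile networks, so binding a session to the IP produces spurious logouts as well as the false accepts shown below.

```python
"""Model of the login-ticket check discussed in this thread.

Added example, not the original poster's ASP.NET code: all names, addresses
and user-agent strings below are constructed for illustration.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    url: str            # cookieless session: the session id sits in the path
    client_ip: str      # the address the server sees, i.e. after any NAT
    user_agent: str
    cookies: dict = field(default_factory=dict)   # used by the cookie variant only


class CookielessSessions:
    """Session id in the URL, plus the (ip, user_agent) ticket from the question."""

    def __init__(self):
        self._sessions = {}   # session id -> {"user": ..., "ticket": (ip, ua)}

    def login(self, user, ip, user_agent):
        sid = secrets.token_urlsafe(16)
        self._sessions[sid] = {"user": user, "ticket": (ip, user_agent)}
        # The address bar now shows this URL, and it is what person A copy-pastes.
        return f"http://domain/({sid})/XYZ.aspx"

    @staticmethod
    def session_id_from_url(url):
        """Extract the id from the thread's URL format http://domain/(sessionid)/XYZ.aspx."""
        start, end = url.find("(") + 1, url.find(")")
        return url[start:end] if 0 < start < end else None

    def authenticated_user(self, req):
        """The per-request check: return the user, or None on a ticket mismatch."""
        sess = self._sessions.get(self.session_id_from_url(req.url))
        if sess is None or sess["ticket"] != (req.client_ip, req.user_agent):
            return None
        return sess["user"]


class CookieSessions(CookielessSessions):
    """Same ticket check, but the id travels in a cookie (name is an assumption),
    so a copy-pasted link carries no session at all."""

    COOKIE = "sid"

    def login(self, user, ip, user_agent):
        sid = secrets.token_urlsafe(16)
        self._sessions[sid] = {"user": user, "ticket": (ip, user_agent)}
        return "http://domain/XYZ.aspx", {self.COOKIE: sid}

    def authenticated_user(self, req):
        sess = self._sessions.get(req.cookies.get(self.COOKIE))
        if sess is None or sess["ticket"] != (req.client_ip, req.user_agent):
            return None
        return sess["user"]


UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"   # constructed value


def shared_url_from_another_network():
    """The case the question assumes: B's address differs, so B is rejected."""
    store = CookielessSessions()
    url = store.login("alice", "203.0.113.10", UA)
    a = Request(url, "203.0.113.10", UA)
    b = Request(url, "198.51.100.7", UA)
    return store.authenticated_user(a), store.authenticated_user(b)   # ('alice', None)


def shared_url_behind_same_nat():
    """Phil's case: A and B share a NAT address and the same browser build,
    so the ticket matches and B silently becomes alice."""
    store = CookielessSessions()
    url = store.login("alice", "203.0.113.10", UA)
    b = Request(url, "203.0.113.10", UA)
    return store.authenticated_user(b)   # 'alice'


def cookie_session_behind_same_nat():
    """Same NAT, same browser, but the id is in A's cookie jar, not in the link."""
    store = CookieSessions()
    url, jar = store.login("alice", "203.0.113.10", UA)
    a = Request(url, "203.0.113.10", UA, cookies=jar)
    b = Request(url, "203.0.113.10", UA)       # pasted URL, no cookie
    return store.authenticated_user(a), store.authenticated_user(b)   # ('alice', None)


if __name__ == "__main__":
    print(shared_url_from_another_network())
    print(shared_url_behind_same_nat())
    print(cookie_session_behind_same_nat())
```

The cookie variant keeps the poster's ticket check unchanged; what removes the copy-paste problem is only that the pasted link no longer contains the session id. The fingerprint then becomes a secondary signal rather than the thing the session's security rests on.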


