Session in MVC.NET

Question

Hey!

I have a question about security issues with the session in the MVC framework.
I am developing a web app and I HAVE to track what users do in this app
(what data they submit), so I need to store this in the session.

Getting some objects from the session is not pretty, since you do something like this every time:

var some_object = (Session["some_key"] != null)
    ? (some_type)Session["some_key"]
    : default_value; // null, or a sentinel such as -1 when some_type is not nullable



In this case you have to remember the session key of the object and its type too.
Not nice, and bug-inviting. Also, you can get something from the session only in a controller... ouch.

So... I wrote an abstract class SessionAdapter

using System.Web;

public abstract class SessionAdapter
{
   // One process-wide reference, set from Global.asax (see below)
   public static HttpSessionState Session;

   // Keys kept in one place so callers never repeat the string literal
   private static class SessionKeys
   {
      public const string some_key = "some_key";
   }

   // Typed accessor: no cast and no key lookup at the call site
   public static some_type GetSomeObject()
   {
       return (Session[SessionKeys.some_key] != null)
           ? (some_type)Session[SessionKeys.some_key]
           : default_value; // null, or a sentinel such as -1 when some_type is not nullable
   }
}



Nice! But how do I get a session into that class?
I write its field from Global.asax when the app starts. That's obvious.
So:

public class MvcApplication : System.Web.HttpApplication
{
   public MvcApplication()
   {
      // Add event handler: fires for every request once session state has been loaded
      AcquireRequestState += new EventHandler(SetSession);
   }

   {...}

   void SetSession(object sender, EventArgs e)
   {
      try
      {
          SessionAdapter.Session = Session;
      }
      catch (HttpException error)
      {
          // do nothing:
          // if the session doesn't exist it must not be needed anyway
      }
   }
}



Ooh, beautiful!
Now I can get ANY session object ANYWHERE in my app with this global
abstract class! Yeah!

But... (Hmm, there are always buts...) Here goes my question:
What if, in theory, 2 (or even more) users were browsing the page? Since the static variable Session in the SessionAdapter class is global for all users, could it be overwritten when there are 2 or more requests at the SAME time? Their sessions could be merged into one big mess.
Is it a big security flaw?
A situation like that would be very unlikely, since 1 or 2 people will be using this app regularly, but if this solution is as good as it seems I'd prefer to reuse it in other apps.

So what can you tell me about this? Should I be worried? Use it?
Solve it another way?

Answers

When you add user data to the session, perhaps you could append some unique identifier (I don't mean a GUID) to the key name so that you can differentiate between different users' data. It's a hack, but in my mind, so is a global static session object.


From the perspective of time I can say that was a bad idea.
As I was afraid, sessions of different users were merged at some point, I don't know why (Murphy's law, I think).
So I made a wrapper for session access:

using System.Web;

// Extension methods must live in a static class. Both methods extend
// HttpSessionStateBase, which is what Controller.Session exposes in MVC.
public static class SessionExtensions
{
    public static CourierDaySession GetCourierDaySession(this HttpSessionStateBase session)
    {
        var return_value = session[__SessionKeys.COURIER_DAY_SESSION] as CourierDaySession;
        if (return_value == null)
        {
            // First access in this session: create and store the object
            return_value = new CourierDaySession();
            session.SetCourierDaySession(return_value);
        }
        return return_value;
    }

    public static void SetCourierDaySession(this HttpSessionStateBase session, CourierDaySession courier_day_session)
    {
        session[__SessionKeys.COURIER_DAY_SESSION] = courier_day_session;
    }
}

{...}

// Inside a controller, Session is already an HttpSessionStateBase:
Session.GetCourierDaySession()

// Outside a controller, wrap the classic HttpSessionState first:
new HttpSessionStateWrapper(HttpContext.Current.Session).GetCourierDaySession()



Everything is in one object stored in the session and the DB. No concurrency problem, and it's persistent since it is stored in the DB at some point.
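The failure mode the question asks about, and the reason the per-request extension methods in the answer above avoid it, shown as an added example that is not code from the original thread. It swaps in a FakeSession dictionary (an assumption, so it runs as a plain console program without System.Web), keeps the question's static-field adapter beside an extension-method accessor, and forces the interleaving of two overlapping requests with events so the overwrite happens every run rather than only under load:

```csharp
using System;
using System.Collections.Generic;
using System.Threading;
using System.Threading.Tasks;

// Stand-in for HttpSessionStateBase, so the example runs without System.Web
// (constructed for this example).
public class FakeSession
{
    private readonly Dictionary<string, object> _items = new Dictionary<string, object>();

    public object this[string key]
    {
        get { object v; return _items.TryGetValue(key, out v) ? v : null; }
        set { _items[key] = value; }
    }
}

// The question's pattern: one static field, overwritten by every request's
// AcquireRequestState handler and read by controller code some time later.
public static class StaticSessionAdapter
{
    public static FakeSession Session;

    public static string GetUserName() { return (string)Session["user_name"]; }
}

// The answer's pattern: an extension method on the request's own session,
// so there is no process-wide state for another request to clobber.
public static class SessionExtensions
{
    public static string GetUserName(this FakeSession session)
    {
        return (string)session["user_name"];
    }
}

public static class Demo
{
    // Two overlapping requests, interleaved deterministically:
    //   1. request A's AcquireRequestState stores A's session in the static field
    //   2. request B's AcquireRequestState overwrites it with B's session
    //   3. request A's controller action reads the static field
    // Returns the user name each request's controller code ended up seeing.
    public static string[] RunStaticAdapter(FakeSession a, FakeSession b)
    {
        var aStored = new ManualResetEventSlim(false);
        var bStored = new ManualResetEventSlim(false);
        var seen = new string[2];

        var requestA = Task.Run(() =>
        {
            StaticSessionAdapter.Session = a;              // step 1
            aStored.Set();
            bStored.Wait();                                // B's pipeline runs meanwhile
            seen[0] = StaticSessionAdapter.GetUserName();  // step 3: reads B's session
        });
        var requestB = Task.Run(() =>
        {
            aStored.Wait();
            StaticSessionAdapter.Session = b;              // step 2
            seen[1] = StaticSessionAdapter.GetUserName();
            bStored.Set();
        });
        Task.WaitAll(requestA, requestB);
        return seen;
    }

    // Same two requests, each reading through the session object it was handed.
    public static string[] RunPerRequest(FakeSession a, FakeSession b)
    {
        var seen = new string[2];
        var requestA = Task.Run(() => { seen[0] = a.GetUserName(); });
        var requestB = Task.Run(() => { seen[1] = b.GetUserName(); });
        Task.WaitAll(requestA, requestB);
        return seen;
    }

    public static void Main()
    {
        var alice = new FakeSession(); alice["user_name"] = "alice";
        var bob = new FakeSession();   bob["user_name"] = "bob";

        var leaked = RunStaticAdapter(alice, bob);
        Console.WriteLine("static adapter: request A saw '{0}', request B saw '{1}'", leaked[0], leaked[1]);

        var isolated = RunPerRequest(alice, bob);
        Console.WriteLine("per-request   : request A saw '{0}', request B saw '{1}'", isolated[0], isolated[1]);
    }
}
```

With the static adapter, request A reports "bob": A's controller code runs against B's session, which is exactly the cross-user merge the OP later observed, and it is an information-disclosure bug, not just a data-integrity one. ASP.NET serialises requests that share one session (the in-process session lock) but not requests from different sessions, so two users hitting the site at once is all it takes. Note also that prefixing keys with a per-user identifier, as the first answer suggests, does not help here: the static field holds a reference to the whole session object, and it is that reference that gets replaced, not an individual key.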

