谷歌浏览器崩溃后恢复会话cookie，如何避免？ [英] Google Chrome restores session cookies after a crash, how to avoid?

问题描述

在谷歌浏览器（我看到这个版本35的Windows 8.1，到目前为止，我没有尝试其他版本）的时，浏览器崩溃（或者你干脆拔掉电源线......），你'会被要求为恢复previous会议当你再次打开它。良好的功能的，但它就会恢复会话Cookie太

On Google Chrome (I saw this with version 35 on Windows 8.1, so far I didn't try other versions) when browser crashes (or you simply unplug power cable...) you'll be asked to recover previous session when you'll open it again. Good feature but it will restore session cookies too.

我不想在这里讨论它是否是一个错误或不反正IMO这是一个中等安全漏洞，因为与该计算机的物理访问权限的用户可能会激怒崩溃来的偷未闭合的会议的所有的内容（你将不会被要求再次登录）。

I don't want to discuss here if it's a bug or not anyway IMO it's a moderate security bug because a user with physical access to that machine may "provoke" a crash to stole unclosed sessions with all their content (you won't be asked to login again).

最后，我的问题是：一个网站，如何避免这种情况？如果我使用的平原的使用会话cookie ASP.NET验证我不希望他们活到浏览器崩溃（即使重新启动计算机！）。

Finally my question is: how a web-site can avoid this? If I'm using plain ASP.NET authentication with session cookies I do not want they survive to a browser crash (even if computer is restarted!).

没有类似的进程ID中的某些用户代理字符串和JavaScript变量都恢复了（所以我不能存储随机种子，生成 - 例如 - 服务器端）。是否还有其他可行的？会话超时会处理这一点，但它通常是pretty的长，会有的不安全的窗口，我将消除。

There is not something similar to a process ID in the User Agent string and JavaScript variables are all restored (so I can't store a random seed, generated - for example - server side). Is there anything else viable? Session timeout will handle this but usually it's pretty long and there will be an unsafe window I would eliminate.

推荐答案

我没有发现任何东西，我可以为使用的进程id 的，以确保Chrome浏览器尚未重新启动，但有一个脏的变通办法：如果我设置一个计时器（假设有五秒钟的间隔），我可以检查多少时间，从最后一跳结束。如果经过时间太长，那么会话已经恢复和注销进行。大致是这样的（每一页）：

I didn't find anything I can use as process id to be sure Chrome has not been restarted but there is a dirty workaround: if I setup a timer (let's say with an interval of five seconds) I can check how much time elapsed from last tick. If elapsed time is too long then session has been recovered and logout performed. Roughly something like this (for each page):

var lastTickTime = new Date();

setInterval(function () {
    var currentTickTime = new Date();

    // Difference is arbitrary and shouldn't be too small, here I suppose
    // a 5 seconds timer with a maximum delay of 10 seconds.
    if ((currentTickTime - lastTickTime) / 1000 > 10) {
        // Perform logout
    }

    lastTickTime = currentTickTime;
}, 5000);

当然它不是一个完美的解决方案（因为恶意攻击者可能会对此进行处理并/或禁用JavaScript的），但到目前为止，它总比没有好。

Of course it's not a perfect solution (because a malicious attacker may handle this and/or disable JavaScript) but so far it's better than nothing.

新的答案有一个更好的解决方案非常欢迎。

New answers with a better solution are more than welcome.

这篇关于谷歌浏览器崩溃后恢复会话cookie，如何避免？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！