某些黑客可以从用户那里窃取Web浏览器cookie并使用该名称登录网站吗? [英] Can some hacker steal a web browser cookie from a user and login with that name on a web site?
问题描述
阅读此问题, 不同的用户会获得相同的cookie-.ASPXANONYMOUS中的值
寻找一个解决方案,我开始思考,是否有人真的可以通过某种方式窃取cookie,然后将其放置在他的浏览器中并以管理员身份登录.
and search for a solution, I start thinking, if it is possible for some one to really steal the cookie with some way, and then place it on his browser and login lets say as administrator.
您知道表单身份验证如何确保即使cookie被盗,黑客也无法在实际登录时使用它?
Do you know how form authentication can ensure that even if the cookie is stolen, the hacker does not get to use it in an actual login?
还有其他自动防御机制吗?
Is there any other alternative automatic defense mechanism?
推荐答案
是否有可能窃取Cookie和 验证为管理员身份?
Is it possible to steal a cookie and authenticate as an administrator?
是的,如果未对Forms Auth cookie进行加密,则有人可能会入侵他们的cookie以赋予他们更高的特权,或者如果不需要SSL,则复制另一个人的cookie.但是,您可以采取一些措施来减轻这些风险:
Yes it is possible, if the Forms Auth cookie is not encrypted, someone could hack their cookie to give them elevated privileges or if SSL is not require, copy someone another person's cookie. However, there are steps you can take to mitigate these risks:
在system.web/authentication/forms元素上:
On the system.web/authentication/forms element:
- requireSSL = true.这要求cookie仅通过SSL传输
- slidingExpiration = false.设置为true时,可以重新激活过期的票证.
- cookieless = false.请勿在您要强制执行安全性的环境中使用无cookie会话.
- enableCrossAppRedirects = false.如果为假,则不允许跨应用程序处理Cookie.
- 保护=全部.使用在machine.config或web.config中指定的机器密钥对Forms Auth cookie进行加密和散列.此功能将阻止某人入侵自己的cookie,因为此设置告诉系统生成cookie的签名,并在每次身份验证请求时,将签名与传递的cookie进行比较.
如果您愿意,可以通过在Session中放置某种身份验证信息(例如,用户名的哈希值(永远不要使用纯文本的用户名或密码)来添加一点保护).这将要求攻击者窃取Session cookie和Forms Auth cookie.
If you so wanted, you could add a small bit of protection by putting some sort of authentication information in Session such as a hash of the user's username (Never the username in plain text nor their password). This would require the attacker to steal both the Session cookie and the Forms Auth cookie.
这篇关于某些黑客可以从用户那里窃取Web浏览器cookie并使用该名称登录网站吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
