FormsAuthentication:安全吗? [英] FormsAuthentication: Is it secure?

问题描述

使用 FormsAuthentication 内置到 asp.net 中，创建登录系统以为经过身份验证的用户创建cookie的登录系统非常简单快捷:

Using FormsAuthentication build into asp.net it's very quick and easy to create a login system that creates a cookie for authenticated users:

FormsAuthentication.SetAuthCookie(uniqueUsername, false);

在 Web.Config 文件中与一些代码配对:

Paired with some code in the Web.Config file:

<authentication mode="Forms">
  <forms loginUrl="Login.aspx" timeout="30" defaultUrl="Dashboard.aspx" protection="All" />
</authentication>
<authorization>
  <deny users="?" />
</authorization>

这会将所有请求反弹回 Login.aspx ，直到批准用户并使用SetAuthCookie()方法调用创建cookie.

This will bounce all requests back to Login.aspx until the user is approved and a cookie is created using the SetAuthCookie() method call.

这样安全吗?
我使用的经验法则是，我不会在他们没有发送给我的客户端上存储任何数据.因此，我过去所做的就是保留cookie中使用的用户名和密码，然后对每个请求重新进行身份验证.

Is this secure enough?
The rule of thumb I use is that I don't store any data on the client that they've not sent me. So what I've done in the past is hold the username and password used in a cookie, then re-authentic this with every request.

使用这种方法每次都要重新认证，这会产生额外的开销，但这也意味着我没有在客户端上存储任何服务器数据.

There's the extra overhead of re-authenticating everytime with this approach, but it also means I've not storing any server data on the client.

我的烦恼
我担心的是，通过使用SetAuthCookie()方法调用，用户名已存储在客户端计算机上.那么有人可以破坏使用的加密并将存储的用户名替换为另一个吗?

My worry
My concern is that by using the SetAuthCookie() method call, that the username is being stored on the client machine. Is it then possible for someone to break the encryption being used and substitute the username being stored for another?

我认为我过于偏执，所使用的加密类型和级别已经足够，但我想对此话题可以征询一些专家的意见.

I think I'm being overly paranoid and that the type and level of encryption being used is adequate, but thought I'd get some expert input on the topic.

推荐答案

因此，我过去所做的就是保留cookie中使用的用户名和密码，然后在每次请求时重新进行身份验证.

So what I've done in the past is hold the username and password used in a cookie, then re-authentic this with every request.

您应该不使用此方法.密码不应该存储在身份验证票证中.原因是如果身份验证票证遭到破坏，则攻击者将获得用户的密码.可以通过对身份验证票证cookie进行加密来减轻这种风险，但是我想您是将cookie以纯文本格式存储的.

You should not use this approach. The password should not be stored in an authentication ticket. The reason being is if the authentication ticket is compromised then the attacker has the user's password. This risk can be mitigated by encrypting the authentication ticket cookie, but I presume you were storing the cookie in plain-text.

我担心的是，通过使用SetAuthCookie()方法调用，用户名已存储在客户端计算机上.那么有人可以破坏使用的加密并将存储的用户名替换为另一个吗?

My concern is that by using the SetAuthCookie() method call, that the username is being stored on the client machine. Is it then possible for someone to break the encryption being used and substitute the username being stored for another?

正如Shiraz所指出的那样，仅当您创建持久性cookie时，该cookie才会持久保存在客户端计算机上. (SetAuthCookie的参数之一指示是否创建此类cookie.

As Shiraz noted, the cookie is only persisted on the client machine if you create a persistent cookie. (One of the parameters to SetAuthCookie indicates whether or not to create such a cookie.

即使有人破坏了加密方案来修改cookie以提供其他用户名，他们也会遇到问题，因为身份验证票还经过了数字签名，这意味着ASP.NET可以检测cookie的内容是否已被修改.要伪造数字签名，攻击者将需要知道服务器使用的盐，并且如果用户能够理解这意味着他可以访问您的Web服务器的文件系统，那么现在您遇到了更大的问题.

Even if someone broke the encryption scheme to modify the cookie to supply a different username they'd run into problems because the authentication ticket is also digitally signed, meaning ASP.NET can detect if the contents of the cookie have been modified. To forge a digital signature the attacker would need to know the salt used by the server, and if the user can figure that out it implies he has access to your web server's file system, so now you've got bigger problems.

要理解的另一件事是，身份验证票证已到期，这将使票证的有效期有限.因此，即使有人要窃取用户的cookie，攻击者将不得不使用为您的表单身份验证系统指定的timeout值(默认为30分钟)来限制使用被窃票的时间.

Another thing to understand is that the authentication ticket has an expiry, which puts a finite lifetime on the validity of the ticket. So even if someone were to steal a user's cookies, the time the attacker would have to use that stolen ticket would be limited based on the timeout value you specify for the forms authentication system (30 minutes by default).

总而言之，正式的ASP.NET表单身份验证系统将比单独的开发人员能够实现的安全得多.开发人员应努力使用表单身份验证系统，而不要出于多种原因(包括更好的安全性，不必重新发明轮子，采用标准做法)推出自己的解决方案，以便加入团队的其他开发人员没有那么多的知识弯曲以加快速度，等等.

In conclusion, the official ASP.NET forms authentication system is going to be much more secure than something a lone developer will be able to implement. Developers should strive to use the forms authentication system rather than roll their own solution for a myriad of reasons, including better security, not having to reinvent the wheel, adopting standard practices so other developers who join the team don't have as large a learning curve to get up to speed, and so on.

有关表单身份验证系统的更多细节，以及如何保护票证，各种<forms>配置设置如何工作，等等，请参见:

For more nitty gritty details on the forms authentication system and how the ticket is secured, how the various <forms> configuration settings work, and so on, see: Forms Authentication Configuration and Advanced Topics.

这篇关于FormsAuthentication:安全吗?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！