Secure Flag for ASPXAUTH Cookie
Problem description
We have an externally facing application which was penetration-tested by an external security company. The application has been developed on ASP.NET MVC4 and runs on IIS8/Windows 2012 Server.
One of the vulnerabilities reported was that ASPXAUTH is not secure. When I checked in the cookie inspector, there were some cookies with the Secure flag, but ASPXAUTH was not one of them.
I did a bit of research and set these flags below in the web.config:
<forms loginUrl="~/Account/Login" timeout="2880" requireSSL="true" name="AppName" />
and
<httpCookies httpOnlyCookies="true" requireSSL="true" />
Despite these settings, the authentication cookie is not marked as secure. I assumed that these flags should be enough to mark application cookies as secure, but there are a few other cookies which are also not marked as secure. I am not too concerned about them as they don't contain any sensitive information. But I would like to flag ASPXAUTH as secure.
My questions are:
- With these flags set in the web.config, is using ASPXAUTH without the Secure flag still a security issue?
- If so, could you tell me the correct way to mark it as secure?
Thanks.
Recommended answer
I found this piece of code which made my authentication cookie secure. I can't remember the source of this, but if you add it to your global.asax, it sorts the issue. I do not know why, but requireSSL=true in your tag was not enough to make it secure.
using System;
using System.Web;
using System.Web.Security;

protected void Application_EndRequest(Object sender, EventArgs e)
{
    string authCookie = FormsAuthentication.FormsCookieName;
    foreach (string sCookie in Request.Cookies)
    {
        if (!sCookie.Equals(authCookie)) continue;

        // Response.Cookies[name] creates an empty cookie on demand, which would
        // overwrite the client's auth cookie with an empty value, so only touch
        // the response cookie when this response is actually issuing it.
        if (Array.IndexOf(Response.Cookies.AllKeys, authCookie) < 0) continue;

        // Set the cookie to be secure. Browsers will send the cookie
        // only to pages requested with https
        var httpCookie = Response.Cookies[sCookie];
        if (httpCookie != null) httpCookie.Secure = true;
    }
}
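Whichever fix is applied, the remediation should be verified the way the pentester found the problem: on the raw Set-Cookie header of the response that issues the cookie (the login redirect), because the Secure and HttpOnly attributes are only visible there, never in the Cookie header the browser sends back. The following Python auditor is an added example, not code from the question or the answer above; it parses a captured HTTP response, reports every cookie lacking Secure, and additionally demands HttpOnly for the auth and session cookies. The sample response is constructed for the example, and the cookie names other than .ASPXAUTH and ASP.NET_SessionId are hypothetical.

```python
"""Audit Set-Cookie headers for missing Secure / HttpOnly flags.

Added example, not code from the original question or answer. The raw
response below is constructed to resemble what an ASP.NET app emits;
cookie names other than .ASPXAUTH and ASP.NET_SessionId are hypothetical.
"""

# Cookies that carry authentication or session state: must be Secure and HttpOnly.
SENSITIVE_COOKIES = {".ASPXAUTH", "ASP.NET_SessionId"}


def parse_set_cookie(header_value):
    """Parse one Set-Cookie header value into (name, value, attributes).

    Attribute names are lower-cased so 'Secure' and 'secure' compare equal;
    flag attributes without a value (Secure, HttpOnly) map to True.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_eq, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_eq else True
    return name.strip(), value, attrs


def set_cookie_headers(raw_response):
    """Return the value of every Set-Cookie header in a raw HTTP response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        key, _, val = line.partition(":")
        if key.strip().lower() == "set-cookie":
            values.append(val.strip())
    return values


def audit_cookies(raw_response, sensitive=SENSITIVE_COOKIES):
    """Return {cookie_name: [findings]} for cookies with missing flags.

    Every cookie is flagged when it lacks Secure (the site is HTTPS-only);
    HttpOnly is only required for the sensitive set, since some cookies are
    legitimately read by client-side script.
    """
    findings = {}
    for header_value in set_cookie_headers(raw_response):
        name, _, attrs = parse_set_cookie(header_value)
        problems = []
        if attrs.get("secure") is not True:
            problems.append("missing Secure")
        if name in sensitive and attrs.get("httponly") is not True:
            problems.append("missing HttpOnly")
        if problems:
            findings[name] = problems
    return findings


# Constructed sample: a login redirect as the pentester would have captured it
# before the fix. The session cookie is already correct; the auth cookie is not.
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: /\r\n"
    "Set-Cookie: .ASPXAUTH=0123ABCDEF; path=/; HttpOnly\r\n"
    "Set-Cookie: ASP.NET_SessionId=abc123; path=/; HttpOnly; secure\r\n"
    "Set-Cookie: __RequestVerificationToken=xyz; path=/; HttpOnly\r\n"
    "Set-Cookie: theme=dark; path=/\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for cookie, problems in audit_cookies(SAMPLE_RESPONSE).items():
        print("%s: %s" % (cookie, ", ".join(problems)))
```

Run it against the real login response (captured with a proxy, or `curl -i -k` against the HTTPS endpoint) rather than the constructed sample; a clean run after the fix should report nothing for .ASPXAUTH, and anything else it reports answers the question of whether the remaining cookies also need attention.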