手动检查用户是否更改了cookie值 [英] Checking if user has changed cookie value, manually

问题描述

我正忙于我的项目的登录系​​统。

I am busy with a login system for my project.

只是为了增加安全性。.如何检查/检测用户是否手动操作更改了cookie值？

Just for an extra step to the security.. How can I check/detect if a user has manually changed a cookie value?

是否有一些简单的方法？还是我必须设置一个额外的Session变量并将其与之匹配？话虽如此，浏览器是否可以跟踪正常的ASP.Net会话？

Is there some easy way of doing this? Or do I have to set an extra Session variable and match it up with that? With this being said, is a normal ASP.Net Session traceable by the browser? And viewable to the user?

谢谢。

推荐答案

将数字签名附加到cookie值，并在读回时检查签名。这样，如果cookie值被篡改，将非常明显。

You could append a digital signature to the cookie value and check the signature when you read it back. That way, if the cookie value is tampered with it will be very apparent.

private string sign(string hashStr, byte[] secret) 
{
    // Compute the signature hash
    HMACSHA1 mac = new HMACSHA1(secret);
    byte[] hashBytes = Encoding.UTF8.GetBytes(hashStr);
    mac.TransformFinalBlock(hashBytes, 0, hashBytes.Length);
    byte[] hashData = mac.Hash;

    // Encode the hash in Base64.
    string hashOut = Convert.ToBase64String(hashData);

    return hashOut;
}

编辑：修复了编码器，使其明确为UTF -8。

Fixed the encoder so it's explicitly UTF-8.

像往常一样，在调用此字符串之前，还应确保在字符串中添加一些盐，请参见：为PHP密码保护哈希和盐

As usual, you should also be sure to add some salt to your string before calling this, see: Secure hash and salt for PHP passwords

这篇关于手动检查用户是否更改了cookie值的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！