使aspx身份验证cookie无效 [英] invalidate aspx authentication cookie

问题描述

我有一个asp.net网络表单.用户进行身份验证时，它将创建一个名为.aspxauth

I have an asp.net web form. when a user authenticate, it create a Secured cookie called .aspxauth

退出登录，我称之为这两种方法

uppon logout, I call these 2 methods

FormsAuthentication.SignOut(); 
Session.Abandon()

问题是我们进行了渗透测试，如果我窃取了cookie，注销并手动重新插入cookie，则会再次登录.因此.aspauth不会使服务器端无效.

Problem is that we had penetration test and if I steal the cookie, logout and manually reinsert the cookie, I become loggued in again. So the .aspauth isn't invalidated server side.

我已经对其进行了搜索，但找不到该安全漏洞的答案.

I've googled it and I can't find the answer to that security breach.

推荐答案

Microsoft在此处确认了此问题:

Microsoft has acknowledged this issue here: https://support.microsoft.com/en-us/kb/900111

他们提供了缓解此漏洞的几种方法:

They offer several ideas for mitigating this vulnerability:

1. 使用SSL保护应用程序
2. 强制执行TTL和绝对过期
3. 在ASP.NET 2.0中使用HttpOnly cookie和表单身份验证
4. 在ASP.NET 2.0中使用Membership类

关于最后一个，我将粘贴站点中的内容以方便/保存:

Regarding the last one, I'll paste the contents from the site for convenience/preservation:

在ASP.NET 2.0中实现表单身份验证时，可以选择将用户信息存储在成员资格提供程序中.此选项是ASP.NET 2.0中引入的新功能.MembershipUser对象包含特定用户.

When you implement forms authentication in ASP.NET 2.0, you have the option of storing user information in a Membership provider. This option is a new feature that is introduced in ASP.NET 2.0. The MembershipUser object contains specific users.

如果用户已登录，则可以将此信息存储在MembershipUser对象的Comment属性中.如果使用此属性，则可以开发一种机制来减少ASP.NET 2.0中的cookie重播问题.该机制将遵循以下步骤:

If the user is logged in, you can store this information in the Comment property of the MembershipUser object. If you use this property, you can develop a mechanism to reduce cookie replay issues in ASP.NET 2.0. This mechanism would follow these steps:

1. 您创建一个挂接PostAuthenticateRequest事件的HttpModule.
2. 如果FormsIdentity对象位于HttpContext.User属性中，则FormsAuthenticationModule类会将表单身份验证票证识别为有效.
3. 然后，自定义HttpModule类获得对与已认证用户关联的MembershipUser实例的引用.您检查Comment属性以确定用户当前是否登录.

重要:您必须将信息存储在Comment属性中，该信息指示用户明确退出的时间.另外，当客户最终再次登录时，必须清除Comment属性中的信息.

Important: You must store information in the Comment property that indicates when the user explicitly signed out. Also, you must clear the information that is in the Comment property when the customer eventually signs in again.

如果用户当前未按Comment属性指示登录，则必须执行以下操作:

If the user is not currently logged in as indicated by the Comment property, you must take the following actions:

1. 清除cookie.
2. 将Response.Status属性设置为401.
3. 调用Response.End方法，该方法会将请求隐式重定向到登录页面.

使用此方法，仅当用户尚未明确注销并且表单身份验证票证尚未过期时，才会接受表单身份验证cookie.

By using this method, the forms authentication cookie will only be accepted if the user has not been explicitly signed out and the forms authentication ticket has not yet expired.

这篇关于使aspx身份验证cookie无效的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！