登录asp.net后如何更改会话ID [英] how to change session id after login in asp.net
问题描述
我有一个使用表单身份验证和成员身份的网站.用户必须启用cookie才能使用该网站.我被要求更改代码,以便用户登录后立即更改会话ID.显然,这可以防止会话固定攻击(
I have a website that's using forms authentication and membership. A user must have cookies enabled to use the site. I've been asked to change the code so that the session id is changed as soon as a user logs in. Aparently this will protect against a Session Fixation attack (http://en.wikipedia.org/wiki/Session_fixation). Does anyone know how I can change the session id without losing the whole session ? PHP has a specific method for doing this but I can't find a .NET equivalent.
推荐答案
Here's a blog post that talks about this:
ASP.NET不直接支持重新生成会话的功能ID.请参阅有关的文档问题此处.没有不是这样快速而肮脏的方式将
ASPNET_SessionID
值设置为空字符串并因此重定向重新生成该值.
ASP.NET does not directly support functionality to regenerate a session ID. See the documentation regarding the issue here. There is a not-so quick and dirty way to do it by setting the
ASPNET_SessionID
value to the empty string and redirecting so that the value is regenerated.
这篇关于登录asp.net后如何更改会话ID的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!