防止一个以上的客户端重播/使用cookie [英] Preventing cookie replay / cookie use by more than one client

问题描述

在ASP.NET MVC中，一次阻止多个客户端同时使用有效cookie的最佳实践"是什么?

What is the "best practice" to prevent a valid cookie from being used by more than one client at a time in ASP.NET MVC?

在这种情况下，我们将使用所有OWASP技巧.

In this scenario, we are using all the OWASP tricks.

• 严格的HSTS:每页上使用HTTPS/SSL
• 将Cookie列为仅HTTPS
• 将饼干标记为安全
• cookie的有效期限短
• 还有一些代码可以防止跨站点请求伪造(XSRF)在页面之间更改值.

这非常好，可以防止用户更改值，但这并不能防止不良行为者盗窃整个cookie并在仍然有效的其他地方重用strong>("Cookie重播"或会话固定"，具体取决于您问的是谁).据我所知，没有标准的.NET配置或样板可以阻止这种情况.

That's all great and prevents users from changing values, but it doesn't prevent a bad actor from stealing the entire cookie and re-using it elsewhere while it is still valid ("cookie replay," or "session fixation," depending on who you ask). As far as I can tell, there is no standard .NET configuration or boilerplate to prevent this.

例如，用户A登录并且他们的身份验证cookie在 t 分钟内有效.该用户PC上的恶意软件会忽略cookie上的仅HTTP/安全设置，并能够检索实际存储的cookie，并将其发送给我们的恶意角色.然后，不良行为者可以使用Cookie编辑工具将其添加到他们的浏览器中，并以用户A的身份连接到该站点，直到Cookie过期或用户A退出(使会话无效)为止.

For example, User A logs in and their auth cookie is good for t minutes. Malware on that user's PC ignores the HTTP-only/secure setting on the cookie and is able to retrieve the actual stored cookie, sending it to our bad actor. The bad actor is then able use a cookie-editing tool to add it to their browser and connect to the site as User A, until the cookie expires or User A signs out (invalidating the session).

理想情况下，如果发现两个客户端同时使用了cookie，是否可以配置.NET以使会话无效?

Ideally, can .NET be configured so that a session is invalidated if the cookie is found to be in use from two clients at the same time?

相似的项目已审核:

哦，S.O.社区，我们知道您有多喜欢重复项".

Oh, S.O. community, we know how much you love "duplicates."

• Asp.net-使用SSL阻止Cookie重播攻击:SSL不会阻止cookie重播，而只能阻止传输中的篡改.
• 防止在ASP.NET中重复使用身份验证Cookie:特定于用户注销后使用cookie；在这里，坏角色可以访问该用户.
• 没有ASP.NET Cookie重播修复程序在服务器中存储身份验证令牌?:专门请求不在服务器上存储令牌，我不排除将其作为答案

• Asp.net - Using SSL to prevent cookie replay attack: SSL does not prevent cookie replay, only mid-transmission tampering.
• Prevent re-use of authentication cookie in ASP.NET: Specific to cookie use after user-logout; here, the user is still logged in while the bad actor has access.
• ASP.NET cookie replay fix without storing auth-token in server?: Specifically requests not storing tokens on the server, I won't rule that out as an answer

外部修复建议:

• 此页面建议在用户登录时在服务器端设置一个 bool 值.错误的-只会阻止不良行为者在目标用户注销后使用cookie.它并不能阻止不良演员与目标用户同时玩转.
• StackExchange上的此页面采用相同的方法，设置会话值.它也遇到同样的问题.
• 甚至特洛伊·亨特(Troy Hunt)经常引用的OWASP前10名常见的安全修补程序可帮助您保护Cookie，但没有演示防止同时使用有效Cookie的方法.

• This page suggests setting a bool value server-side when the user logs in. Wrong-- that would only prevent the bad actor from using the cookie after the intended user logs out. It does nothing to prevent the bad actor from poking around at the same time as the intended user.
• This page on StackExchange takes the same approach, setting a session value. It suffers the same problem.
• Even Troy Hunt's oft-cited OWASP top 10 common security fixes helps you secure cookies, but doesn't demonstrate a way to prevent simultaneous use of a valid cookie.

推荐答案

如果您的目标是

防止不良演员偷走整个Cookie并重新使用它仍然有效的其他地方

prevent a bad actor from stealing the entire cookie and re-using it elsewhere while it is still valid

那么答案是否定的.不可能.

then the answer is no. there is no way.

您从http请求中获得的信息量大致如下:

The amount of information you get from a http request are pretty much the following:

1. 用户的IP
2. 标题(cookie，用户代理等)
3. 请求正文
4. 目标IP(服务器的IP)
5. URL

由于手头上的信息量有限，实际上您无法区分使用相同Cookie +浏览器+ IP的两个用户.

With the limited amount of information on hand, there is really no way you can distinguish between two users using the same cookie + browser + IP.

这就像两个ppl使用同一台打印机打印相同的消息一样，您需要确定哪个消息是由谁打印的.

Its just as if two ppl printed the same message using the same printer and you are tasked to figure out which message was printed by whom.

您能做的最好的事情是，每当用户想要执行任何敏感操作时都要求输入密码，并为其分配一个一次性令牌.(不友好)

The best you could do is to ask for password every time the user wants to perform any sensitive action and assign a one time token for it. (not user friendly)

或者您可以通过仅在新IP与登录IP不匹配时才要求它来使其更加友好.(由于移动用户的IP一直在变化，因此对移动用户不友好)

Or you can make it a bit more friendly by making it required only if new IP does not match login IP. (not friendly to mobile user since their IP changes pretty much all the time)

这篇关于防止一个以上的客户端重播/使用cookie的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！