Can some hacker steal the cookie from a user and login with that name on a web site?

Views: 794

Question


Reading this question

different users get the same cookie value in aspxanonymous (http://stackoverflow.com/questions/2448720/different-users-get-the-same-cookie-value-in-aspxanonymous)

and searching for a solution, I started thinking whether it is possible for someone to really steal the cookie in some way, then place it in his browser and log in, let's say, as administrator.

Do you know how Forms Authentication can ensure that even if the cookie is stolen, the hacker cannot actually log in using it?

Or do you know of any other automatic defense mechanism?

Thank you in advance.

Solution

Is it possible to steal a cookie and authenticate as an administrator?

Yes, it is possible: if the Forms Auth cookie is not encrypted, someone could hack their cookie to give themselves elevated privileges, or, if SSL is not required, copy another person's cookie. However, there are steps you can take to mitigate these risks:

On the system.web/authentication/forms element:

  1. requireSSL=true. This requires that the cookie only be transmitted over SSL
  2. slidingExpiration=false. When true, an expired ticket can be reactivated.
  3. cookieless=false. Do not use cookieless sessions in an environment where you are trying to enforce security.
  4. enableCrossAppRedirects=false. When false, processing of cookies across apps is not allowed.
  5. protection=all. Encrypts and hashes the Forms Auth cookie using the machine key specified in the machine.config or web.config. This feature would stop someone from hacking their own cookie as this setting tells the system to generate a signature of the cookie and on each authentication request, compare the signature with the passed cookie.

If you so wanted, you could add a small bit of protection by putting some sort of authentication information in Session such as a hash of the user's username (Never the username in plain text nor their password). This would require the attacker to steal both the Session cookie and the Forms Auth cookie.
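As an added illustration (not part of the original answer), here is a web.config fragment that applies the five settings listed above. In ASP.NET the cookieless attribute is an enumeration, so the answer's "cookieless=false" is expressed as cookieless="UseCookies". The forms name, loginUrl, timeout and the machineKey values are assumptions and placeholders, not values from the page.

```xml
<!-- Added example: hardened Forms Authentication settings for an ASP.NET application.
     The machineKey values are placeholders; generate real keys and keep them out of source control. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- requireSSL: the ticket cookie is marked Secure and only sent over HTTPS -->
      <!-- slidingExpiration=false: the ticket's lifetime is fixed when it is issued -->
      <!-- cookieless=UseCookies: the ticket never travels in the URL -->
      <!-- enableCrossAppRedirects=false: no ticket hand-off between applications -->
      <!-- protection=All: the ticket is encrypted and signed with the machineKey -->
      <forms name=".ASPXAUTH"
             loginUrl="~/Account/Login"
             timeout="20"
             requireSSL="true"
             slidingExpiration="false"
             cookieless="UseCookies"
             enableCrossAppRedirects="false"
             protection="All" />
    </authentication>

    <!-- Marks every cookie the application sets, including the session cookie the answer
         suggests pairing with the auth ticket, as HttpOnly and Secure -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />

    <!-- Explicit keys so every server behind a load balancer validates the same signatures.
         The bracketed values are placeholders, not real keys. -->
    <machineKey validationKey="[PLACEHOLDER-128-HEX-CHARS]"
                decryptionKey="[PLACEHOLDER-64-HEX-CHARS]"
                validation="HMACSHA256"
                decryption="AES" />
  </system.web>
</configuration>
```

With protection="All" a ticket whose signature does not verify against the machineKey is rejected, so editing the ticket to claim another user name fails; requireSSL and the HttpOnly flag address the copying case by keeping the cookie off plaintext connections and away from page scripts. Neither setting helps once an attacker holds a valid, unexpired ticket, which is why the answer also suggests a short fixed timeout and a second, independent check in Session.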
