Form Authentication - Cookie replay attack - protection


Problem description

I am being asked about cookie replay attacks with my ASP.NET website's forms authentication.

I have followed the advice below to protect against any attack, but think that the site is still vulnerable if somebody manages to get at the cookie (albeit only for a short time). Is there a way to completely destroy the forms authentication session on logout, so that even if someone had stolen the cookie there would be no chance of using it maliciously?

The advice followed was:

We believe we have taken all responsible steps we can to protect against this within the confines of ASP.NET. Please see the detailed response below.

However, we have implemented the recommended steps from Microsoft to defend against this (see http://support.microsoft.com/default.aspx?scid=kb;en-us;900111):

· The authentication cookie is never written to a client machine, making it hard to steal.

· The application is runnable via SSL, so a cookie is never issued over a non-secure connection.

· We enforce absolute expiration with a 15-minute timeout, meaning that any issued cookie is useless after that time limit.

· We use httpOnly cookies so that no one can programmatically intercept or alter this cookie.

So even if the above precautions were broken, which we think highly unlikely, a malicious user would only have a 15-minute window to break the precautions and successfully log in.

Recommended answer

A simple idea is to generate a random GUID and store it in the user data section of the cookie. Then, when a user logs out, you retrieve the GUID from the user data and write it to a server-side repository with an annotation that this "session" has ended.

Then, have an HTTP module that checks upon every request whether or not the GUID from the user data section of your cookie points to an ended session. If it does, terminate the request with a warning that an expired cookie is being reused.

This comes with the cost of an additional lookup per request.
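A minimal ASP.NET (System.Web) implementation of the approach described in this answer, added here as an illustration and not part of the original answer. The class and method names (`EndedSessions`, `ReplayCheckModule`, `Issue`, `Revoke`) are chosen for this example, and the in-memory dictionary stands in for the server-side repository.

```csharp
using System;
using System.Collections.Concurrent;
using System.Web;
using System.Web.Security;
// Ended-session list keyed by ticket GUID (in-memory placeholder; a web farm needs a shared store).
public static class EndedSessions
{
    static readonly ConcurrentDictionary<string, DateTime> Ended = new ConcurrentDictionary<string, DateTime>();
    public static void Add(string id, DateTime expires) { Ended[id] = expires; }   // expires: purge hint
    public static bool Contains(string id) { return Ended.ContainsKey(id); }
}

// Registered in web.config; on every request, rejects a ticket whose GUID has been ended.
public class ReplayCheckModule : IHttpModule
{
    // Login: issue a 15-minute ticket whose UserData carries a fresh random GUID.
    public static void Issue(HttpResponse response, string userName)
    {
        var ticket = new FormsAuthenticationTicket(1, userName, DateTime.Now,
            DateTime.Now.AddMinutes(15), false, Guid.NewGuid().ToString("N"));
        response.Cookies.Add(new HttpCookie(FormsAuthentication.FormsCookieName,
            FormsAuthentication.Encrypt(ticket)) { HttpOnly = true, Secure = true });
    }
    // Logout: record the ticket's GUID as ended, then clear the cookie.
    public static void Revoke(HttpRequest request)
    {
        var ticket = Decrypt(request);
        if (ticket != null) EndedSessions.Add(ticket.UserData, ticket.Expiration);
        FormsAuthentication.SignOut();
    }
    static FormsAuthenticationTicket Decrypt(HttpRequest request)
    {
        var cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return null;
        try { return FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { return null; }   // tampered or unreadable ticket
    }
    public void Init(HttpApplication app) { app.PostAuthenticateRequest += OnCheck; }
    public void Dispose() { }
    static void OnCheck(object sender, EventArgs e)
    {
        var ctx = ((HttpApplication)sender).Context;
        var ticket = Decrypt(ctx.Request);
        if (ticket == null || !EndedSessions.Contains(ticket.UserData)) return;
        FormsAuthentication.SignOut();   // clear the replayed cookie, then refuse the request
        ctx.Response.StatusCode = 401;
        ctx.Response.Write("Expired authentication cookie reused.");
        ctx.ApplicationInstance.CompleteRequest();
    }
}
```

Entries in the ended-session store only need to live until the ticket's absolute expiration, after which the cookie is rejected by forms authentication itself.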
