最佳实践来实现安全"记住" [英] Best Practice to Implement Secure "Remember Me"
问题描述
有时候,我遇到一定的Web开发框架不提供认证功能,如身份验证ASP.NET。
Sometimes, I come across certain web development frameworks which don't provide an authentication feature, such as in Authentication ASP.NET.
我想知道保安措施需要什么时候实施记住我登录的功能,用手工编码需要考虑?
I was wondering what security measures need to be considered when implementing "Remember Me" login features, by hand coding?
下面是事情我通常做:
-
在存储cookie中的用户名。用户名是不加密的。
Store the user name in cookie. The user name is not encrypted.
存储在cookie中的密钥。秘密密钥是使用根据用户名单向函数生成的。该服务器将验证对用户名的密钥,以确保该用户名没有被改变。
Store a secret key in a cookie. The secret key is generated using one way function based on user name. The server will verify secret key against user name, to ensure this user name is not being changed.
使用的HttpOnly在cookie中。 <一href=\"http://www.codinghorror.com/blog/2008/08/protecting-your-cookies-httponly.html\">http://www.codinghorror.com/blog/2008/08/protecting-your-cookies-httponly.html
Use HttpOnly in cookie. http://www.codinghorror.com/blog/2008/08/protecting-your-cookies-httponly.html
还有什么我已经错过了,这有可能导致一个安全漏洞?
Anything else I have missed, which could possibly lead a security holes?
推荐答案
该Cookie应该永远是过期的随机值。有些情况下,你可以存储状态cookie的值,它不是一个secuirty危害,如用户preferred语言,但这应避免尽可能。谈到HttpOnlyCookies上,是一个伟大的想法。
The cookie should always be a random value that expire. There are cases where you can store state as a cookie value and it not be a secuirty hazard, such as the users preferred language, but this should be avoided as much as possible. Turning HttpOnlyCookies on, is a great idea.
阅读A3:在 OWASP十大2010年破认证和会话管理。在本节的一个重要的一点是,HTTPS的必须用于的整个会话的。如果会话持续很长的时间,那么这是更重要的。
Read A3: "Broken Authentication and Session Management" in the OWASP top 10 for 2010. One important point in this section is that https must be used for the entire session. If the session is lasting for a very long time, then this is even more important.
另外请记住,记住我创建一个巨大的窗口,在其中的会话攻击者可以顺风车。这给攻击者一个很长的时间(月?)他可以提供一个CSRF攻击。即使你有CSRF保护,攻击者仍然可以骑与XSS和XmlHtt prequest一个会话(HttpOnlyCookies将prevent一个完整的劫持)。 记住我使得像XSS,跨站请求伪造其他威胁,嗅探更加严重。只要这些漏洞已经得到解决,那么你不应该有真实世界的黑客问题。
Also keep in mind that "Remember Me" creates a large window in which an attacker can "ride" on the session. This gives an attacker a very long time (Months?) in which he can deliver a CSRF attack. Even if you have CSRF protection an attacker can still ride on a session with XSS and XmlHttpRequest (HttpOnlyCookies will prevent a full hijack). "Remember Me" makes other threats like xss, csrf, sniffing more serious. As long as these vulnerabilities have been addressed, then you shouldn't have a problem with real world hackers.
最简单的(和安全)的方式来实现一个记住我功能将修改会话超时你的web.config文件:
The easiest (and secure) approach to implement a "remember me" feature would be to modify the session timeout your web.config file:
<configuration>
<system.web>
<sessionState timeout="60"/>
</sessionState>
</system.web>
</configuration>
硒超时的东西高,也许一个月左右。如果记住我复选框的勾选,那么存储一个比较正常的超时时间(如24小时)的会话变量。检查这个会话变量在每个请求的头文件。如果复选框被选中,然后正常的行为,让asp.net照顾它。
Se the timeout to something high, maybe a month or so. If the "Remember Me" checkbox is unchecked then store a session variable of a more normal timeout (like 24 hours). Check this session variable in a header file for each request. If the checkbox is checked, then act normally and let asp.net take care of it.
如果该会话不那么过期这将是蛮力容易得多。这些值都很大,但允许黑客花费数年试图猜测一个会话ID是一个漏洞。
If the session doesn't expire then it will be much easier to brute force. These values are large, but allowing a hacker to spend years trying to guess a session id is a vulnerability.
这篇关于最佳实践来实现安全&QUOT;记住&QUOT;的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
