Session Hijacking Protection in ASP.NET

Question

I'd like to find out what session ID hijacking protection is built into the current version of ASP.NET.

I recently saw this very informative article that explains how session security can be enhanced by implementing an additional layer that encodes the IP address and user agent header into the session id. These details are then verified on each subsequent request.

It seems that this article was written for ASP.NET 1.1 so I'd like to know if anything similar is now built into ASP.NET. Is it still of any benefit to implement such an additional layer?

Thanks.

Answer

Check out this snippet from the Session Overview documentation:

System.Web.SessionState.HttpSessionState.SessionID values are sent in clear text, whether as a cookie or as part of the URL. A malicious user could get access to the session of another user by obtaining the SessionID value and including it in requests to the server. If you are storing sensitive information in session state, it is recommended that you use SSL to encrypt any communication between the browser and server that includes the SessionID value.

http://msdn.microsoft.com/en-us/library/ms178581.aspx

It seems to me that this means that there is no security baked into Session, so you probably shouldn't use Session as a security measure. Instead, I would recommend relying on ASP.NET security (authentication, authorization).

Here is an article from the Patterns & Practices group on general security recommendations for ASP.NET.

http://msdn.microsoft.com/en-us/library/ff649100.aspx
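The question describes the extra layer from the older article (bind the session id to the client's IP address and User-Agent, then verify on every request) and the answer notes that the SessionID itself carries no such protection and should travel over SSL. As an added example that is not code from either post, from the referenced article, or from ASP.NET itself, the following Python shows that mechanism in a framework-neutral form: an HMAC over the session id plus a client fingerprint is appended to the id, checked in constant time on each request, and the cookie is emitted with the Secure and HttpOnly flags. `SERVER_KEY`, `client_fingerprint`, `issue_session_token`, `validate_session_token`, `set_cookie_header` and the sample request values are this example's own assumptions; only the cookie name `ASP.NET_SessionId` is the real ASP.NET default.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed for this example: a per-deployment secret. A real site would
# keep it in configuration so every server in the farm shares it and issued
# tokens survive process restarts (a fresh random key invalidates all sessions).
SERVER_KEY = secrets.token_bytes(32)

COOKIE_NAME = "ASP.NET_SessionId"  # ASP.NET's default session cookie name


def client_fingerprint(client_ip: str, user_agent: str) -> bytes:
    """Hash the client attributes the token is bound to.

    Hashing gives a fixed-length value and keeps the raw User-Agent out of the
    MAC input; the newline separator prevents ambiguity between the two fields.
    """
    material = f"{client_ip}\n{user_agent}".encode("utf-8")
    return hashlib.sha256(material).digest()


def _mac(key: bytes, session_id: str, client_ip: str, user_agent: str) -> str:
    """HMAC-SHA256 over the session id and the client fingerprint."""
    message = session_id.encode("utf-8") + b"|" + client_fingerprint(client_ip, user_agent)
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def issue_session_token(session_id: str, client_ip: str, user_agent: str,
                        key: bytes = SERVER_KEY) -> str:
    """Return the session id with its binding MAC appended: '<id>.<hex mac>'."""
    return f"{session_id}.{_mac(key, session_id, client_ip, user_agent)}"


def validate_session_token(token: str, client_ip: str, user_agent: str,
                           key: bytes = SERVER_KEY) -> Optional[str]:
    """Return the bare session id if the token was issued to this client, else None.

    A token replayed from another IP or User-Agent, or with a tampered id or
    MAC, fails here; the request should then be treated as having no session.
    """
    session_id, sep, presented_mac = token.rpartition(".")
    if not sep or not session_id:
        return None
    expected_mac = _mac(key, session_id, client_ip, user_agent)
    # Constant-time comparison so the check does not leak the MAC byte by byte.
    if not hmac.compare_digest(presented_mac, expected_mac):
        return None
    return session_id


def set_cookie_header(token: str) -> str:
    """Build the Set-Cookie header for the bound token.

    Secure limits the cookie to HTTPS (the SSL advice quoted in the answer),
    HttpOnly keeps script from reading it, SameSite=Lax limits cross-site sends.
    """
    return f"Set-Cookie: {COOKIE_NAME}={token}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    # Constructed sample request data.
    sid = "z4gq2hmmzo0e0xgntrwxb3mz"
    ip = "203.0.113.10"
    ua = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/120.0"
    token = issue_session_token(sid, ip, ua)
    print(set_cookie_header(token))
    print("same client      :", validate_session_token(token, ip, ua))
    print("replayed elsewhere:", validate_session_token(token, "198.51.100.7", ua))
```

Two caveats a practitioner should weigh before adopting this. The User-Agent is attacker-supplied: whoever obtains the cookie (network sniffing, XSS) can usually copy the browser's User-Agent as well, so that half of the fingerprint only stops careless replay. IP binding is stronger but breaks legitimate sessions for mobile users and clients behind rotating NAT or proxies, and behind a reverse proxy the IP must be taken from a forwarding header that only the proxy can set. Treat the binding as defence in depth on top of TLS-only cookies, HttpOnly, and issuing a fresh session id at login, not as a substitute for them.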
