使用会话状态不安全的方法来创建在asp.net中用户登录和角色 [英] Is using session state an unsafe way to create user logins and role in asp.net

问题描述

考虑这样的ID和密码的列表被存储在数据库服务器上的设置和当用户输入他的登录凭证则$ C $的c-后面进行验证对服务器和设置像会话[ID值]会话[登录]来确定用户是否有权访问某些网页。

Consider the setup where a list of ids and passwords are stored in a database on a server and when a user enters his login credentials then the code-behind verifies it against the server and sets values like Session["id"] Session["login"] to determine whether user has access to certain page.

当用户试图浏览到一个页面，该页面着眼于会话变量，然后重新定位如果需要的用户，并相应地调整其网页上的按钮。

When a user attempts to browse to a page, the page looks at session variables and then relocates the user if need be and adjusts the buttons on its page accordingly.

安全性如何这个设置。

的asp.net似乎过于死板，所以我试图寻求其他选项的登录名和角色的功能构建的。

The built in login and role functionality of asp.net seems too rigid so I was trying to explore other options.

推荐答案

在使用Session的主要缺陷是，它可以在你的网站上开辟一个的会话固定漏洞。当用户来到您的网站在建立会话，它可能会为被发现会话ID（通过的 MITM ）。

The major flaw in using Session is that it could open up your site to a Session Fixation vulnerability. As the session is established when the user arrives on your site, it may be possible for the session ID to be discovered (e.g. by a MITM).

例步骤是如下这个漏洞：

Example steps are as follows for this exploit:

1. 用户到达HTTP站点，ASP.NET给了他们一个会话，并发送会话cookie对用户。


2. 攻击者读取会话cookie的值。


3. 用户去登录表单（HTTPS），在你的标识登录和登录值存储在会话。


4. 攻击者设置自己的会话cookie是从第2步截获的价值。


5. 攻击者现在有一个有效的登录会话劫持，现在登录的用户。

1. User arrives on HTTP site, ASP.NET gives them a session and sends the session cookie to user.
2. Attacker reads the session cookie value.
3. User goes to login form (HTTPS), logs in and your id and login values are stored in the session.
4. The attacker sets their session cookie to be the intercepted value from step 2.
5. The attacker now has a valid, logged in session, hijacking the now logged in user.

仅仅出于这个原因，我建议使用内置的登录名和角色的功能在auth cookie不会设置，直到验证会话建立。如果你坚持会话的方法，我建议你打电话 Session.Abandon（）来授予用户在登录一个新的会话，让他们的会话是不一样的他们的previous，未经身份验证的会话。

For this reason alone, I would recommend using the built in login and role functionality as the auth cookie is not set until the authenticated session is established. If you insist on the session method, I would recommend you call Session.Abandon() to grant the user a new session upon login, so that their session is not the same as their previous, unauthenticated session.

请参见我的回答这个问题： http://stackoverflow.com/a/18077422/413180

Please also see my answer to this question: http://stackoverflow.com/a/18077422/413180

这篇关于使用会话状态不安全的方法来创建在asp.net中用户登录和角色的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！