Hacking session variables in Asp.NET


Problem description


Is it possible to hack someone's session variables and create a new shadow user?

What are the common ways of avoiding such surprises?


SSL certificate installation or ....?

Recommended answer


Short answer... it depends.


Session in ASP.NET can be stored in a variety of ways (InProc / SQL Server / State Server) etc... another thing to note is how the client session is maintained (query string value, cookies etc...)


As the poster in this answer suggests

http://stackoverflow.com/questions/477649/can-we-hack-a-site-that-just-stores-the-username-as-a-session-variable/477660#477660


One thing you could do when you authenticate the user and store their name in Session, would be to also store some other information about them. e.g. Their UserAgentString, their IP Address and if a different IP or UserAgentString attempted to interact with the session, you could invalidate it.
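The binding the answer describes, written out as an added example (it is not code from the answer or from any project): a helper for classic ASP.NET (System.Web) that records the client's IP address and User-Agent when the user logs in and abandons the session if a later request presents different values. It assumes cookie-based session state with the default cookie name ASP.NET_SessionId, and that Validate is called from a point where Session is already available, such as Application_PostAcquireRequestState in Global.asax.

```csharp
using System;
using System.Web;
using System.Web.SessionState;

// Ties an authenticated session to the client characteristics seen at login
// and tears it down when a request arrives with different ones.
public static class SessionBinding
{
    private const string UserKey = "AuthUser";
    private const string IpKey = "BoundIp";
    private const string UaKey = "BoundUserAgent";

    // Call once, immediately after the user's credentials have been verified.
    public static void Bind(HttpSessionState session, HttpRequest request, string userName)
    {
        session[UserKey] = userName;
        session[IpKey] = request.UserHostAddress;
        session[UaKey] = request.UserAgent ?? string.Empty;
    }

    // Call on every request that relies on the session (assumed hook:
    // Application_PostAcquireRequestState). Returns false when the session was invalidated.
    public static bool Validate(HttpSessionState session, HttpRequest request)
    {
        if (session == null || session[UserKey] == null)
            return true; // anonymous session: nothing is bound yet

        bool sameIp = string.Equals((string)session[IpKey], request.UserHostAddress, StringComparison.Ordinal);
        bool sameUa = string.Equals((string)session[UaKey], request.UserAgent ?? string.Empty, StringComparison.Ordinal);
        if (sameIp && sameUa)
            return true;

        // Mismatch: discard the server-side state so this session id is no longer valid,
        // and expire the cookie so the browser starts a fresh session on its next request.
        session.Abandon();
        var expired = new HttpCookie("ASP.NET_SessionId", string.Empty)
        {
            Expires = DateTime.UtcNow.AddDays(-1),
            HttpOnly = true
        };
        HttpContext.Current.Response.Cookies.Add(expired);
        return false;
    }
}
```

Client IP addresses change legitimately behind NAT, proxies and mobile networks and the User-Agent is entirely client-supplied, so treat a mismatch as a trigger for re-authentication rather than as proof of a hijack, and combine it with a Secure, HttpOnly session cookie and a new session id issued at login.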
