ASP.NET MVC 4和会话安全漏洞 [英] ASP.NET MVC 4 and session security leak

问题描述

而不是使用ASP.NET MVC用户的系统，我只是使用会话，如下面的：

当他登录（用户名+密码），我从数据库中读取相应的用户，并设置：

 会话[用户ID] = fetchedUser.UserId;
 

然后，我总是检查，如果他登录：

 如果（会话[用户ID] = NULL＆放大器;！＆安培; ...）
 

问题是，如果有人复制ASP.NET_SessionId从价值登录的用户（如：用户去浴室和同事谁是下一个sitten他检查他饼干铬检查的） ，那么他就可以在他的计算机上创建一个cookie，并作为该用户。

我的问题是：

1. 如果会话ID保存在cookie中为什么会比cookie更安全？


2. 我可以让这个更安全（和继续使用的会话）？


3. 如何在内部做ASP.NET用户authetication系统呢？

解决方案

不使用会话作为身份验证机制，一个主要的原因是，它可以使你的应用程序容易受到的会话固定。例如，一个问题可能是，如果用户使用HTTP协议来到您的网站并接收存储在 ASP.NET_SessionId 的Cookie的会话ID。用户可以以后登录，即使您的登录页面可能在HTTPS固定会话令牌已根据HTTP，这意味着它已经被使用明文传输产生的。

要回答你的另一点：

  

为什么会比cookie更安全，如果会话ID保存在一个
  饼干吗？

存储在会话中的数据存储服务器侧，所以它是比较困难的，攻击者对与此数据篡改。所有的Cookie的商店是这种数据，而非数据本身的令牌。话虽如此，它仍然是更安全的使用 FormsAuthenticationProvider 因为一旦登录完成，而不是避免会话固定的原因会话开始如上这将创建一个新的身份验证令牌

  

我可以让这个更安全（和继续使用的会话）？如何
  内部ASP.NET用户authetication系统呢？

在提供内置已经符合目标，所以这将是可取的使用，而不是忽悠另一种机制，以满足您的要求。它也易于扩展，因此您可以定制，以您的需求。 ASP.NET用户身份验证创建cookie中的加密票证并将其存储而不是存储在服务器端变量的引用：的 http://support.microsoft.com/kb/910443

我也想提请你注意signout机制以及如何保护它。特别

  

调用SignOut方法只移除窗体身份验证cookie。 Web服务器没有存储有效，过期身份验证票证供以后比较。这使你的网站容易，如果恶意用户获得一个有效的窗体身份验证cookie重放攻击。

在这里详细信息：的http://msdn.microsoft.com/en-us/library/system.web.security.formsauthentication.signout.aspx

此外，您可能要设置的安全标志在<一个href=\"http://stackoverflow.com/questions/1442863/how-can-i-set-the-secure-flag-on-an-asp-net-session-cookie\">ASP AUTH的cookie 以prevent它被泄露通过HTTP一个MITM攻击。

Instead of using ASP.NET MVC User's system, I'm simply using session, as the following:

When he logs in (username + password), I fetch the corresponding user from the Database and set:

Session["UserId"] = fetchedUser.UserId;

Then, I'm always checking if he is logged in:

if (Session["UserId"] != null && ...)

The problem is that if someone copies the value of ASP.NET_SessionId from a logged in user (eg: user goes to bathroom and coworker who is sitten next to him checks his cookies with chrome inspector), then he will be able to create a cookie in his computer and act as that user.

My questions are:

1. Why are sessions safer than cookies if the session id is saved in a cookie?
2. Can I make this safer (and continue using session)?
3. How does internally ASP.NET User authetication system do it?

解决方案

A primary reason for not using Session as an authentication mechanism is that it could render your application vulnerable to Session Fixation. For example, a problem could be if a user arrived on your site using the HTTP protocol and receives a session ID that is stored in the ASP.NET_SessionId cookie. The user may later log in, and even though your login pages might be secured under HTTPS the session token has already been generated under HTTP which means it has already been transported using cleartext.

To answer your other points:

Why are sessions safer than cookies if the session id is saved in a cookie?

The data stored in session is stored server side, so it is more difficult for an attacker to tamper with this data. All the cookie stores is a token for this data, rather than the data itself. Having said that, it is still safer to use the FormsAuthenticationProvider as this creates a new authentication token once login is complete rather than on session start for the reasons of avoiding session fixation as above.

Can I make this safer (and continue using session)? How does internally ASP.NET User authetication system do it?

The built in provider is already fit for purpose, so it would be desirable to use that rather than fudge another mechanism to meet your requirements. It is also easily extensible so you can customise it to your needs. The ASP.NET User Authentication creates an encrypted ticket and stores it in the cookie rather than storing a reference to a server side variable: http://support.microsoft.com/kb/910443

I would also draw your attention to the signout mechanism and how to secure it. Particularly

Calling the SignOut method only removes the forms authentication cookie. The Web server does not store valid and expired authentication tickets for later comparison. This makes your site vulnerable to a replay attack if a malicious user obtains a valid forms authentication cookie.

Details here: http://msdn.microsoft.com/en-us/library/system.web.security.formsauthentication.signout.aspx

In addition you may want to set the "secure" flag on your ASP auth cookie to prevent it being leaked over HTTP by a MITM attacker.

这篇关于ASP.NET MVC 4和会话安全漏洞的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！