通过HTTPS在ASP.NET安全会话cookie [英] Secure session cookies in ASP.NET over HTTPS
问题描述
我阅读本/后有点好奇。文章超过劫持HTTPS饼干。我跟踪下来了一点,和一个很好的资源我偶然发现列出了一些方法,以确保饼干<一个href=\"http://casabasecurity.com/content/using-aspnet-session-handling-secure-sites-set-secure-flag\">here.我必须使用ADSUTIL,还是会除了所有其他设置在web.config中盖会话cookie的httpCookies部分requireSSL(的此处覆盖)?还有什么我应该考虑到进一步强化会议?
I got a little curious after reading this /. article over hijacking HTTPS cookies. I tracked it down a bit, and a good resource I stumbled across lists a few ways to secure cookies here. Must I use adsutil, or will setting requireSSL in the httpCookies section of web.config cover session cookies in addition to all others (covered here)? Is there anything else I should be considering to harden sessions further?
推荐答案
https://www.isecpartners.com/media/12009/web-session-management.pdf
一个19页的白皮书上的安全与饼干会话管理的Web应用程序
A 19 page white paper on "Secure Session Management with Cookies for Web Applications"
它们涵盖了很多,我还没有见过所有的在一个地方的安全问题。这是值得一读。
They cover lots of security issues that I haven't seen all in one spot before. It's worth a read.
这篇关于通过HTTPS在ASP.NET安全会话cookie的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
