加密会话对象 [英] Encrypt a Session Object
问题描述
第一关:我工作的一个电子商务网站,将接受信用卡。为了从输入您的信息页面,得到了确认信息页面上,我需要的地方存储信用卡信息,可以在之前它最终被发送到支付网关进行检索。
我目前倾向于把它作为一个会话变量。话虽这么说,我的问题是:
- 是我在会话中存储此犯下一些知名安全失礼?
- 是一个会话对象全球性的?如果两个人在同一时间提交自己的信息,可能一个人的会议上得到返回的其他人的交易?
- 有没有在.NET中的常用方法加密/解密的会话对象提供额外的安全性?
从UI /工作流程的角度来看,实在是没有任何需要存储信用卡信息或确认。如果是错误的,它不会被批准。大多数电子商务网站申请信用卡号码的最后一步确认地址,电话等之后。
至于会话,会话是全局性的特定会话。它不被其他用户共享,并在一般情况下,不存在任何的方式来获得在其他会话中的数据。因此,没有必要,因为它是存储在服务器上对其加密。
如果您存储在ViewState中的敏感信息或传送过来的查询字符串,你肯定会需要进行加密。
First off: I'm working on an e-commerce site that will accept credit cards. In order to get from the "Enter your information" page to the "Confirm your information" page, I need to store the credit card information somewhere that it can be retrieved before it ultimately gets sent to the payment gateway.
I'm currently leaning towards storing it as a session variable. That being said, my question is:
- Am I committing some well-known security faux pas by storing this in the session?
- Is a session object global? If two people submit their information at the same time, could one person's session get returned for the other person's transaction?
- Is there a common way in .NET to encrypt/decrypt session objects for extra security?
From a ui/workflow standpoint, there really isn't any need to store the credit card information or confirm it. If it is wrong, it won't be approved. Most e-commerce sites request the credit card number as the last step after confirming address, phone etc.
As for session, session is global to the particular session. It is not shared by other users and in general, there isn't any way to get at the data in other sessions. As such, no need to encrypt it since it is stored on the server.
If you stored sensitive information in ViewState or passed it over the QueryString, you would definately need to encrypt it.
这篇关于加密会话对象的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
