Forms Authentication Cookie value vulnerability in asp.net

Views: 143

Question


In asp.net, I am able to login using forms authentication as usual, copy our auth cookie value, log out, add the cookie artificially to the client using the 'Edit This Cookie' addon for Chrome, refresh the (anonymous) landing page and hey presto, I'm logged in again. This seems to be a vulnerability - is there any way of fixing it using the standard forms auth, or will I have to do something like use a custom Authorize attribute which overrides the existing one in asp.net mvc?

Recommended answer


Cookies are always vulnerable and we can't do much about that. What we can do is prevent someone from stealing the cookies.


Regarding ASP.NET MVC, it does a good job of preventing cookie theft. Some of the main things it does by default as part of security are:

1. Encode the strings that are rendered to the view (if you are using Razor; don't know about others) to prevent XSS attacks.

2. Request validation (stop potentially dangerous data ever reaching the application).

3. Preventing GET access for JSON data.

4. Preventing CSRF using the Antiforgery helpers.


Regarding cookies, Microsoft provides the HttpOnly feature, and this helps to hide the cookies from JavaScript. The Forms authentication cookie that you are talking about is an HttpOnly cookie, which means someone can't steal it through JavaScript, and it's safer.
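The replay the question describes happens because a forms-authentication ticket is a self-contained signed value: `FormsAuthentication.SignOut()` only deletes the browser's copy, so a saved copy stays valid until the ticket expires. HttpOnly stops script from reading the cookie but does not help once someone already has the value. The answer-suggested custom Authorize attribute is one way to close this: record a per-user revocation time at logout and reject any ticket issued before it. The code below is an added example, not code from the original question or answer; the `TicketRevocation` in-memory store, the `RevocableAuthorizeAttribute` class and the `AccountController.LogOff` action are hypothetical names, and the `ConcurrentDictionary` stands in for whatever persistent per-user store a real application would use.

```csharp
// Added example (not from the original Q&A): reject forms-auth tickets issued
// before the user's most recent sign-out, so a copied cookie stops working at logout.
using System;
using System.Collections.Concurrent;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

public static class TicketRevocation
{
    // Hypothetical in-memory store: username -> UTC time of the last sign-out
    // (or password change). Lost on app restart and not shared across a web farm;
    // a real deployment would persist this per user in a database or cache.
    private static readonly ConcurrentDictionary<string, DateTime> RevokedBefore =
        new ConcurrentDictionary<string, DateTime>(StringComparer.OrdinalIgnoreCase);

    // Call this at logout: every ticket issued up to now becomes invalid for this user.
    public static void RevokeAllTickets(string userName)
    {
        RevokedBefore[userName] = DateTime.UtcNow;
    }

    // A ticket is usable only if it has not expired and was issued after the
    // user's latest revocation point (a fresh login after logout passes).
    public static bool IsTicketValid(FormsAuthenticationTicket ticket)
    {
        if (ticket == null || ticket.Expired) return false;

        DateTime revokedBefore;
        if (RevokedBefore.TryGetValue(ticket.Name, out revokedBefore))
            return ticket.IssueDate.ToUniversalTime() > revokedBefore;

        return true; // no revocation recorded for this user
    }
}

// Drop-in replacement for [Authorize] that adds the revocation check.
public class RevocableAuthorizeAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Keep the standard checks (authenticated, Roles/Users filters).
        if (!base.AuthorizeCore(httpContext)) return false;

        HttpCookie cookie = httpContext.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null) return false;

        FormsAuthenticationTicket ticket;
        try
        {
            // Decrypt also verifies the ticket's MAC; tampered values throw.
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (Exception)
        {
            return false;
        }

        return TicketRevocation.IsTicketValid(ticket);
    }
}

public class AccountController : Controller
{
    // Record the revocation point first, then clear the browser's cookie as usual.
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult LogOff()
    {
        TicketRevocation.RevokeAllTickets(User.Identity.Name);
        FormsAuthentication.SignOut();
        return RedirectToAction("Index", "Home");
    }
}
```

Use `[RevocableAuthorize]` in place of `[Authorize]` on protected controllers and actions. The anonymous landing page in the question is not covered by an attribute, so to stop it from showing a replayed user as logged in, run the same `IsTicketValid` check in `Application_PostAuthenticateRequest` in Global.asax and clear `HttpContext.Current.User` when it fails. Independently of this, setting `requireSSL="true"` on the `<forms>` element in web.config keeps the cookie off plain HTTP, which narrows how the value could be captured in the first place.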

