asp.net窗体身份验证票篡改,但仍然有效 [英] asp.net forms authentication ticket tampered but still works
问题描述
我产生了一些用户数据,加密一个窗体身份验证票,全部采用标准的.NET API发送到我的客户。一切工作,除了一个小问题。如果我在身份验证票证与G和Z(大写)之间的字母代替0,它仍然有效 - 它解密很好,我得到了权威性票我所有的用户数据和一切。这是不应该发生的吗?即使在身份验证票的微小变化应使解密不行吧?任何其他的变化将确保票不能解密,并会抛出异常。
I generate a forms auth ticket with some user data, encrypt and send it to my client all using the standard .net Api. Everything works except for one small problem. If i replace the 0 in the auth ticket with an alphabet between G and Z (caps), it still works - it decrypts fine and i get all my userdata and everything from the auth ticket. This is not supposed to happen right? Even a small change in the auth ticket should make the decryption not work right? Any other change would ensure that the ticket doesn't decrypt and will throw exception.
推荐答案
我猜票序列化为十六进制字符,如果读取字符的重新presents有效的十六进制字符(0 - 9,A - F )它相应转换并把它添加到解密流时,如果发现任何其他将其转换为0
I guess the ticket is serialized as hex characters, if it reads a char that represents a valid hex char (0 - 9, A - F) it converts accordingly and add it to the decryption stream, if it finds anything else it converts to 0.
我并不是说现在这个它的实际工作...
I'm not claiming that this now it actually works...
这篇关于asp.net窗体身份验证票篡改,但仍然有效的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!