Is Forms Authentication more secure than storing user identity in ASP.NET_session (session hijacking)


Question


From what I understand about the way session hijacking works I don't see any advantage that Forms Authentication has over storing user authentication info in the ASP.NET session. Both Forms Authentication and ASP.NET session use cookies that are both hashed to verify integrity but both can't protect against a hacker stealing the cookie and masquerading as the user. So is there any reason as far as security is concerned, for using Forms Authentication over storing authentication info in the ASP.NET session?

Answer

A couple of differences:


If you store authentication information in session state and the app pool recycles, all of your users are instantly logged out. In contrast, forms authentication holds the necessary information in encrypted format in the forms authentication cookie, and will survive app pool recycle.


Session IDs are a 120-bit random number. The only protection is the randomness. There is no tamperproofing and in fact a hacker could continuously poll your web site with random session IDs until he finds one that works. There is no intrusion detection mechanism for this sort of activity, because it is impossible to distinguish a tampered session ID from an expired one.


The forms authentication ticket (cookie) is completely different. It is composed of a long string of data that is then encrypted with your 128-bit machine key. If anyone tampers with it, it simply won't decrypt. The failure to decrypt is a trappable error and can be enlisted in intrusion detection mechanisms. The overall cardinality of the ticket is much higher and harder to brute force.


On all the sites I have worked with recently, we actually use BOTH the forms authentication mechanism and the ASP.NET_SessionId. We also have an internal session ID (an ESB session identifier) that we insert into the forms authentication ticket.
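As an added illustration (not code from the answer, and not ASP.NET's own FormsAuthentication), a simplified model of the two mechanisms the answer contrasts: a bare 120-bit session ID whose lookup cannot tell a guessed ID from an expired one, versus a keyed ticket (carrying the user, an ESB session id and an expiry) whose MAC failure is a trappable event a monitor can count. It uses HMAC-SHA256 for integrity only, whereas the real forms ticket is also encrypted under the machine key; the key and the sample user and ESB values are constructed.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed demo key; ASP.NET would derive it from the configured machineKey.
MACHINE_KEY = b"constructed-demo-key-do-not-reuse"

class TicketError(Exception):
    """Trappable validation failure; its message tells tamper from expiry."""

def issue_ticket(user, esb_session_id, now, ttl=1200):
    """Ticket = base64(payload).HMAC-SHA256(key, payload). Integrity only here;
    the real forms ticket is additionally encrypted."""
    payload = json.dumps({"u": user, "esb": esb_session_id, "exp": now + ttl}).encode()
    tag = hmac.new(MACHINE_KEY, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + tag

def validate_ticket(ticket, now):
    """Return the claims, or raise TicketError('tampered' | 'expired')."""
    try:
        body, tag = ticket.split(".", 1)
        payload = base64.urlsafe_b64decode(body)
    except ValueError as exc:  # covers binascii.Error and a missing separator
        raise TicketError("tampered") from exc
    expected = hmac.new(MACHINE_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise TicketError("tampered")  # MAC mismatch: worth alerting on
    claims = json.loads(payload)
    if claims["exp"] <= now:
        raise TicketError("expired")  # benign: ask the user to sign in again
    return claims

def classify(ticket, now):
    # Outcome string, the way an intrusion-detection hook would record it.
    try:
        validate_ticket(ticket, now)
        return "valid"
    except TicketError as err:
        return str(err)

# Session side: in-memory store like InProc state; emptied by an app-pool recycle.
SESSION_STORE = {}

def new_session(user):
    session_id = secrets.token_hex(15)  # 120 random bits and nothing else
    SESSION_STORE[session_id] = {"u": user}
    return session_id

def lookup_session(session_id):
    # Unknown id: guessed, expired or recycled away? The store cannot tell.
    return SESSION_STORE.get(session_id)
```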
