Is Forms Authentication as described in the Nancy docs susceptible to session hijacking?

Views: 139

Question

I read the documentation of Nancy Forms Authentication. As far as I can tell, the approach recommended there leads to lifelong session IDs:

"The identifier is the token that will be put in the authentication cookie which will be used to re-establish the identity of the user that is performing the request, so that you do not need to enter your credentials for each request."

As far as I understand, that "identifier" is what most people call a session ID.

"It is also important to know that the identifier should be treated as permanent for the user that it was generated for and will be reused across requests and application sessions."

Is this really the recommended approach? If I understand correctly, this means that session IDs never change and never expire. So the session ID is the equivalent of a password, which


  • is re-sent in the cookie with every request

  • is probably stored in plaintext in the database, if you follow the docs to the end

I know that I could implement this differently with Nancy, but my point is that such an approach should not be explained in the docs as reference.

So if an attacker ever succeeds in stealing that session ID, e.g. by an XSS attack, he gains lifelong access to the system.

Please correct me and show me the mistake in my thoughts!

Answer

The identifier you are referring to isn't a session id, it's an unpredictable user identifier, which is then mapped (if necessary) to the real user identifier in the back end. This is so if someone logs in as user X, and somehow manages to decrypt, re-encrypt and re-sign the cookie they can't just change the user ID to "admin" or something similar and gain admin access (which is how the ASP.Net Oracle attack worked). It's also HttpOnly, so not really capturable via XSS, although technically it could be captured using XST.

Creating and expiring a session (and deleting the auth cookie if necessary) is a different task altogether - how and when you determine if an auth cookie should be accepted, removed, or confirmed with an additional password request is application specific. This is a common pattern now where a site will consider you "logged in" eternally, until you do something "secure", in which case it will ask you to revalidate if you haven't done so recently.

Hope that makes sense.
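The two points the answer makes (the cookie carries an unpredictable identifier that is mapped to the real user record in the back end, and deciding when that cookie is accepted, revoked, or backed by a fresh password check is an application-level policy) together address the question's worry about a stolen "lifelong" identifier, because the mapping can be replaced at any time. The following is an added example, not code from the question, the answer, or the Nancy project. It assumes the Nancy 1.x Forms Authentication API (IUserMapper, FormsAuthentication.Enable, LoginAndRedirect, LogoutAndRedirect, RequiresAuthentication); the AppUser type, the in-memory UserStore, the PBKDF2 password check, the route names and the time limits are constructed for illustration.

```csharp
// Added example, not from the original post or the Nancy project.
// Assumes Nancy 1.x (Nancy.Authentication.Forms, Nancy.Security).
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.Security.Cryptography;
using Nancy;
using Nancy.Authentication.Forms;
using Nancy.Bootstrapper;
using Nancy.Security;
using Nancy.TinyIoc;

// Constructed user record. Id is the real key; AuthIdentifier is the opaque value
// that goes into the auth cookie and can be replaced without touching Id.
public class AppUser : IUserIdentity
{
    public int Id { get; set; }
    public string UserName { get; set; }
    public IEnumerable<string> Claims { get; set; }
    public byte[] Salt { get; set; }
    public byte[] PasswordHash { get; set; }          // PBKDF2 output, never the password
    public Guid AuthIdentifier { get; set; }
    public DateTime LastPasswordCheckUtc { get; set; }
}

// In-memory stand-in for a database table (constructed for the example).
public static class UserStore
{
    public static readonly ConcurrentDictionary<Guid, AppUser> ByIdentifier =
        new ConcurrentDictionary<Guid, AppUser>();
    public static readonly ConcurrentDictionary<string, AppUser> ByName =
        new ConcurrentDictionary<string, AppUser>(StringComparer.OrdinalIgnoreCase);

    // Guid.NewGuid() is not documented as cryptographically random, so the identifier
    // is built from a CSPRNG: it has to be unguessable, not merely unique.
    public static Guid NewIdentifier()
    {
        var bytes = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        return new Guid(bytes);
    }

    // Replacing the identifier invalidates every cookie issued before this call.
    // This is how a "permanent" identifier is revoked after a suspected theft.
    public static void RotateIdentifier(AppUser user)
    {
        AppUser removed;
        ByIdentifier.TryRemove(user.AuthIdentifier, out removed);
        user.AuthIdentifier = NewIdentifier();
        ByIdentifier[user.AuthIdentifier] = user;
    }

    public static AppUser CreateUser(int id, string name, string password)
    {
        var user = new AppUser { Id = id, UserName = name, Claims = new[] { "user" }, Salt = new byte[16] };
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(user.Salt);
        using (var kdf = new Rfc2898DeriveBytes(password, user.Salt, 100000))
            user.PasswordHash = kdf.GetBytes(32);
        ByName[name] = user;
        RotateIdentifier(user);          // assigns the first identifier and registers it
        return user;
    }

    public static bool VerifyPassword(AppUser user, string password)
    {
        byte[] candidate;
        using (var kdf = new Rfc2898DeriveBytes(password, user.Salt, 100000))
            candidate = kdf.GetBytes(user.PasswordHash.Length);
        int diff = 0;                    // fixed-time comparison of the two digests
        for (int i = 0; i < candidate.Length; i++) diff |= candidate[i] ^ user.PasswordHash[i];
        return diff == 0;
    }
}

// Nancy calls this on every request that carries a validly signed auth cookie.
public class DatabaseUserMapper : IUserMapper
{
    public IUserIdentity GetUserFromIdentifier(Guid identifier, NancyContext context)
    {
        AppUser user;
        // An unknown (for instance rotated) identifier maps to null: the request stays anonymous.
        return UserStore.ByIdentifier.TryGetValue(identifier, out user) ? user : null;
    }
}

public class Bootstrapper : DefaultNancyBootstrapper
{
    protected override void RequestStartup(TinyIoCContainer container, IPipelines pipelines, NancyContext context)
    {
        base.RequestStartup(container, pipelines, context);
        FormsAuthentication.Enable(pipelines, new FormsAuthenticationConfiguration
        {
            RedirectUrl = "~/login",
            UserMapper = new DatabaseUserMapper()
        });
    }
}

public class AccountModule : NancyModule
{
    // "Secure" actions need a password check within this window even though the
    // cookie may stay valid for much longer (constructed value).
    private static readonly TimeSpan RecentAuthWindow = TimeSpan.FromMinutes(10);

    public AccountModule()
    {
        Post["/login"] = _ =>
        {
            AppUser user;
            if (!UserStore.ByName.TryGetValue((string)Request.Form.username, out user)
                || !UserStore.VerifyPassword(user, (string)Request.Form.password))
                return HttpStatusCode.Unauthorized;
            user.LastPasswordCheckUtc = DateTime.UtcNow;
            // Cookie lifetime (30 days here) is decided separately from the identifier's lifetime.
            return this.LoginAndRedirect(user.AuthIdentifier, DateTime.UtcNow.AddDays(30));
        };

        // Revoke every issued cookie for this user; demands a recent password check first.
        Post["/revoke-sessions"] = _ =>
        {
            this.RequiresAuthentication();
            var user = (AppUser)Context.CurrentUser;
            if (DateTime.UtcNow - user.LastPasswordCheckUtc > RecentAuthWindow)
                return Response.AsRedirect("~/reauth");   // hypothetical route that re-checks the password
            UserStore.RotateIdentifier(user);
            return this.LogoutAndRedirect("~/");
        };
    }
}
```

The identifier stored in the cookie is only a lookup key into a mapping the application owns, so "permanent" in the docs describes the default, not a constraint: rotating the mapping revokes every outstanding cookie without changing the user's real id, and the recent-password window is the "revalidate before doing something secure" pattern the answer describes. If the identifier is persisted, store it the way you would store any bearer token (hashed, or at least outside logs and backups that are less protected than the password column).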
