保护基于Cookie的身份验证 [英] Securing Cookie Based Authentication
问题描述
我目前正在重新考虑我的一个网络应用程序,我希望有一些建议,以提高我的安全。
I am currently re factoring one of my web applications and I was hoping for some advice on improving my security.
我会注意到,应用程序是在ASP .net和当前实现阻止我使用集成身份验证。这也不是一个需要高安全性的应用程序,我只是想覆盖我的基地。
I'll note that the application is in ASP.net and the current implementation prevents me from using integrated authentication. This is also in no way an application that requires high security, I just like having my bases covered.
在过去,我已经存储了id和令牌。
令牌是用户ID +用户的Salt(重用auth信息中的值)的哈希值
当用户访问站点时,将根据令牌检查ID,并相应地进行设置。
In the past I've stored the id and a token . The token is a hash of the user's ID + the user's Salt (reusing the value from the auth info) When a user visits the site the ID is checked against the token and authed accordingly.
我发现这里有一个大洞。
理论上,如果有人得到一个盐值,他们所需要做的就是猜测哈希算法,并迭代可能的ID,直到他们进来。我不期望这种情况发生,但它仍然似乎
It occurs to me that there is a big hole here. Theoretically if someone got their hands on a salt value all they'd need to do is guess the hash algorithm and iterate through the possible IDs until they got in. I don't expect this to happen, but it still seems like a mistake.
有关如何正确确认用户Cookie未被更改的任何建议?
Any advice on how to properly confirm that user cookies haven't been altered?
推荐答案
大多数网站的做法是验证使用,如果成功,他们向浏览器发送一个cookie以存储并在任何后续请求中发送。如果攻击者能够获得令牌(在它过期之前),他们将能够模拟用户。
The way most web sites do it is to authenticate the use and if successful they send the browser a cookie to store and send in any subsequent requests. If an attacker were able to get hold of the token (before it expired) they will be able to impersonate the user.
因此,Cookie和身份验证过程应始终通过https会话执行。攻击者必须获取cookie的唯一一种方式是在最终用户的计算机上拦截它,如果他们能够这样做,他们可以安装一个关键笔划记录器,并获取用户的密码。
Because of this the cookie and authentication process should always be carried out over a https session. The only realsitic way an attacker has to get hold of the cookie then is to intercept it on the end user's computer and if they are able to do that they can probably install a key stroke logger and get the user's password anyway.
至于使用什么样的令牌,只要它是伪随机的,使得攻击者猜测它的计算量很大就没有关系。我自己使用GUID。如果你需要Cookie中的额外信息,除了sessionid,你可以附加一个GUID到它,然后可能哈希或加密它只是一个腰带和大括号的方法。
As to what kind of token to use it doesn't matter so long as it's pseudo-random enough to make it computationally expensive for an attacker to guess. I myself use GUIDs. if you need extra information in the cookie apart from just a sessionid you could append a GUID to it and then probably hash or encrypt it just for a belt and braces approach.
这篇关于保护基于Cookie的身份验证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
