asp.net 中 User.Identity 中的 Ticket.UserData 有多安全

发布于 2024-07-13 10:51:21 字数 630 浏览 6 评论 0原文

我的网站使用 ASP.NET 的表单身份验证，并且我将用户特定信息插入身份验证票证/cookie 的 UserData 部分。由于 UserData 位于身份验证票证内部，因此它是加密的。

authCookie.Value = FormsAuthentication.Encrypt(newTicket);

现在我不太担心数据在这一点上受到损害，因为它是加密的。但我注意到数据以未加密的形式提供，就像这样

FormsIdentity fid = User.Identity as FormsIdentity;
string plainTextUserData = fid.Ticket.UserData;

数据本身并不太重要。即使其他人能看到我也没关系。但我不能允许人们劫持这些信息并开始将其用作自己的信息。例如，我不希望一个用户假装是其他用户登录（基于 UserData 中包含的 userID

这是我必须担心的事情吗？

编辑 1：

我想这样做的原因是我可以停止使用会话，只使用 cookie 和 Ticket.UserData

编辑 2：

一旦用户登录，Ticket.UserData 中的数据就不会改变。

原文

My website uses ASP.NET's forms authentication and i am inserting user specific information into the UserData portion of the authentication ticket/cookie. Since the UserData is inside the authentication ticket it is encrypted like so

authCookie.Value = FormsAuthentication.Encrypt(newTicket);

Now I am not too worried about the data being compromised at this point since it's encrypted. but i noticed that the data is available in unencrypted form like this

FormsIdentity fid = User.Identity as FormsIdentity;
string plainTextUserData = fid.Ticket.UserData;

The data itself is not too important. i am still ok even if other people can see it. but i cannot allow people to hijack this information and start using it as their own. for example, i don't want one user to be logged in pretending to be a different user (based on the userID contained in UserData

Is this something I have to worry about?

Edit 1:

The reason i want to do this is so i can stop using sessions and just use cookies and Ticket.UserData

Edit 2:

The data in Ticket.UserData is not changing. it's constant once the user is logged in.

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

冷…雨湿花 2024-07-20 10:51:21

我需要某些页面上的更多数据
取决于用户的行为。正确的
现在我正在使用会话，但现在我想要
将所有内容移至 cookies 中。
这不是很多数据，所以我想我
可以将所有东西搭载到
授权票/cookie

@jorsh1 根据您对 @Portman 的推荐，Ticket.UserData 不是存储更改数据的地方。当从一个页面转到另一页面时，您不希望一直重新创建身份验证票证。

将会话数据与会话服务或Sql Server结合使用。如果您不希望会话中的数据，并且数据很小且不敏感，则可以使用 cookie。 (*)

MS 的 UserData 规范示例是存储诸如角色列表之类的内容，以便您可以说“我认为这个用户是管理员吗”之类的内容，但如果它是类似管理员角色的内容，您可能会点击在您隐式信任 cookie 中的内容之前，请先检查数据库。

字符串 plainTextUserData = fid.Ticket.UserData;

这仅在您的应用程序中起作用，因为 Asp.Net 已经为您解密了票证。但是，如果您想设置数据 IIRC，您需要重新创建并重新附加表单身份验证 cookie。

FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
    currentTicket.Version + 1,
    currentUser.UserName,
    now,
    now.Add(formsAuthentication.Timeout),
    false,
    "new user data string",
    FormsAuthentication.FormsCookiePath);

string hash = FormsAuthentication.Encrypt(ticket);
HttpCookie cookie = new HttpCookie(
    FormsAuthentication.FormsCookieName,
    hash);

Response.Cookies.Add(cookie);

另一个应用程序无法解码此票据，除非它知道解密密钥或者它是暴力破解的。如果您对应用程序进行负载平衡或使用网络花园，您甚至需要保持密钥同步。

* 我不支持在会话中存储内容。通常还有另一种方法来保存该数据。

[编辑] 我使用会话的目的：

我经常发现自己做的唯一一件事就是在基于会话服务器的会话中存储用户关键数据的精简版本。然而，我们使其透明加载，并确保不重复票证中的内容。

这样我们就不会暴露 cookie 中的任何敏感内容，并且我们不依赖会话。我们还设置了积极的会话回收。结合会话中存储的少量数据，会话不会给我们带来问题，并且由于只有一段代码知道会话中的内容，因此我们可以轻松重构它。

对于其他任何事情，会话都是邪恶的。我更喜欢在需要它的页面中维护视图状态，或者只是将临时状态保留在数据库中。

i need more data on certain pages
depending on what the user does. right
now i am using sessions but now i want
to move everything over into cookies.
it's not a lot of data so i figured i
could piggyback everything into the
auth ticket/cookie

@jorsh1 based on your commend to @Portman, Ticket.UserData isn't the place to store changing data. You don't want to recreate the authentication ticket all the time when going from one page to another.

Either use Session data with the Session Service or Sql Server. If you don't want the data in session, and the data is small and not sensitive then use a cookie. (*)

The MS canonical example with UserData is to store things like a list of Roles so that you can say things like "Do I think this user is an admin" but if it's something like an admin role, you'd probably hit the database to check before you implicitly trust what's in the cookie.

string plainTextUserData = fid.Ticket.UserData;

This does work inside your app only because Asp.Net has already decrypted the ticket for you. However, if you want to set the data IIRC you need to recreate and reattach the forms authentication cookie.

FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
    currentTicket.Version + 1,
    currentUser.UserName,
    now,
    now.Add(formsAuthentication.Timeout),
    false,
    "new user data string",
    FormsAuthentication.FormsCookiePath);

string hash = FormsAuthentication.Encrypt(ticket);
HttpCookie cookie = new HttpCookie(
    FormsAuthentication.FormsCookieName,
    hash);

Response.Cookies.Add(cookie);

Another App can't decode this ticket unless it knows the decryption key or it was brute-forced. If you load-balance the App or use web gardens, you even need to keep the keys in sync.

* I'm not a proponent of storing things in session. Usually there's another way to persist that data.

[edit] What I use session for:

The only thing I often find myself doing is storing a lite version of the users critical data in the session-server based session. We however make it transparently-loaded, and make sure not to duplicate what's in the Ticket.

That way we don't expose anything sensitive in cookies, and we don't rely on session. We also set aggressive session reclamation. Combined with the small amount of data being stored in session, sessions don't cause us problems, and as only 1 piece of code knows whats in the session, we could refactor it easily.

For anything else, sessions are evil. I prefer to maintain viewstate within a page that needs it, or otherwise just persist the temporary state in the database.

回复收藏 0 原文