我可以通过将 ASP.NET FormsAuthentication cookie 与会话 ID 相关联来使其更安全吗?
我们注意到可以在另一台计算机上重新创建 ASP.NET FormsAuthentication cookie 的副本,从而允许第二台计算机无需登录即可进行身份验证。
一个建议的解决方案是将会话 ID 存储在 中FormsAuthenticationTicket.UserData 并检查 Application_AuthenticateRequest() 内的两个值是否匹配。
我们正在使用:
FormsAuthenticationTicket.IsPersistent = false;
这种将 FormsAuthentication cookie 与会话 ID 关联的方法是个好主意吗?
We've noticed that it's possible to recreate a copy of an ASP.NET FormsAuthentication cookie on another machine, allowing the second machine to authenticate without needing to log in.
One suggested solution to this has been to store the session ID within FormsAuthenticationTicket.UserData and to check that the two values match inside Application_AuthenticateRequest().
We're using:
FormsAuthenticationTicket.IsPersistent = false;
Is this approach of associating FormsAuthentication cookie with the session ID a good idea?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
我认为你对这个问题想得太多了。 复制 cookie 的能力只是 cookie 的一个固有问题 - 任何人都可以拦截任何 cookie 并通过在另一台机器上设置它来模拟其中的任何数据。
身份验证 cookie 的“安全性”来自这样一个事实:没有人可以(据说)手工制作 cookie 来伪造经过身份验证的用户。 然而,一旦创建了cookie,它当然可以用于身份验证。 这意味着,为了让您的“问题”发生,您仍然需要先有有效的用户登录。 如果该用户通过将其 cookie 复制到其他计算机来向每个人提供访问权限来滥用系统,那么这与用户只是告诉每个人她的用户名和密码是完全相同的,只是更加迟钝。 因此,问题不在于 cookie 的复制,而在于用户本身。
另一个攻击媒介是,如果网络受到损害,有人可以通过嗅探器或其他方式拦截流量以拼凑 cookie,但同样,这是 cookie 本身固有的。 这称为会话劫持,防止这种情况的唯一方法是为您的站点使用 SSL。
如果您真的很担心,我只需将身份验证和会话超时设置为相同,然后在您的 global.asax 文件中,只要用户的会话过期,只需调用 FormsAuthentication.Signout() 即可。 每当用户完成会话时,这都会使身份验证失效,迫使他们稍后再次登录。 当然,这可能会给您的用户带来极大的烦恼...
我也强烈推荐 这篇 MSDN 文章。 它可能比我更好地回答你的问题。
I think that you are overthinking the problem. The ability to copy a cookie is just an inherent problem of cookies - anyone can intercept any cookie and impersonate whatever data is in there by setting it up on another machine.
The "security" of the authentication cookie comes from the fact that no one can (supposedly) craft the cookie by hand to fake an authenticated user. However, once the cookie is created, of course it can be used for authentication. This means that in order for your "problem" to happen, you still need to have a valid user log in first. If that user is abusing the system by copying his cookie to other machines to give everyone access, it's exactly the same thing as the user just telling everyone her username and password, except far more obtuse. Therefore, the problem isn't the copying of the cookie - it's the user herself.
Another attack vector would be if the network is compromised and someone can intercept the traffic to piece together the cookie via a sniffer or whatever - but again, this is inherent with cookies themselves. This is called Session Hijacking, and the only way to protect against this is to use SSL for your site.
If you're really worried about it, I'd just set your authentication and session timeouts to be the same, and then in your global.asax file, simply call FormsAuthentication.Signout() whenever the user's session expires. This invalidates the authentication whenever the user is done their session, forcing them to log in again later. Of course, this might be an extreme annoyance to your users...
I would also highly recommend This MSDN article. It probably answers your questions a lot better than I can.