User.Identity.Name 有多强?
我正在编写一个使用 NTLM 身份验证的 ASP.Net MVC 应用程序,因此用户无需在该站点注册。 如果我禁用了匿名访问,我可以使用 User.Identity.Name 作为数据库中的所有权密钥吗? 我想做的是能够发出搜索,例如
from station in db.stations where station.user == username select *;
这是否足以可靠地知道用户是谁,或者是否存在令人讨厌的用户可以欺骗名称字符串并获取他们不应该访问的数据?
I am writing an ASP.Net MVC application that uses NTLM authentication, so users don't need to register with the site. If I have disables anonymous access, can I use User.Identity.Name as the ownership key in the database. What I'd like to do is to be able to issue a search such as
from station in db.stations where station.user == username select *;
Is this enough to know reliably who the user is, or is there someway a nasty user could spoof the name string and gain access to data that they shouldn't?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
该名称是从会话中填写的,因此攻击者必须欺骗会话 cookie 来劫持用户的会话并获得访问权限。 ASP.NET 会话 cookie 被加密以帮助防止这种情况发生,但您绝对应该让会话过期,这样坚定的攻击者就无法花费无限的时间尝试破解加密。 将 cookie 设置为 httpOnly 还可以帮助防止浏览器中的恶意脚本访问 cookie。
以下是参考,了解保护 ASP.NET 2.0 Web 的最佳实践地点。 其中大部分内容仍然适用,但可能需要转换为 MVC。
The name is filled in from the session so the attacker would have to spoof the session cookie to hijack the user's session and get access. The ASP.NET session cookie is encrypted to help prevent this, but you should definitely have the session expire so that a determined attacker can't spend an unlimited time trying to break the encryption. Setting your cookies to httpOnly can also help prevent a malicious script in the browser from accessing the cookie.
Here's a reference for best practices for securing an ASP.NET 2.0 web site. Much of it is still applicable, but may need to be translated to MVC.