表单验证问题
我在 ASP.NET 2.0 网站中使用表单身份验证。 今天在测试过程中我遇到了重大问题。
身份验证后,我有默认页面createuser.aspx。 从该页面我正在创建新用户。它工作正常。
有一个注销按钮,我可以在其中清除所有会话并将其重定向到登录页面。 一切都工作正常。
在测试过程中,我使用了 fiddler,其中我将 createuser.aspx url 拖放到 fiddler 的请求构建器选项中,并在更改 fiddler 内的文本框值后单击“执行”。 我很震惊这些信息保存在数据库中。
这意味着我在 ASP.NET 表单身份验证中遗漏了一些重要的内容,因为注销后所有会话/cookie 都应该过期,并且 fiddler 不应该工作。
希望大家理解我的问题。 请帮我找出解决方案。 我对身份验证cookie存有疑问。 我不知道我说得对还是不对?
I am using form authentication inmy ASP.NET 2.0 website. Today during testing i was faced major probleM.
After authentication, i have default page createuser.aspx. From that page i am creating new user.It is working fine.
There is logout button in which i am clearing all sessions and redirecting it in login page. All was working fine.
During testing i used fiddler in which i drag and drop createuser.aspx url in request builder option of fiddler and after changing textbox value inside fiddler i click on execute.
I was shocked the information is saved in database.
It means i was missing some important thing in asp.net form authentication because after logout all sesission/cookies should expire and fiddler should not work.
I hope you all understand my problem. Please help me to find out solution. I have doubt over authentication cookies. I don't know i am correct or not?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
请参阅 asp.net 站点上的安全教程。
See Security Tutorials on the asp.net site.
是的,注销您的网络应用程序会清除您的 cookie。
但是,在 Fiddler 中拖动上一个请求并将其放到请求生成器上将复制身份验证 cookie。
这意味着当您在 Fiddler 中执行请求时,您将发送正在重新验证的身份验证 cookie,因此 CreateUser.aspx 中的操作确实会触发,并且新用户详细信息将存储在数据库中。
如果在 Fiddler 的请求标头部分中,您删除了 cookie 中从 .ASPXAUTH= 开始直到并包括下一个 ; 的部分。 可能还有 ASP.NET_SessionId 值,您会发现它按您的预期工作。
如果您想确保这种行为不可能发生,您可能还需要存储某种“已登录此会话”标志,您也可以在注销时清除该标志,并在在执行插入之前,使用 CreateUser 的代码隐藏(如果您需要在多个页面上执行此行为,则使用某些基类)。
编辑以回复评论:
那么有几件事会对您有所帮助:
将网站的该区域置于 SSL 下 - 因此某人拦截流量会更加困难 - 但并非不可能,确实 fiddler 可以执行中间人攻击,并向客户端提供一个自行生成的证书,允许其解密信息。
正如我上面所说,您可能想要检查用户是否已通过身份验证(通过 cookie)以及是否设置了某些会话值 - 当您清除会话时,当用户通过 cookie 重新验证。
ASP.NET应该重新验证 cookie,因为这就是身份验证如何跨越会话超时和应用程序重新启动的方式 - 删除所有会话数据,应用程序无法知道来自 fiddler 的请求是否是一个会话刚刚被杀死,或者超时或在上次重新启动之前创建。
对评论的进一步回应:
正如 Blowdart 正确指出的那样,会话和身份验证 cookie 不相关,并且服务器不会保留它在任何地方发布的所有身份验证 cookie 的列表。 因此,对于服务器来说,在表单身份验证超时内发出的 cookie 与在超时内发出但已被删除的 cookie 之间没有区别 - 如果用户重新创建该 cookie 值,则它是有效的 cookie。 此支持文章提供有关 cookie/票据组合的更多信息:
正如我之前所说,如果服务器不接受 cookie 中的身份验证票证,并且没有有关用户的其他信息,那么持久 cookie 将不起作用,无论用户多久选择一次“下次记住我” ”,服务器不会记住它们,这就是为什么我建议您不要只依赖身份验证状态,还要依赖会话中的某些值(注销后 Fiddler 请求不会存在这些值,因为服务器会已销毁该信息)。
Logging out of your web app will clear your cookies, yes.
However, dragging a previous request in Fiddler and dropping it on the Request Builder will copy the authentication cookie.
This means that when you execute the request in Fiddler, you're sending the auth cookie, which is being re-vaildated, and therefore the actions in CreateUser.aspx will indeed fire, and the new user details will be stored in the database.
If in the Request Headers section of Fiddler you remove the part of the cookie starting .ASPXAUTH= up to and including the next ; and probably also the ASP.NET_SessionId value as well, you'll find it working as you expect.
If you want to ensure that this sort of behaviour isn't possible, you'll probably also want to store some sort of "Logged In This Session" flag, that you clear down on Logout as well, and check for that value in the code-behind of CreateUser (or some base class if you need this behaviour on multiple pages) before performing the insert.
Edit to respond to comments:
A couple of things will help you then:
Put this area of the site under SSL - therefore it will be a lot harder for someone to intercept the traffic - but not impossible, indeed fiddler can perform a man-in-the-middle attack, and provide the client with a self generated certificate which allows it to decrypt the information.
As I said above, you'll probably want to check that both the user is authenticated (from the cookie) and that some session value is set - as you're clearing down the session, this will no longer exist when the user is re-validated via the cookie.
ASP.NET should re-validate the cookie, as that's how authentication can span session timeouts and application restarts - be removing all session data the application has no way of knowing whether the request from fiddler is a session it's just killed, or one that timed out or was created before the last restart.
Further response to comments:
As Blowdart rightly points out, the Session and Authentication cookies aren't related, and the server doesn't keep a list of all the authentication cookies it has issued anywhere. Thus there is no difference to the server between a cookie that it issued within the forms authentication timeout, and one that was issued within the timeout that has since been removed - if the user recreates that cookie value, then it's a valid cookie. This Support Article has more infomation on the cookie/ticket combination:
As I've said earlier, if the authentication ticket in the cookie wasn't accepted by the server, with no other information about the user, then persistent cookies would not work, and no matter how often the user selected "Remember me next time", the server wouldn't remember them, this is why I recommend that you don't rely on just the authentication state, but also some value in the session (which wouldn't exist for the Fiddler request after logout because the server will have destroyed that information).
我们需要来自在线用户的列表。 删除您的用户,然后根据每个请求检查它
如果用户不存在或者登录时间超过一天,应该给出错误信息
We need from the list of online users. Delete your user and then check it on each request
If the user did not exist or the login time was more than one day, he should give an error message