用户角色 - 为什么不存储在会话中?
我正在将 ASP.NET 应用程序移植到 MVC,并且需要存储与经过身份验证的用户相关的两个项目:角色列表和可见项目 ID 列表,以确定用户可以看到或不能看到的内容。
我们过去曾将 WSE 与 Web 服务结合使用,这使得事情变得异常复杂并且无法正确调试。现在我们正在放弃 Web 服务,我期待着大幅简化解决方案,只是将这些内容存储在会话中。一位同事建议使用角色和会员提供者,但在研究这个问题时,我发现了许多问题:
a)它与 WSE 存在类似但不同的问题,因为它必须以非常有限的方式使用,这使得它甚至变得棘手编写测试;
b) RolesProvider 的唯一缓存选项是基于 cookie,我们出于安全原因拒绝了该选项;
c) 它带来了无穷无尽的并发症和额外的不需要的行李;
简而言之,我们想要做的就是以安全的方式将两个字符串变量存储在用户会话或等效内容中,并在需要时引用它们。看似十分钟的工作到目前为止已经花费了几天的调查时间,并且为了使问题更加复杂,我们现在发现会话 ID 显然可以伪造,请参阅
http://blogs.sans.org/appsecstreetfighter/2009/06/14/session-attacks-and- aspnet-part-1/
我认为没有简单的方法可以完成这项非常简单的工作,但我发现这难以置信。
任何人都可以:
a) 提供有关如何确保 ASP.NET MVC 会话安全的简单信息,正如我一直认为的那样?
b)建议另一种简单的方法来存储登录用户角色等的这两个字符串变量,而不必如上所述用另一个复杂的噩梦替换一个复杂的噩梦?
谢谢。
I'm porting an ASP.NET application to MVC and need to store two items relating to an authenitcated user: a list of roles and a list of visible item IDs, to determine what the user can or cannot see.
We've used WSE with a web service in the past and this made things unbelievably complex and impossible to debug properly. Now we're ditching the web service I was looking foward to drastically simplifying the solution simply to store these things in the session. A colleague suggested using the roles and membership providers but on looking into this I've found a number of problems:
a) It suffers from similar but different problems to WSE in that it has to be used in a very constrained way maing it tricky even to write tests;
b) The only caching option for the RolesProvider is based on cookies which we've rejected on security grounds;
c) It introduces no end of complications and extra unwanted baggage;
All we want to do, in a nutshell, is store two string variables in a user's session or something equivalent in a secure way and refer to them when we need to. What seems to be a ten minute job has so far taken several days of investigation and to compound the problem we have now discovered that session IDs can apparently be faked, see
http://blogs.sans.org/appsecstreetfighter/2009/06/14/session-attacks-and-aspnet-part-1/
I'm left thinking there is no easy way to do this very simple job, but I find that impossible to believe.
Could anyone:
a) provide simple information on how to make ASP.NET MVC sessions secure as I always believed they were?
b) suggest another simple way to store these two string variables for a logged in user's roles etc. without having to replace one complex nightmare with another as described above?
Thank you.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(7)
如果会话无法被劫持,则将用户的角色信息存储在服务器端会话中是安全的。更广泛地重申这一点,如果经过身份验证的会话被劫持,那么用户角色信息存储在哪里并不重要。
我建议不要对您链接到的文章抱有太大信心,但从您的链接链接到的 2002 年年份报告很有趣。以下是我的要点:
不要接受嵌入在 URL 中的会话 ID。
将您的时间集中在消除跨站点脚本危险上,即扫描所有用户提供的数据并解析出可执行的 java 脚本。
将您的时间集中在消除
为完整的域(例如 myapp.mydomain.com)发出 cookie
将您的域托管在高级 DNS 运营商处,例如只允许DNS 从预设远程 IP 地址更改。
不要发出持久会话 cookie。
如果某人到达登录页面时其 sessionID 已与经过身份验证的会话关联,则重新发出会话 cookie。
如果
更好的是,始终在成功验证后发出新的会话 cookie 并放弃之前的会话。 (可以在 IIS 中配置吗?)
Storing the user's role information in a server-side session is safe providing a session cannot be hijacked. Restating this more broadly, it does not matter where user role info is stored if an authenticated session is hijacked.
I advise not putting too much faith in the article you linked to, but the 2002 vintage report linked to from your link is of interest. Here are my take-aways:
Don't accept session IDs embedded in URLs.
Focus your time on eliminating cross site scripting dangers i.e. scan all user supplied data and parse out executable java script.
Issue cookies for complete domains (e.g. myapp.mydomain.com)
Host your domain at a high class DNS operator e.g. one that only allows DNS changes from a preset remote IP address.
Don't issue persistent session cookies.
Reissue a session cookie if someone arrives at a login page with a sessionID already associated with an authenticated session.
Better still, always issue a new session cookie on successful authentication and abandon the prior session. (Can this be configured in IIS?)
建立安全连接的唯一方法是使用 SSL。如果低于这个标准,您只需在“足够安全”的情况下进行评估即可。
会话变量可以很好地存储值,但 Web 服务器有时可能会被回收,这会导致会话丢失。发生这种情况时,您必须重新验证用户身份并再次设置会话变量。
会话变量本身是完全安全的,因为它永远不会离开服务器,除非您专门将其复制到响应中。
The only way to make a secure cinnection is to use SSL. Anything less than that, and you simply have to make the evaluation when it's "safe enough".
A session variable works fine for storing a value, with the exception that the web server may be recycled now and then, which will cause the session to be lost. When that happens you would have to re-authenticate the user and set the session variable again.
The session variable itself is completely safe in the sense that it never leaves the server unless you specifically copy it to a response.
您是否考虑过在 MVC 中设置自定义授权标签。我在另一个问题。
在初始授权(登录屏幕或会话启动)时,您也可以使用 IP 地址播种会话值。然后在您的自定义授权中,您还可以验证 IP 是否仍然匹配。这将有助于确保有人不会“窃取”该人的会话。每次访问会话数据时,只需确保传递请求者的 IP 并对其进行一些检查。
Have you considered setting up a custom Authorize tag in MVC. I gave an example of this in another question.
On initial authorization (sign-in screen or session start) you could seed a session value with the IP address also. Then in your custom authorization, you could also verify that IP's still match up as well. This will help make sure that someone isn't 'stealing' the person's session. Everytime you access your session data just make sure to pass the requester's IP and have some check on it.
您是否试图在客户端级别控制对功能的访问?这是我公开角色和项目来控制客户端功能的唯一原因。
或者,您可以创建一个函数来获取允许用户角色使用的项目,然后即使在返回给 Web 应用程序的项目之外调用该函数,您也可以阻止用户访问它们。
4Guys 似乎展示如何使用角色控制功能。
Are you trying to control the access to functions at the client level? That is the only reason I would expose the roles and items to control client side functions.
Alternatively, you could create a function to obtain the items that the roles of the user are allowed to use, and then even if the function is called outside of the items given back to the web application, you can prevent the user from accessing them.
4Guys seems to show how to control functions with the roles.
我过去使用的方法是结合使用 cookie 的对称加密和 SSL。加密响应中的用户信息并在请求中解密。我并不是说这是万无一失的或 100% 安全的,而且我不想在银行应用程序上这样做,但它对于许多用途来说已经足够好了。
会话变量的主要问题是,如果您将它们存储在Proc中而不是持久化它们,那么您需要将“粘性”会话应用于网络场环境中的负载平衡。 Guffa 是正确的,如果没有这种持久性,会话变量偶尔会丢失,从而导致糟糕的用户体验。
粘性会话可能会导致负载平衡不均匀,可能会降低横向扩展的价值。
如果您要保留会话,以便网络场中的所有服务器都可以访问它们,那么您最好使用 Guid 来识别用户,在 cookie 中对其进行加密,然后从数据存储中检索用户记录每次。
The approach I have used in the past is to use symmetric encryption of a cookie alongside SSL. Encrypt the user information in the reponse and decrypt it in the request. I'm not claiming this is foolproof or 100% secure and I wouldn't want to do this on a banking application, but it is good enough for many purposes.
The main issue with session variables is that if you store them inProc rather than persisting them, then you need to apply 'sticky' sessions to your load balancing in a web farm environment. Guffa is correct that without this persistence session variables will occasionally be lost causing a poor user experience.
Sticky sessions can lead to uneven load balancing, perhaps reducing the value of being able to scale out.
If you are going to be be persisting the sessions so they can be accessed by all servers in your web farm, you may be better off using a Guid to identify the user, encrypting this in a cookie and retrieving the user record from your data store each time.
我明显的问题是,为什么要在会话中存储用户角色?
这是我对您的询问的回答,这有什么帮助。我附上了一个小型演示应用程序,供您查看并理解我的观点。当您在 Visual Studio 中打开此项目时,单击顶部的“项目”选项卡并选择“asp.net 配置”。从将显示的页面中,您可以执行用户管理操作。
您需要以某种安全的方式存储用户的角色?这个问题的答案是,当我们有 ASP.NET 成员资格、配置文件和角色框架来帮助我们解决这个问题时,您无需担心存储任何用户的角色。您需要做的就是在 aspnet 数据库中创建一个角色并将该角色分配给用户。
接下来您想以某种安全的方式存储两个字符串。我建议您使用用户配置文件来存储用户特定信息。这样,您就可以从 profilecommon 类中获得所需的信息。
另请参阅我的博客末尾附加的演示应用程序 http://blogs.bootcampedu.com/blog/post/Reply-to-httpstackoverflowcomquestions1672007user-roles-why-not-store-in-session.aspx
My obvious question is that why do you want to store a users role in session ?
Here is my answer to your query, how this helps. I have attached a small demo application for you to take a look at and understand my points. When you open this project in visual studio, click on the project tab on the top and select asp.net configuration. From the page that will show up you can do the user administration stuff.
You need to store the roles of a user in some secure manner ? The answer to this question is that there is no need for you to worry about storing the role for any user, when we have the asp.net membership, profiles and roles framework to help us out on this. All you need to do is create a role in the aspnet database and assign that role to the user.
Next you want to store two string in some secure manner. I suggest you user profile for storing user specific information. This way you have the information available to you where ever you want from the profilecommon class.
Also please see the attached demo application placed at the end of my blog http://blogs.bootcampedu.com/blog/post/Reply-to-httpstackoverflowcomquestions1672007user-roles-why-not-store-in-session.aspx
只是一个建议,您可以考虑使用这个小库:
http://www.codeproject。 com/KB/aspnet/Univar.aspx
它有一个 cookie 的服务器端实现,所有 cookie 都可以存储在服务器上,同时使用 asp.net 身份验证来识别用户。它支持加密,而且非常灵活,可以轻松地从一种存储类型切换到另一种存储类型。
Just a suggestion, you might consider using this little library:
http://www.codeproject.com/KB/aspnet/Univar.aspx
It has a server side implementation of the cookie whereby all cookies can be stored on the server while asp.net authentification is used to identify the user. It supports encryption and is also very flexible making it very easy to switch from one storage type to another.