避免 Web 应用程序的会话劫持
我阅读了有关会话劫持的文章,并想了解更多与之相关的信息。目前我的 Web 应用程序是在 ASP.NET 中开发的,正在使用 Cookieless =true 模式进行会话状态。我们使用 HTTPS,这是一种安全连接,可以减少会话劫持。我知道当我们使用 Cookieless 时,会话 ID 嵌入在 URL 中,如果用户将此 URL 传递给某人,并且如果会话仍然存在,其他用户将能够登录,有时这可能会很危险。所以只是想知道 HTTPS 是否足够,或者我应该采取一些措施来保护我的网络应用程序。
I read about Session Hijacking articles and would like to some more information related to it. Currently my web application which is developed in ASP.NET , is using Cookieless =true mode for sessionstate. We are using HTTPS which is a secure connection which will reduce session hijacking. I know when we using Cookieless the session id is embedded in URL which can be dangerous sometimes if user pass this URL to somebody and other user will be able to log in if session is still alive. So just want to know is HTTPS is more than enough or i should do something to secure my web app.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
HTTPS 仅防止在客户端和服务器(或服务器和客户端)之间抓取和更改数据。如果用户与朋友(或黑客)共享链接,它对您没有帮助。
作为一个选项,您可以在会话启动时将客户端 IP 保存在会话变量中,并检查每个请求当前 IP 和会话中的 IP 是否相同。这将提供更多的安全性。
HTTPS protects only from grabbing and changing data between client and server (or server and client). It can't help you if user share link with friends (or hackers :) )
As an option you can save client IP in session variables on session start and check on every request if current IP and IP from session are the same. This will provide a bit more security.
如果客户端 IP 发生变化,您可以结束会话并强制他们重新登录。
You could end session if client IP changes and force them to re-login.
会话劫持可能通过多种方式发生。 HTTPS 可防止嗅探,但 XSS 是迄今为止最常见的攻击。您可以使用 httponlycookies 来防止访问
document.cookie
的 xss 攻击,但随后攻击者可以“利用”会话 xmlhttprequest(Sammy 蠕虫对 MySpace 执行了此操作)。说到会话骑行,您应该查看 CSRF。如果您将会话 ID 存储在数据库中,甚至 SQL 注入也可用于劫持会话,但并非所有 Web 应用程序都会这样做。使用 httponlycookies,确保它们仅是 https,所有内容都使用 https。 不要使用asp.net的“cookiesless”会话,这会使您容易受到的攻击会话固定。会话 ID 应始终使用 cookie 进行传递,切勿以 GET 或 POST 方式传递。您可能需要考虑使用 STS。
Session hijacking can happen though a number a methods. HTTPS prevents sniffing, but XSS is by far the most common attack. You can use httponlycookies to prevent an xss attack from accessing
document.cookie
, but then the attacker can just "ride" on the session xmlhttprequest (The Sammy worm did this to MySpace). Speaking of session riding, you should look into CSRF. Even SQL Injection can be used to hijack a session if you are storing the session id in the database, but not all web apps do this.Use httponlycookies, make sure they are https only, use https for everything. Don't use asp.net's "cookiesless" sessions, this makes you vulnerable to Session Fixation. Session id's should always be passed using cookie, and never passed as GET or POST. You may want to consider using STS.
还要考虑到您的会话 ID 可能会在 HTTP_REFERER 标头中向外部人员泄露。如果用户点击在同一浏览器窗口中打开的链接,则 HTTP_REFERER 将包含最后访问的页面的 URL(包括 URL 参数中的会话 ID)。
如果链接指向您的服务外部,这将是一个问题。
Consider also that your session id will possibly be revealed to outsiders in HTTP_REFERER header. HTTP_REFERER will contain URL of the last page accessed - including the session id in URL's parameters-, if a user follows a link which opens in the same browser window.
That will be a problem if the link points outside from your service.