关于 HttpCookie 的问题

发布于 2024-11-04 03:02:31 字数 405 浏览 1 评论 0原文

我需要生成一个具有秘密值的 cookie，我是唯一知道它的人。
想法？

更新
我有一个处理程序页面，我调用此页面以使用 Ajax 获取 RSSFeed 的每个人都可以使用该页面。我需要做的是防止其他人伪造 HttpRequest 并获取返回的数据我尝试使用身份验证表单，但也没有什么好处我听说过随机数令牌的东西，但我不知道如何使用它。！
更新2
阅读这这正是我的问题..

原文

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

稀香 2024-11-11 03:02:31

通常，将敏感信息存储在 cookie 中是一个坏主意，但您可以使用仅在客户端未使用 cookie 时服务器才知道的密钥对其进行加密。您可以使用 AesManaged 类对其进行加密，并将密钥存储在安全的地方，例如具有锁定 ACL 的文件。

以下是如何执行此操作的示例。

public string GetEncryptedCookieValue(string cookieKey)
{
    using (var aes = new AesManaged())
    {
        aes.Key = new byte[0];//TODO: Replace this with getting the secret key.
        aes.IV = new byte[0];//TODO: Replace this with getting the secret IV.
        var cookie = Request.Cookies[cookieKey];
        var data = Convert.FromBase64String(cookie.Value);
        using (var transform = aes.CreateDecryptor())
        {
            var clearData = transform.TransformFinalBlock(data, 0, data.Length);
            return Encoding.UTF8.GetString(clearData);
        }
    }
}

public void SetEncryptedCookieValue(string cookieKey, string value)
{
    using (var aes = new AesManaged())
    {
        aes.Key = new byte[0];//TODO: Replace this with getting the secret key.
        aes.IV = new byte[0];//TODO: Replace this with getting the secret IV.
        var clearData = Encoding.UTF8.GetBytes(value);
        using (var transform = aes.CreateEncryptor())
        {
            var data = transform.TransformFinalBlock(clearData, 0, clearData.Length);
            Response.SetCookie(new HttpCookie(cookieKey, Convert.ToBase64String(data)));
        }
    } 
}

我再次强调，不应鼓励将敏感信息存储在 cookie 中。如果您将问题更新为您想要完成的任务，也许有一个更合理的解决方案。

Generally storing sensitive information in a cookie is a bad idea, but you could encrypt it with a key that is only known to the server if the cookie isn't being used client-side. You can use the AesManaged class to encrypt it, and store the Key somewhere safe, such as a file with locked down ACLs.

Here is an example of how to do so.

public string GetEncryptedCookieValue(string cookieKey)
{
    using (var aes = new AesManaged())
    {
        aes.Key = new byte[0];//TODO: Replace this with getting the secret key.
        aes.IV = new byte[0];//TODO: Replace this with getting the secret IV.
        var cookie = Request.Cookies[cookieKey];
        var data = Convert.FromBase64String(cookie.Value);
        using (var transform = aes.CreateDecryptor())
        {
            var clearData = transform.TransformFinalBlock(data, 0, data.Length);
            return Encoding.UTF8.GetString(clearData);
        }
    }
}

public void SetEncryptedCookieValue(string cookieKey, string value)
{
    using (var aes = new AesManaged())
    {
        aes.Key = new byte[0];//TODO: Replace this with getting the secret key.
        aes.IV = new byte[0];//TODO: Replace this with getting the secret IV.
        var clearData = Encoding.UTF8.GetBytes(value);
        using (var transform = aes.CreateEncryptor())
        {
            var data = transform.TransformFinalBlock(clearData, 0, clearData.Length);
            Response.SetCookie(new HttpCookie(cookieKey, Convert.ToBase64String(data)));
        }
    } 
}

Again, I would stress that storing sensitive information in a cookie is a practice that should be discouraged. If you update your question to what you are trying to accomplish, perhaps there is a more reasonable solution.

回复收藏 0 原文

~没有更多了~