我不知道如何以美元ASP.NET(请参阅en.wikipedia/wiki/Session_fixation)
I'm wondering how to prevent Session fixation attacks in ASP.NET (see en.wikipedia/wiki/Session_fixation)
我会处理这个通常会产生,每当有人登录发出新的会话ID。但是,这一级别的控制有可能在ASP.NET的土地?
My approach would to this would normally be to generate and issue a new session id whenever someone logs in. But is this level of control possible in ASP.NET land?
推荐答案一直在做更多的挖掘这一点。在任何Web应用程序prevent会话固定攻击的最佳方法是发出一个新的会话标识符,当用户登录。
Have been doing more digging on this. The best way to prevent session fixation attacks in any web application is to issue a new session identifier when a user logs in.
在ASP.NET Session.Abandon()不足以完成这个任务。微软状态 support.microsoft/kb/899918 认为:当你放弃会话,会话ID的cookie不从用户的浏览器中移除。 因此,只要会话已被放弃,到同一个应用程序的任何新请求都将使用相同的会话ID,但将有一个新的会话状态实例,
In ASP.NET Session.Abandon() is not sufficient for this task. Microsoft state in support.microsoft/kb/899918 that: ""When you abandon a session, the session ID cookie is not removed from the browser of the user. Therefore, as soon as the session has been abandoned, any new requests to the same application will use the same session ID but will have a new session state instance.""
一个bug修复已要求这在connect.microsoft/feedback/viewfeedback.aspx?FeedbackID=143361&wa=wsignin1.0&siteid=210#details
A bug fix has been requested for this at connect.microsoft/feedback/viewfeedback.aspx?FeedbackID=143361&wa=wsignin1.0&siteid=210#details
有一种变通方法,以确保新的会话ID是在 support.microsoft/kb/899918生成详细这就需要调用Session.Abandon然后清除会话ID cookie。
There is a workaround to ensure new session ids' are generated detailed at support.microsoft/kb/899918 this involves calling Session.Abandon and then clearing the session id cookie.
会更好,如果ASP.NET没有依靠开发商做到这一点。
Would be better if ASP.NET didn't rely on developers to do this.
更多推荐
会话固定在ASP.NET
发布评论