This article describes a way to deal with session hijacking; it should be a useful reference for anyone facing the same problem.

Problem description




Hi,

I am using session for my pre- and post-login like below:

// Login Page Code..

protected void Page_Load(object sender, EventArgs e)
{
   // Anonymous visitors get a placeholder identity in the session.
   if (string.IsNullOrEmpty(Convert.ToString(Session["LoginId"])))
        Session["LoginId"] = "Guest";
}


protected void page_btnLogin_Click(object sender, EventArgs e)
{
   // The same session (and the same session ID) carries on after authentication.
   Session["LoginId"] = "SomeUserId";
   Response.Redirect("PostloginPageURL");
}

// Post login Page Code..

protected void Page_Load(object sender, EventArgs e)
{
   if (!string.Equals(Convert.ToString(Session["LoginId"]), "SomeUserId"))
   {
       Response.Redirect("loginPageURL");
   }
   else
   {
      // Fetch some code...
   }
}






Above, if you see, I am using the same session to manage both my pre- and post-login. This may lead to session hijacking by using the session ID.

So after a long search I came to the conclusion that one needs to change the session ID, because both the pre- and post-login sessions have the same session ID.

Again, doing some more searching, I got the code for creating a new session ID, as below:

protected void page_btnLogin_Click(object sender, EventArgs e)
{
   // Abandon discards the current session item; the empty cookie makes the next
   // request start a brand-new session with a new ID.
   Session.Abandon();
   Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", ""));
   // This value is written into the abandoned session, so it is gone on the next request.
   Session["LoginId"] = "SomeUserId";
}






The above code is successful in generating a new session ID.
But I am unable to retrieve my saved value, i.e. I am unable to get the value of the session on the other page.

I tried
all of the below:

Removed session.Abandon(); and checked ---> FAILED
Tried response.redirect("MyUrl",false) ---> FAILED
Tried Server.transfer("MyUrl") ---> FAILED

Valid answers are appreciated.

Thank you.

Recommended answer

using System.Reflection;
using System.Web;
using System.Web.SessionState;

// Page method: gives the current request a fresh session ID and makes the
// SessionStateModule save the in-memory session items under that new ID
// instead of under the ID the browser sent. It reaches into private fields
// of SessionStateModule via reflection (_store, _rqId, _rqLockId,
// _rqSessionStateNotFound), so it depends on framework internals.
// "Context" is the page's HttpContext.
void RegenerateId()
{
    var manager = new SessionIDManager();
    string oldId = manager.GetSessionID(Context);
    string newId = manager.CreateSessionID(Context);
    bool isAdd, isRedir;
    // Send the new ID to the browser (session cookie, or the URL when cookieless).
    manager.SaveSessionID(Context, newId, out isRedir, out isAdd);
    var ctx = HttpContext.Current.ApplicationInstance;
    HttpModuleCollection mods = ctx.Modules;
    var ssm = (SessionStateModule)mods.Get("Session");
    var fields = ssm.GetType().GetFields(BindingFlags.NonPublic | BindingFlags.Instance);
    SessionStateStoreProviderBase store = null;
    FieldInfo rqIdField = null;
    FieldInfo rqLockIdField = null;
    FieldInfo rqStateNotFoundField = null;
    foreach (var field in fields)
    {
        if (field.Name.Equals("_store")) store = (SessionStateStoreProviderBase)field.GetValue(ssm);
        if (field.Name.Equals("_rqId")) rqIdField = field;
        if (field.Name.Equals("_rqLockId")) rqLockIdField = field;
        if (field.Name.Equals("_rqSessionStateNotFound")) rqStateNotFoundField = field;
    }
    // Release the exclusive lock the module holds on the old item ...
    object lockId = rqLockIdField.GetValue(ssm);
    if ((lockId != null) && (oldId != null)) store.ReleaseItemExclusive(Context, oldId, lockId);
    // ... and tell the module that no stored item exists under newId yet, so at the
    // end of the request it inserts the current session items as a new entry under newId.
    rqStateNotFoundField.SetValue(ssm, true);
    rqIdField.SetValue(ssm, newId);
}
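The following is an added example, not code from the question or the answer, showing how the login flow from the question looks once `RegenerateId()` is called at the moment of authentication. The weakness the question describes is session fixation: an ID issued to (or planted in) the browser before login would otherwise become a valid authenticated session. The example assumes `RegenerateId()` is a method of the login page exactly as in the answer above, and that `ValidateCredentials`, `txtUser`, `txtPassword` and `lblError` are hypothetical members defined elsewhere in the page.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Login page code-behind (ASP.NET Web Forms). Assumes RegenerateId() from the
// answer is a method of this class; ValidateCredentials, txtUser, txtPassword
// and lblError are hypothetical members not shown here.
public partial class LoginPage : Page
{
    private const string LoginKey = "LoginId";
    private const string GuestId = "Guest";

    protected void Page_Load(object sender, EventArgs e)
    {
        // Anonymous visitors get a placeholder identity; nothing about this
        // session is trusted yet.
        if (string.IsNullOrEmpty(Convert.ToString(Session[LoginKey])))
            Session[LoginKey] = GuestId;
    }

    protected void btnLogin_Click(object sender, EventArgs e)
    {
        string userId;
        if (!ValidateCredentials(txtUser.Text, txtPassword.Text, out userId))
        {
            lblError.Text = "Invalid user name or password.";
            return; // failed attempt: leave the anonymous session untouched
        }

        // 1. Replace the ID the browser presented before authentication. Any ID
        //    that was planted or observed before login is now worthless.
        RegenerateId();

        // 2. Only now record the authenticated identity. RegenerateId() marked the
        //    state as "not found" under the new ID, so the module stores the
        //    current items under that new ID when the request ends.
        Session[LoginKey] = userId;

        // 3. Redirect without ending the response, so the session-state module
        //    still runs its normal release step and no ThreadAbortException is raised.
        Response.Redirect("~/PostLogin.aspx", false);
        Context.ApplicationInstance.CompleteRequest();
    }
}

// Post-login page code-behind.
public partial class PostLoginPage : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        string loginId = Convert.ToString(Session["LoginId"]);

        // Reject both "no value" and the guest placeholder, rather than comparing
        // against a single hard-coded user ID as the question's page does.
        if (string.IsNullOrEmpty(loginId) || loginId == "Guest")
        {
            Response.Redirect("~/Login.aspx", false);
            Context.ApplicationInstance.CompleteRequest();
            return;
        }

        // ... render content for loginId
    }

    protected void btnLogout_Click(object sender, EventArgs e)
    {
        // Nothing has to survive a logout, so Abandon() is the right call here:
        // invalidate the server-side item and expire the cookie so the old ID
        // cannot be presented again.
        Session.Abandon();
        Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", "")
        {
            Expires = DateTime.UtcNow.AddDays(-1),
            HttpOnly = true
        });
        Response.Redirect("~/Login.aspx", false);
        Context.ApplicationInstance.CompleteRequest();
    }
}
```

Two things to check when adopting this. First, `RegenerateId()` only releases the lock on the old item; it does not remove it from the store, so the pre-login entry lingers until its own timeout expires. Second, because the helper reads private fields of `SessionStateModule`, verify on the exact .NET Framework version you deploy that the new ID is what the post-login page receives and that `Session["LoginId"]` survives the redirect; a framework update that renames those fields would make the method throw a `NullReferenceException` on `rqLockIdField`. Marking the session cookie `HttpOnly` and, on HTTPS sites, `Secure` in `web.config` (`<httpCookies httpOnlyCookies="true" requireSSL="true" />`) reduces the value of a stolen ID independently of regeneration.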





07-22 08:03