问题描述
有人问我关于 ASP.NET 网站表单身份验证的 cookie 重放攻击.
I am being asked about cookie replay attacks with my ASP.NET websites forms authentication.
我已遵循以下建议来防止任何攻击,但我认为如果有人设法获取 cookie(尽管只是很短的时间),该站点仍然容易受到攻击.有没有办法在注销时完全破坏表单身份验证会话,这样即使有人偷了 cookie 也不会有恶意使用它的机会
I have followed the advice below to protect against any attack but think that the site is still vulnerable if somebody manages to get at the cookie (albeit only for a short time). Is there a way to completely destroy the forms authentication session on logout so that even if someone had stolen the cookie there would be no chance of using it maliciously
遵循的建议是
我们相信我们已经采取了所有负责任的措施来防止在 ASP.NET 范围内发生这种情况.请参阅下面的详细回复.
We believe we have taken all responsible steps we can to protect against this within the confines of ASP.NET. Please see detailed response below.
但是,我们已经实施了 Microsoft 推荐的步骤来防御这种情况(请参阅 http://support.microsoft.com/default.aspx?scid=kb;en-us;900111)
However we have implemented the recommended steps from Microsoft to defend against this (see http://support.microsoft.com/default.aspx?scid=kb;en-us;900111)
· 身份验证 cookie 永远不会写入客户端机器,因此很难窃取.
· The authentication cookie is never written to a client machine making it hard to steal.
· 应用程序可通过 SSL 运行,因此绝不会通过非安全连接发出 cookie
· The application is run-able via SSL so a cookie is never issued over a non secure connection
· 我们强制执行绝对过期时间为 15 分钟,这意味着任何问题 cookie 在该时间限制后都将无用
· We enforce absolute expiration with a 15 minute timeout meaning that any issues cookie is useless after that time limit
· 我们使用 httpOnly cookie,因此没有人可以通过编程方式拦截或更改此 cookie.
· We use httpOnly cookies so that no-one can pro grammatically intercept or alter this cookie.
因此,即使上述预防措施被打破,我们认为这是极不可能的,恶意用户也只有 15 分钟的时间来打破预防措施并成功登录
So even if the above precautions were broken, which we think highly unlikely, a malicious user would only have 15 minute window to break the precautions and successfully log in
推荐答案
一个简单的想法是生成一个随机的 guid 并将其存储在 cookie 的用户数据部分.然后,当用户注销时,您从用户数据中检索 guid 并将其写入服务器端存储库,并附上此会话"已结束的注释.
A simple idea is to generate a random guid and store it in the user data section of the cookie. Then, when a user logs out, you retrieve the guid from the user data and write it in a server side repository with an annotation that this "session" has ended.
然后,有一个 http 模块来检查每个请求,您的 cookie 的 userdata 部分中的 guid 是否没有指向结束的会话.如果是,则终止请求并警告重复使用过期的 cookie.
Then, have an http module that checks upon every request whether or not the guid from the userdata section of your cookie doesn't point to a ended session. If yes, terminate the request with a warning that expired cookie is reused.
这会带来每个请求的额外查找成本.
This comes with a cost of an additional lookup per request.
这篇关于表单认证 - Cookie 重放攻击 - 保护的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!