I've created an web authentication app using c# & asp.net and want to bounce off how secure you think it is. All navigation is done by https.
我已经使用c#和asp.net创建了一个Web身份验证应用程序,并希望避开您认为它的安全性。所有导航均由https完成。
User Registration
- User enters 3 datapoints (SSN,Lname and DOB). If that combination is found in our system, a session variable is set and navigates to next page.
- If session variable for #1 is set, proceed and ask for username, pwd, security q&A etc. Use Linq to save data and verify session variable before actual save event. PWD and security answer is hashed using salt and sha. (use validation controls and textbox limits to limit input)
用户输入3个数据点(SSN,Lname和DOB)。如果在我们的系统中找到该组合,则会设置会话变量并导航到下一页。
如果设置了#1的会话变量,请继续并询问用户名,密码,安全问答等。使用Linq保存数据并在实际保存事件之前验证会话变量。使用salt和sha对PWD和安全性答案进行哈希处理。 (使用验证控件和文本框限制来限制输入)
Reset password
- Same as #1 in registration but includes username. If ok, set step 1 session variable.
- If step 1 session variable is set, ask security question up to 3x. Salt/hash and verify to database salt/hash. If match, set step 2 session variable.(use validation controls and textbox limits to limit input)
- Check for step 2 session variable. Ask for new pwd. Hash/salt and save using LINQ.
与注册中的#1相同,但包括用户名。如果确定,请设置第1步会话变量。
如果设置了第1步会话变量,请提出最高3倍的安全问题。 Salt / hash并验证数据库salt / hash。如果匹配,则设置步骤2会话变量。(使用验证控件和文本框限制来限制输入)
检查第2步会话变量。要求新的密码。哈希/盐并使用LINQ保存。
Login (use validation controls and textbox limits to limit input)
登录(使用验证控件和文本框限制来限制输入)
- Gather username and password. HASH/salt password that matches username and see if password matches hash. If okay, instatiate user objects and pass to default page.
- All pages inherit from masterpage. Masterpage has code to verify if user objects are set to a valid instance. If not valid user object, logoff is called which redirects to main login page.
收集用户名和密码。匹配用户名的HASH / salt密码,看看密码是否与hash匹配。如果没问题,请设置用户对象并传递到默认页面。
所有页面都从masterpage继承。 Masterpage具有验证用户对象是否设置为有效实例的代码。如果没有有效的用户对象,则调用注销,重定向到主登录页面。
Kind of wordy but wanted to be clear.
有点罗嗦,但想要清楚。
Am I missing anything here? I wanted to use MS's forms auth but decided to roll my own as I had some issues getting some of the custom stuff I wanted done using FBA. By using session variables as step completion markers, does that adequately prevent session stealing or bookmarking? Is there a better way to do this?
我在这里遗漏了什么?我想使用MS的表单auth,但决定自己滚动,因为我有一些问题得到我想用FBA做的一些自定义的东西。通过使用会话变量作为步骤完成标记,这是否足以防止会话窃取或书签?有一个更好的方法吗?
Thoughts please?
3 个解决方案
#1
What aspect of either ASP.NET Forms Authentication or using the Membership Provider bits didn't fit with your needs? I've found both to be very flexible in many different scenarios?
ASP.NET Forms身份验证或使用Membership Provider位的哪些方面不符合您的需求?我发现在很多不同的场景中都非常灵活?
Rolling your own is usually going to make life hard in the future, especially when you need to start making changes. Also your use of a master page to verify a users logon state etc might be fine for now, but when you require more master pages you then start needing to replicate the same blob of code in every masterpage and keep it all consistent. That can then become a maintenance nightmare somewhere down the road.
滚动你自己通常会在未来使生活变得艰难,特别是当你需要开始做出改变时。此外,您使用母版页来验证用户登录状态等现在可能没问题,但是当您需要更多母版页时,您就开始需要在每个母版页中复制相同的代码块并使其保持一致。这可能会成为未来某个地方的维护噩梦。
If you're not using the ready baked authentication tools in the framework you should be plumbing this kind of thing in somewhere else, such in an HttpModule.
如果您没有在框架中使用现成的烘焙认证工具,那么您应该在其他地方管理这种事情,例如在HttpModule中。
I think you should revisit what you're doing. Take a look at implementing your own custom IIdentity objects if you need to hang user specific data/objects off of a user object. Then assign to a custom IPrincipal you can attach to Context.User in ASP.NET.
我想你应该重温你正在做的事情。如果需要从用户对象挂起用户特定的数据/对象,请查看实现自己的自定义IIdentity对象。然后分配给自定义IPrincipal,您可以将其附加到ASP.NET中的Context.User。
@asp316 and @Jack (comment) I would advise grabbing these two books:
@ asp316和@Jack(评论)我建议抓住这两本书:
Developing More-Secure Microsoft® ASP.NET 2.0 Applications by Dominick Baier
由Dominick Baier开发更安全的Microsoft®ASP.NET2.0应用程序
Professional ASP.NET 2.0 Security, Membership, and Role Management by Stefan Schackow
Stefan Schackow的专业ASP.NET 2.0安全性,成员资格和角色管理
You'll be surprised how flexible the built in security infrastructure in .NET really is. There's a lot more to it than just adding a <authentication mode="Forms"> setting to your web.config and slapping a <asp:login runat="server"/> control on a page.
您会惊讶于.NET内置的安全基础架构的灵活性。除了在web.config中添加
#2
The thing about "rolling your own" is that it's very easy to get it wrong in subtle ways such that it appears to work. You then, of course, deploy this code and move on to other things with no clue that anything is wrong. After all, it passed all your tests.
关于“滚动你自己”的事情是,它很容易以微妙的方式弄错,以至于看起来有效。然后,当然,您可以部署此代码并继续处理其他事情,而不知道出现任何问题。毕竟,它通过了所有测试。
A year later it turns out your site was hacked six months previously, and you never even knew it until just then.
一年之后,事实证明你的网站在六个月前被黑了,直到那时你才知道它。
Much better to find a way to rely on an implementation written by security experts.
更好地找到一种依赖安全专家编写的实现的方法。
#3
I think you're pretty well set; I would also lock a user out for a time after a certain amount of bad login attempts (1 hour after 5 bad tries?) and check for time between requests (the AjaxControlToolkit "nobot" works wonders here, in my experience).
我觉得你很好;在一定程度的错误登录尝试(5次不良尝试后1小时?)之后,我还会将用户锁定一段时间并检查请求之间的时间(根据我的经验,AjaxControlToolkit“nobot”在这里工作奇迹)。
One option, rather than using your Master page for the security code, is to implement an Interface that the pages (or Master page) can inherit from; this way, if you ever do expand to multiple master pages, or if you have pages outside of the master, you can continue to use the same security-checking code.
一个选项,而不是使用您的主页面作为安全代码,是实现页面(或主页面)可以继承的接口;这样,如果您扩展到多个母版页,或者如果您有母版之外的页面,则可以继续使用相同的安全检查代码。
Depending on your requirements, I'd shy away from (required) security questions; I always forget mine. You're already checking for SSN, BDay, Last Name, username, and password; anyone who knows all of this probably can guess your mother's maiden name.
根据您的要求,我会回避(必需的)安全问题;我总是忘记我的。您已经在检查SSN,BDay,姓氏,用户名和密码;知道所有这一切的人可能会猜到你妈妈的娘家姓。
[edit]
Also, I do think it's a ok to roll your own, as long as you vet it like crazy. Throw some other people at it and see how it holds up. I totally understand the inflexibility of the ASP.NET control options; their controls will probably be more secure (although, you should never blindly trust anything, especially something that you don't know what's going on behind the magical black box), but sometimes you just have to roll your own when it's not flexible enough.
此外,我认为只要你像疯了一样审查它就可以推出自己的产品。扔掉其他人,看看它是如何保持的。我完全理解ASP.NET控件选项的不灵活性;他们的控制可能会更安全(尽管,你永远不应该盲目相信任何东西,尤其是那些你不知道魔法黑盒背后会发生什么的东西),但有时你只需要在它不够灵活的时候自己动手。
#1
What aspect of either ASP.NET Forms Authentication or using the Membership Provider bits didn't fit with your needs? I've found both to be very flexible in many different scenarios?
ASP.NET Forms身份验证或使用Membership Provider位的哪些方面不符合您的需求?我发现在很多不同的场景中都非常灵活?
Rolling your own is usually going to make life hard in the future, especially when you need to start making changes. Also your use of a master page to verify a users logon state etc might be fine for now, but when you require more master pages you then start needing to replicate the same blob of code in every masterpage and keep it all consistent. That can then become a maintenance nightmare somewhere down the road.
滚动你自己通常会在未来使生活变得艰难,特别是当你需要开始做出改变时。此外,您使用母版页来验证用户登录状态等现在可能没问题,但是当您需要更多母版页时,您就开始需要在每个母版页中复制相同的代码块并使其保持一致。这可能会成为未来某个地方的维护噩梦。
If you're not using the ready baked authentication tools in the framework you should be plumbing this kind of thing in somewhere else, such in an HttpModule.
如果您没有在框架中使用现成的烘焙认证工具,那么您应该在其他地方管理这种事情,例如在HttpModule中。
I think you should revisit what you're doing. Take a look at implementing your own custom IIdentity objects if you need to hang user specific data/objects off of a user object. Then assign to a custom IPrincipal you can attach to Context.User in ASP.NET.
我想你应该重温你正在做的事情。如果需要从用户对象挂起用户特定的数据/对象,请查看实现自己的自定义IIdentity对象。然后分配给自定义IPrincipal,您可以将其附加到ASP.NET中的Context.User。
@asp316 and @Jack (comment) I would advise grabbing these two books:
@ asp316和@Jack(评论)我建议抓住这两本书:
Developing More-Secure Microsoft® ASP.NET 2.0 Applications by Dominick Baier
由Dominick Baier开发更安全的Microsoft®ASP.NET2.0应用程序
Professional ASP.NET 2.0 Security, Membership, and Role Management by Stefan Schackow
Stefan Schackow的专业ASP.NET 2.0安全性,成员资格和角色管理
You'll be surprised how flexible the built in security infrastructure in .NET really is. There's a lot more to it than just adding a <authentication mode="Forms"> setting to your web.config and slapping a <asp:login runat="server"/> control on a page.
您会惊讶于.NET内置的安全基础架构的灵活性。除了在web.config中添加
#2
The thing about "rolling your own" is that it's very easy to get it wrong in subtle ways such that it appears to work. You then, of course, deploy this code and move on to other things with no clue that anything is wrong. After all, it passed all your tests.
关于“滚动你自己”的事情是,它很容易以微妙的方式弄错,以至于看起来有效。然后,当然,您可以部署此代码并继续处理其他事情,而不知道出现任何问题。毕竟,它通过了所有测试。
A year later it turns out your site was hacked six months previously, and you never even knew it until just then.
一年之后,事实证明你的网站在六个月前被黑了,直到那时你才知道它。
Much better to find a way to rely on an implementation written by security experts.
更好地找到一种依赖安全专家编写的实现的方法。
#3
I think you're pretty well set; I would also lock a user out for a time after a certain amount of bad login attempts (1 hour after 5 bad tries?) and check for time between requests (the AjaxControlToolkit "nobot" works wonders here, in my experience).
我觉得你很好;在一定程度的错误登录尝试(5次不良尝试后1小时?)之后,我还会将用户锁定一段时间并检查请求之间的时间(根据我的经验,AjaxControlToolkit“nobot”在这里工作奇迹)。
One option, rather than using your Master page for the security code, is to implement an Interface that the pages (or Master page) can inherit from; this way, if you ever do expand to multiple master pages, or if you have pages outside of the master, you can continue to use the same security-checking code.
一个选项,而不是使用您的主页面作为安全代码,是实现页面(或主页面)可以继承的接口;这样,如果您扩展到多个母版页,或者如果您有母版之外的页面,则可以继续使用相同的安全检查代码。
Depending on your requirements, I'd shy away from (required) security questions; I always forget mine. You're already checking for SSN, BDay, Last Name, username, and password; anyone who knows all of this probably can guess your mother's maiden name.
根据您的要求,我会回避(必需的)安全问题;我总是忘记我的。您已经在检查SSN,BDay,姓氏,用户名和密码;知道所有这一切的人可能会猜到你妈妈的娘家姓。
[edit]
Also, I do think it's a ok to roll your own, as long as you vet it like crazy. Throw some other people at it and see how it holds up. I totally understand the inflexibility of the ASP.NET control options; their controls will probably be more secure (although, you should never blindly trust anything, especially something that you don't know what's going on behind the magical black box), but sometimes you just have to roll your own when it's not flexible enough.
此外,我认为只要你像疯了一样审查它就可以推出自己的产品。扔掉其他人,看看它是如何保持的。我完全理解ASP.NET控件选项的不灵活性;他们的控制可能会更安全(尽管,你永远不应该盲目相信任何东西,尤其是那些你不知道魔法黑盒背后会发生什么的东西),但有时你只需要在它不够灵活的时候自己动手。