How secure is the ASP.NET Membership framework?

Time: 2021-09-16 17:48:35

What is the ASP.NET Membership framework's reputation as far as security goes? Are there any typical default configuration settings that are problematic? What best practices are there? Are there any built-in methods to combat things like session hijacking?

3 solutions

#1


5  

In regard to best practices, there is a short WIKI called ASP.NET 2.0 Security Inspection Questions that lists security considerations when using a membership provider. It may be of some use?

#2


2  

Omar AL Zabir blogged on some updates he made to the stored procedures that were needed for a high user site implementation. His suggestion is basically to use either

WITH (NOLOCK)

or

SET TRANSACTION ISOLATION LEVEL READ UNCOMMITTED

before the SELECT queries in the membership stored procedures.

Optimize asp net membership stored procedures for greater speed and scalability

#3


1  

I'm not sure if this is a problem for the ASP.NET Membership bits per se, but don't forget to ensure that there is a secret generated on the server and authenticated on POST so you can be sure that the form post came from your app.

There may be other (better) ways to do this, I'm just sharing what I know.

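The check described in #3 (a secret generated on the server that must come back with the POST, so the server knows the form was served by the app and not by an attacker's page) is the anti-forgery, or CSRF, token. The following is an added example and is not code from the thread or from the ASP.NET Membership framework; it is written in Python to stay language-neutral. The in-memory session store, the hidden field name `__csrf`, the form action URL and the session ids are assumptions for illustration. In ASP.NET MVC the same job is done by the built-in `Html.AntiForgeryToken()` helper in the view paired with the `[ValidateAntiForgeryToken]` attribute on the POST action.

```python
# Added example (not from the original thread): the "secret generated on the
# server and authenticated on POST" pattern from answer #3, i.e. a
# synchronizer-style anti-CSRF token. Session store, field name and URL are
# assumptions for illustration.
import hmac
import re
import secrets

# Constructed in-memory session store standing in for the web framework's
# session state: session id -> per-session CSRF secret.
_SESSIONS = {}


def issue_token(session_id):
    """Create the per-session secret on first use and return it for embedding
    in forms. 32 bytes from the OS CSPRNG, reused for the session's lifetime."""
    token = _SESSIONS.get(session_id)
    if token is None:
        token = secrets.token_urlsafe(32)
        _SESSIONS[session_id] = token
    return token


def render_form(session_id):
    """Emit the form with the secret as a hidden field. A cross-site page can
    make the victim's browser submit this form, but the same-origin policy
    stops it from reading the page that carries the token."""
    token = issue_token(session_id)
    return ('<form method="post" action="/account/change-email">'
            f'<input type="hidden" name="__csrf" value="{token}">'
            '<input name="email"><button>Save</button></form>')


def verify_post(session_id, form_fields):
    """Accept the POST only if the submitted token matches the secret bound to
    this session. No session secret or no submitted field means reject."""
    expected = _SESSIONS.get(session_id)
    submitted = form_fields.get("__csrf")
    if expected is None or not isinstance(submitted, str):
        return False
    # Constant-time comparison so response timing does not leak the secret.
    return hmac.compare_digest(expected.encode("utf-8"), submitted.encode("utf-8"))


def extract_token(html):
    """Pull the hidden field back out of rendered HTML (simulates the browser
    submitting the form the server rendered)."""
    match = re.search(r'name="__csrf" value="([^"]+)"', html)
    return match.group(1) if match else None


if __name__ == "__main__":
    victim = "session-victim"
    # Legitimate flow: server renders the form, browser echoes the token back.
    token = extract_token(render_form(victim))
    print("legit post accepted:",
          verify_post(victim, {"__csrf": token, "email": "me@example.com"}))
    # Forged cross-site POST: the victim's session cookie rides along, but the
    # attacker's page never saw the token, so it is absent or wrong.
    print("forged post (no token):",
          verify_post(victim, {"email": "attacker@example.com"}))
    print("forged post (guessed token):",
          verify_post(victim, {"__csrf": "guess", "email": "attacker@example.com"}))
    # A token from the attacker's own session does not work against the victim's.
    attacker_token = issue_token("session-attacker")
    print("forged post (attacker's token):",
          verify_post(victim, {"__csrf": attacker_token}))
```

The two properties that make this work are that the token is bound to the session (so a token the attacker obtains from their own session is useless against the victim's) and that the server rejects rather than tolerates a missing field; the constant-time comparison is a cheap extra that stops the secret from being recovered byte by byte through response timing.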