So basically I'm wondering how safe my way of using Session variables is.
I have a login form where the user types his username/password; it gets parametrized then queried, and if the username/password exists, a userID is returned from the db table. This is unique for every user.
When I have this value, this is where I'm wondering whether this is a safe way of storing the userID inside the session variable uID. Anyhow, this is how I do it:
Session["uID"] = (int)dt.DefaultView[0]["userID"];
FormsAuthentication.RedirectFromLoginPage(username.Text, false);
Response.Redirect("userPage.aspx", false);
Then the page is redirected to another page where I use the session variable to fetch the user's tables from the db.
Thanks in advance for your feedback.
5 Answers
#1
35
Session state is kept entirely server-side, no matter which storage method you use (in-memory, session state server or database).
So unless your server is hacked, Session variables are safe. And in case your server does get hacked, the hacker would only have access to the data in his own session, unless he finds a way to analyze the IIS process' memory.
#2
12
Very safe. .NET session variables are not the same as cookie variables, which can be viewed from the client side; Session variables in this instance are only accessible from the C# code.
So you can be safe in the knowledge that the Session variable can't be edited by anyone/thing other than the code running in the background.
Not fully related to your question, but might be good to know in your case:
You can also store a whole object in the Session, so you could store a user object in session such as
user_Class user = new user_Class();
user.UID = 1;
Session["User"] = user;
Then you load it back in on load of each page.
user_Class user = (user_Class)Session["User"];
Then you could get user.UID from session each time.
#3
2
All good until your website outgrows a single server. Then you have to migrate your session provider to a state server or back it off with sql server which ends up being a little sucky.
See http://msdn.microsoft.com/en-us/library/ms178201%28v=vs.80%29.aspx for a comprehensive list of issues around session security.
#4
2
When it comes to sessions you can very well rest assured that the data is not directly accessible. If for some reason your application ever returns data directly from the session that could potentially be exploited but there's seldom any reason to do this so the risk is fairly minimal.
The riskiest part about sessions comes in the form of session hijacking. See, even though all your data is stored safely on the server we still have that whole "HTTP is stateless" issue to deal with. So some kind of identifier has to be stored on the client so that the server can look up the proper session data. But if somehow another system gets ahold of that ID then they can pretend to be you for as long as the server keeps the session active.
Aside from continuously addressing any cross site scripting potential in your website there isn't really much you can do about this without a secure connection. Even then it can be improperly implemented.
#5
0
You are still vulnerable even if YOUR SERVER IS NOT COMPROMISED: a session can be easily hijacked using a MITM attack, and when an attacker gets your session he can do anything you can do.
You can use techniques to avoid session hijacking, but remember you are still vulnerable if there is a coding problem etc. which leaves your application vulnerable.
Using SSL
SSL your site
Generate Hash
Protect the session
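The mitigations answers #4 and #5 point at (keep the cookies off plain HTTP, and don't trust the session ID blindly) in working ASP.NET Web Forms code, as an added example that is not code from the question or from any answer. It assumes System.Web on .NET Framework and a second session key "uName" next to the question's "uID"; the Secure cookie flag and Request.IsSecureConnection assume TLS terminates at IIS itself.

```csharp
// Added example, not from the question/answers; assumes ASP.NET Web Forms (.NET Framework).
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

public static class SessionLogin
{
    // Login page, Page_Load when !IsPostBack: a session ID that existed before
    // authentication may have been planted (session fixation), so abandon it and
    // expire its cookie; ASP.NET issues a fresh ID on the next request (the POST).
    public static void ResetPreLoginSession(HttpContext ctx)
    {
        ctx.Session.Abandon();
        ctx.Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", string.Empty)
            { Expires = DateTime.UtcNow.AddDays(-1), HttpOnly = true, Secure = true });
    }
    // After the parameterised username/password query returned userId. Session keeps
    // the ID, the forms ticket the name ("uName" is an assumed extra key); pages check they agree.
    public static void Complete(HttpContext ctx, string username, int userId)
    {
        ctx.Session["uID"] = userId;
        ctx.Session["uName"] = username;
        FormsAuthentication.RedirectFromLoginPage(username, false); // non-persistent
    }
}

// Base class for pages reading Session["uID"]. Pair with web.config
// <httpCookies httpOnlyCookies="true" requireSSL="true"/> and <forms requireSSL="true"/>.
public class AuthenticatedPage : Page
{
    protected int CurrentUserId { get; private set; }
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        bool ok = Request.IsSecureConnection && User.Identity.IsAuthenticated
               && Session["uID"] is int
               && string.Equals(Session["uName"] as string, User.Identity.Name,
                                StringComparison.Ordinal);
        // Missing or mismatched ticket/session (e.g. a stolen or planted session
        // cookie without the matching ticket): start over as anonymous.
        if (!ok)
        {
            Session.Abandon();
            FormsAuthentication.SignOut();
            FormsAuthentication.RedirectToLoginPage(); // ends the response
        }
        CurrentUserId = (int)Session["uID"];
    }
}
```

Behind a TLS-terminating load balancer, Request.IsSecureConnection is false for every request, so that check would then have to read the proxy's forwarded-protocol header instead.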