提问人:Hadi Mohammadi 提问时间:2/20/2018 更新时间:2/20/2018 访问量:653
检索随机生成的会话 ID coockie 名称 asp.net
Retrive randomly generated session id coockie name asp.net
问:
我想用一些随机生成的字符串更改 asp.net cookie 名称,并对其值进行哈希处理。我都做过,但问题是我不知道如何获取“ASP.NET_SessionId并检查哈希值是否有效。目的是防止会话劫持。ASP.NET_SessionId
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
LoginPath = new PathString("/Account/Login"),
Provider = new CookieAuthenticationProvider
{
OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<Identity.ApplicationUserManager, DatabaseHelper.DatabaseModels.User>(
validateInterval: TimeSpan.FromMinutes(15),
regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
},
CookieName = Utility.Globals.GenrateRandomString(10),
});
这就是我改变“ASP.NET_SessionId”的方式。我还使用以下代码检查哈希值
protected void Application_BeginRequest(object sender, EventArgs e)
{
//Check If it is a new session or not , if not then do the further checks
if (Request.Cookies["ASP.NET_SessionId"] != null && Request.Cookies["ASP.NET_SessionId"].Value != null)
{
string newSessionID = Request.Cookies["ASP.NET_SessionID"].Value;
//Check the valid length of your Generated Session ID
if (newSessionID.Length <= 24)
{
//Log the attack details here
Response.Cookies["TriedTohack"].Value = "True";
throw new HttpException("Invalid Request");
}
//Genrate Hash key for this User,Browser and machine and match with the Entered NewSessionID
if (GenerateHashKey() != newSessionID.Substring(24))
{
//Log the attack details here
Response.Cookies["TriedTohack"].Value = "True";
throw new HttpException("Invalid Request");
}
//Use the default one so application will work as usual//ASP.NET_SessionId
Request.Cookies["ASP.NET_SessionId"].Value = Request.Cookies["ASP.NET_SessionId"].Value.Substring(0, 24);
}
}
答: 暂无答案
评论