We have a web application that is publicly accessible. When a user is logged in he fills his personal details.
我们有一个可公开访问的Web应用程序。当用户登录时,他填写了他的个人详细信息。
The Problem The user may forget to close the browser in a kiosk or a shared environment, potentially allowing some other user to see his personal information.
问题用户可能忘记在自助服务终端或共享环境中关闭浏览器,可能允许其他用户查看他的个人信息。
We are using a session timeout of 5 min,
我们使用的会话超时为5分钟,
My Thoughts Is it better to build a separate app for Kiosks environment where i can ask the users Is this a shared computer or public. If yes how would i Implement it further?
我的想法为Kiosks环境构建一个单独的应用程序更好,我可以询问用户这是一个共享计算机还是公共计算机。如果是,我将如何进一步实施?
For every 3 minutes of inactivity we want to prompt the user: "Do you want to continue?" If yes, get confirmation for password, just to make it more secure.
对于每3分钟不活动,我们想提示用户:“你想继续吗?”如果是,请获取密码确认,以使其更安全。
I have seen the below link Security considerations for an ASP.Net web application that will be used on a public computer or kiosk
我已经看到了将在公共计算机或信息亭上使用的ASP.Net Web应用程序的以下链接安全注意事项
Could you please share more thoughts on this issue: how to make it more secure.
你能不能就这个问题分享更多的想法:如何让它更安全。
1 个解决方案
#1
1
You will have to use JavaScript of some sort. The server does not have the ability to update the client Web page without some sort of client side scripting (obviously JavaScript) to handle a request. I have done something similar, asking a user if they want to keep their session alive through showing a Pop-Up message. But in your case it seems like you should create a DNN page for re-login and add a custom module or HTML block with a simple JavaScript in it to every page you want to check logins (or put it in your template header or footer) which redirects the user to a re-login screen. Something like:
您将不得不使用某种JavaScript。如果没有某种客户端脚本(显然是JavaScript)来处理请求,服务器就无法更新客户端Web页面。我做了类似的事情,询问用户是否希望通过显示弹出消息来保持会话活动。但在您的情况下,似乎您应该创建一个DNN页面以便重新登录,并在其中添加一个带有简单JavaScript的自定义模块或HTML块到您要检查登录的每个页面(或将其放在模板页眉或页脚中)它将用户重定向到重新登录屏幕。就像是:
function setHeartbeat() {
setTimeout("heartbeat()", 300000); // every 5 min
}
function heartbeat() {
window.location.href = "Relogin.aspx?LastPage=" + window.location.href;
}
then Relogin.aspx will have a message at the top that the user has been idle for 3 minutes, and provide the password box. After the user logs in you can redirect them back to LastPage (it's been a hwile since I've used DNN, but I think there is a way to format the URL so it automatically redirects).
然后Relogin.aspx将在顶部有一条消息,表示用户已空闲3分钟,并提供密码框。在用户登录后,您可以将它们重定向回LastPage(自从我使用DNN以来,它一直是个hwile,但我认为有一种方法可以格式化URL以便自动重定向)。
A more user friendly option would be to show a Pop-Up after the 3 minutes, showing a message and password field with an OK button. Again, this can be done with jQuery, where you have something like:
更加用户友好的选项是在3分钟后显示弹出窗口,显示带有OK按钮的消息和密码字段。同样,这可以通过jQuery来完成,你可以在这里使用:
<div id="confirmSession" style="display: none">
<p class="message" style="display: none;"></p>
<p>You have been idle for 3 minutes, if you want to continue your session please re-enter your password.</p>
<p>Password: <input type="password" id="password" /></p>
<input type="button" id="btnContinueSession" />
<input type="hidden" id="userName" value='<%# HttpContext.Current.User.Principal.Identity %>' />
</div>
and the following JavaScript:
和以下JavaScript:
function setHeartbeat() {
setTimeout("heartbeat()", 300000); // every 5 min
}
function heartbeat() {
$("#confirmSession").show();
}
$("#btnContinueSession").click(function () {
$.ajax({
type: "post",
url: "/relogin.aspx",
error: function(returnval) {
// Login failed for some reason, typically page not available 404 error, or code threw an error. so have the user try again.
$(".message").text(returnval + " failure");
$(".message").show();
},
success: function (returnval) {
$("#confirmSession").hide();
setHeartbeat();
}
});
});
Here you'll have to create a relogin.aspx page or some other service which will take in the username and password, re-validate the user, then either throw an error if the password was invalid (caught in the jQuery above and shown to the user). This is obviously a bit more work, and will need custom coding for the validation, versus simply redirecting to a login screen, but it much more user friendly.
在这里你必须创建一个relogin.aspx页面或一些其他服务,它将接受用户名和密码,重新验证用户,然后如果密码无效则抛出错误(在上面的jQuery中捕获并显示为用户)。这显然需要更多的工作,并且需要自定义编码进行验证,而不是简单地重定向到登录屏幕,但它更加用户友好。
In this Ajax approach, it's worth noting that your server session timeout may have to be longer than 3 minutes. If it's three minutes or less, and the user enters their password, they will already be logged out of the server, and you'll get an invalid authentication error. So overall redirecting to the login page may make the most sense. But you'll want to make sure that if a user has entered data that you save it in a cookie or somehow, so you can re-fill it (I've heard hundreds of times of people being frustrated that their data was "lost").
在这种Ajax方法中,值得注意的是服务器会话超时可能必须超过3分钟。如果是三分钟或更短时间,并且用户输入了密码,则他们已经从服务器注销,并且您将收到无效的身份验证错误。因此,整体重定向到登录页面可能是最有意义的。但是你要确保如果用户输入了你将它保存在cookie中的数据或者某种方式,那么你可以重新填充它(我听说有数百次的人因为他们的数据“丢失而感到沮丧” “)。
Examples I've taken from are:
我从中得到的例子是:
- Keeping Session alive with jQuery
- 用jQuery保持Session活着
- * Ajax Post success error
- * Ajax发布成功错误
- * keeping session open/alive
- *保持会话打开/活动
#1
1
You will have to use JavaScript of some sort. The server does not have the ability to update the client Web page without some sort of client side scripting (obviously JavaScript) to handle a request. I have done something similar, asking a user if they want to keep their session alive through showing a Pop-Up message. But in your case it seems like you should create a DNN page for re-login and add a custom module or HTML block with a simple JavaScript in it to every page you want to check logins (or put it in your template header or footer) which redirects the user to a re-login screen. Something like:
您将不得不使用某种JavaScript。如果没有某种客户端脚本(显然是JavaScript)来处理请求,服务器就无法更新客户端Web页面。我做了类似的事情,询问用户是否希望通过显示弹出消息来保持会话活动。但在您的情况下,似乎您应该创建一个DNN页面以便重新登录,并在其中添加一个带有简单JavaScript的自定义模块或HTML块到您要检查登录的每个页面(或将其放在模板页眉或页脚中)它将用户重定向到重新登录屏幕。就像是:
function setHeartbeat() {
setTimeout("heartbeat()", 300000); // every 5 min
}
function heartbeat() {
window.location.href = "Relogin.aspx?LastPage=" + window.location.href;
}
then Relogin.aspx will have a message at the top that the user has been idle for 3 minutes, and provide the password box. After the user logs in you can redirect them back to LastPage (it's been a hwile since I've used DNN, but I think there is a way to format the URL so it automatically redirects).
然后Relogin.aspx将在顶部有一条消息,表示用户已空闲3分钟,并提供密码框。在用户登录后,您可以将它们重定向回LastPage(自从我使用DNN以来,它一直是个hwile,但我认为有一种方法可以格式化URL以便自动重定向)。
A more user friendly option would be to show a Pop-Up after the 3 minutes, showing a message and password field with an OK button. Again, this can be done with jQuery, where you have something like:
更加用户友好的选项是在3分钟后显示弹出窗口,显示带有OK按钮的消息和密码字段。同样,这可以通过jQuery来完成,你可以在这里使用:
<div id="confirmSession" style="display: none">
<p class="message" style="display: none;"></p>
<p>You have been idle for 3 minutes, if you want to continue your session please re-enter your password.</p>
<p>Password: <input type="password" id="password" /></p>
<input type="button" id="btnContinueSession" />
<input type="hidden" id="userName" value='<%# HttpContext.Current.User.Principal.Identity %>' />
</div>
and the following JavaScript:
和以下JavaScript:
function setHeartbeat() {
setTimeout("heartbeat()", 300000); // every 5 min
}
function heartbeat() {
$("#confirmSession").show();
}
$("#btnContinueSession").click(function () {
$.ajax({
type: "post",
url: "/relogin.aspx",
error: function(returnval) {
// Login failed for some reason, typically page not available 404 error, or code threw an error. so have the user try again.
$(".message").text(returnval + " failure");
$(".message").show();
},
success: function (returnval) {
$("#confirmSession").hide();
setHeartbeat();
}
});
});
Here you'll have to create a relogin.aspx page or some other service which will take in the username and password, re-validate the user, then either throw an error if the password was invalid (caught in the jQuery above and shown to the user). This is obviously a bit more work, and will need custom coding for the validation, versus simply redirecting to a login screen, but it much more user friendly.
在这里你必须创建一个relogin.aspx页面或一些其他服务,它将接受用户名和密码,重新验证用户,然后如果密码无效则抛出错误(在上面的jQuery中捕获并显示为用户)。这显然需要更多的工作,并且需要自定义编码进行验证,而不是简单地重定向到登录屏幕,但它更加用户友好。
In this Ajax approach, it's worth noting that your server session timeout may have to be longer than 3 minutes. If it's three minutes or less, and the user enters their password, they will already be logged out of the server, and you'll get an invalid authentication error. So overall redirecting to the login page may make the most sense. But you'll want to make sure that if a user has entered data that you save it in a cookie or somehow, so you can re-fill it (I've heard hundreds of times of people being frustrated that their data was "lost").
在这种Ajax方法中,值得注意的是服务器会话超时可能必须超过3分钟。如果是三分钟或更短时间,并且用户输入了密码,则他们已经从服务器注销,并且您将收到无效的身份验证错误。因此,整体重定向到登录页面可能是最有意义的。但是你要确保如果用户输入了你将它保存在cookie中的数据或者某种方式,那么你可以重新填充它(我听说有数百次的人因为他们的数据“丢失而感到沮丧” “)。
Examples I've taken from are:
我从中得到的例子是:
- Keeping Session alive with jQuery
- 用jQuery保持Session活着
- * Ajax Post success error
- * Ajax发布成功错误
- * keeping session open/alive
- *保持会话打开/活动