Can't we just store in the session if the user is logged in or not and get rid of the .ASPXAUTH?
如果用户登录或不登录,我们是否只能存储在会话中并摆脱.ASPXAUTH?
4 个解决方案
#1
22
ASP.Net_SessionId is a cookie which is used to identify the users session on the server. The session being an area on the server which can be used to store data in between http requests.
ASP.Net_SessionId是一个cookie,用于标识服务器上的用户会话。会话是服务器上的一个区域,可用于在http请求之间存储数据。
For example, the controller action may perform:
例如,控制器动作可以执行:
Session["FirstName"] = model.FirstName;
Then, in a subsequent action the first name can be retrieved from the session:
然后,在后续操作中,可以从会话中检索第一个名称:
var firstName = Session["FirstName"];
The ASP.Net_SessionId identifies the session for that users request. A different user will submit a different cookie and thus Session["FirstName"] will hold a different value for that different user.
ASP.Net_SessionId标识该用户请求的会话。不同的用户将提交不同的cookie,因此Session [“FirstName”]将为该不同的用户保留不同的值。
ASPXAUTH is a cookie to identify if the user is authenticated (that is, has their identity been verified). For example, a controller action may determine if the user has provided the correct login credentials and if so issue a authentication cookie using:
ASPXAUTH是一个cookie,用于标识用户是否已通过身份验证(即,是否已验证其身份)。例如,控制器操作可以确定用户是否提供了正确的登录凭据,如果是,则使用以下方式发出身份验证cookie:
FormsAuthentication.SetAuthCookie(username, false);
Then later you can check if the user is authorised to perform an action by using the [Authorize] attribute which checks for the presence of the ASPXAUTH cookie.
然后,您可以使用[Authorize]属性检查用户是否有权执行操作,该属性检查是否存在ASPXAUTH cookie。
So in summary, the cookies are there for 2 different purposes. One to determine the users session state and one to determine if the user is authenticated.
总而言之,cookie有两种不同的用途。一个用于确定用户会话状态,另一个用于确定用户是否已通过身份验证。
To complete the answer to your question, yes, you could get rid of the ASPXAUTH cookie and just use session to identify the user (I have seen this done in older classic asp applications) but I wouldn't recommend it. It is much better to have a cleaner separation of concerns and use the appropriate method where necessary. The session and authentication will have their own time-out values set. By using the session for authentication you will only have the single time-out. I'm not sure though if there are any security implications in just using session for authentication, but still I would keep them separate.
要完成你的问题的答案,是的,你可以摆脱ASPXAUTH cookie并只使用session来识别用户(我已经看到这在旧的经典asp应用程序中完成),但我不推荐它。更清楚地分离关注点并在必要时使用适当的方法。会话和身份验证将设置自己的超时值。通过使用会话进行身份验证,您将只有一次超时。我不确定在使用会话进行身份验证时是否存在任何安全隐患,但我仍然会将它们分开。
#2
4
.NET issues an entirely different cookie, named ASP.NET_SessionId, to track session state.
.NET发布了一个完全不同的cookie,名为ASP.NET_SessionId,用于跟踪会话状态。
The ASPXAUTH cookie is used to determine if a user is authenticated.
ASPXAUTH cookie用于确定用户是否经过身份验证。
So these are 2 different concept i.e. Session State Management and Authentication Management using Form Authentication.
所以这些是两个不同的概念,即使用表单认证的会话状态管理和认证管理。
If you use Session to Authenticate and forget Form Authentication you will get rid of .ASPXAUTH
如果您使用Session进行身份验证并忘记表单身份验证,您将摆脱.ASPXAUTH
#3
1
Both are required , using either resulting in the following vulnerability:
这两者都是必需的,使用导致以下漏洞:
*ASP.NET_SessionId Alone: Session Fixation
* ASP.NET_SessionId单独:会话固定
*Forms Authentication Cookie Alone: Can’t Terminate Authentication Token on the Server
*表单身份验证Cookie单独:无法终止服务器上的身份验证令牌
Also, you need to ensure they coupled together properly.Otherwise, the configuration also pose risk:
此外,您需要确保它们正确耦合在一起。否则,配置也会带来风险:
*Loosely Coupled ASP.NET_SessionID and Forms Authentication Cookies: Still Vulnerable
*松散耦合的ASP.NET_SessionID和表单身份验证Cookie:仍然易受攻击
ref: http://blog.securityps.com/2013/06/session-fixation-forms-authentication.html
参考:http://blog.securityps.com/2013/06/session-fixation-forms-authentication.html
#4
-1
Session state and authentication have nothing to do with each other. You can use one without the other.
会话状态和身份验证彼此无关。你可以使用一个而不用另一个。
#1
22
ASP.Net_SessionId is a cookie which is used to identify the users session on the server. The session being an area on the server which can be used to store data in between http requests.
ASP.Net_SessionId是一个cookie,用于标识服务器上的用户会话。会话是服务器上的一个区域,可用于在http请求之间存储数据。
For example, the controller action may perform:
例如,控制器动作可以执行:
Session["FirstName"] = model.FirstName;
Then, in a subsequent action the first name can be retrieved from the session:
然后,在后续操作中,可以从会话中检索第一个名称:
var firstName = Session["FirstName"];
The ASP.Net_SessionId identifies the session for that users request. A different user will submit a different cookie and thus Session["FirstName"] will hold a different value for that different user.
ASP.Net_SessionId标识该用户请求的会话。不同的用户将提交不同的cookie,因此Session [“FirstName”]将为该不同的用户保留不同的值。
ASPXAUTH is a cookie to identify if the user is authenticated (that is, has their identity been verified). For example, a controller action may determine if the user has provided the correct login credentials and if so issue a authentication cookie using:
ASPXAUTH是一个cookie,用于标识用户是否已通过身份验证(即,是否已验证其身份)。例如,控制器操作可以确定用户是否提供了正确的登录凭据,如果是,则使用以下方式发出身份验证cookie:
FormsAuthentication.SetAuthCookie(username, false);
Then later you can check if the user is authorised to perform an action by using the [Authorize] attribute which checks for the presence of the ASPXAUTH cookie.
然后,您可以使用[Authorize]属性检查用户是否有权执行操作,该属性检查是否存在ASPXAUTH cookie。
So in summary, the cookies are there for 2 different purposes. One to determine the users session state and one to determine if the user is authenticated.
总而言之,cookie有两种不同的用途。一个用于确定用户会话状态,另一个用于确定用户是否已通过身份验证。
To complete the answer to your question, yes, you could get rid of the ASPXAUTH cookie and just use session to identify the user (I have seen this done in older classic asp applications) but I wouldn't recommend it. It is much better to have a cleaner separation of concerns and use the appropriate method where necessary. The session and authentication will have their own time-out values set. By using the session for authentication you will only have the single time-out. I'm not sure though if there are any security implications in just using session for authentication, but still I would keep them separate.
要完成你的问题的答案,是的,你可以摆脱ASPXAUTH cookie并只使用session来识别用户(我已经看到这在旧的经典asp应用程序中完成),但我不推荐它。更清楚地分离关注点并在必要时使用适当的方法。会话和身份验证将设置自己的超时值。通过使用会话进行身份验证,您将只有一次超时。我不确定在使用会话进行身份验证时是否存在任何安全隐患,但我仍然会将它们分开。
#2
4
.NET issues an entirely different cookie, named ASP.NET_SessionId, to track session state.
.NET发布了一个完全不同的cookie,名为ASP.NET_SessionId,用于跟踪会话状态。
The ASPXAUTH cookie is used to determine if a user is authenticated.
ASPXAUTH cookie用于确定用户是否经过身份验证。
So these are 2 different concept i.e. Session State Management and Authentication Management using Form Authentication.
所以这些是两个不同的概念,即使用表单认证的会话状态管理和认证管理。
If you use Session to Authenticate and forget Form Authentication you will get rid of .ASPXAUTH
如果您使用Session进行身份验证并忘记表单身份验证,您将摆脱.ASPXAUTH
#3
1
Both are required , using either resulting in the following vulnerability:
这两者都是必需的,使用导致以下漏洞:
*ASP.NET_SessionId Alone: Session Fixation
* ASP.NET_SessionId单独:会话固定
*Forms Authentication Cookie Alone: Can’t Terminate Authentication Token on the Server
*表单身份验证Cookie单独:无法终止服务器上的身份验证令牌
Also, you need to ensure they coupled together properly.Otherwise, the configuration also pose risk:
此外,您需要确保它们正确耦合在一起。否则,配置也会带来风险:
*Loosely Coupled ASP.NET_SessionID and Forms Authentication Cookies: Still Vulnerable
*松散耦合的ASP.NET_SessionID和表单身份验证Cookie:仍然易受攻击
ref: http://blog.securityps.com/2013/06/session-fixation-forms-authentication.html
参考:http://blog.securityps.com/2013/06/session-fixation-forms-authentication.html
#4
-1
Session state and authentication have nothing to do with each other. You can use one without the other.
会话状态和身份验证彼此无关。你可以使用一个而不用另一个。