我应该为公共站点扩展ASP.NET安全性吗?

时间:2021-06-04 03:13:44

I have a ASP.NET MVC site with a private site administration application secured with ASP.NET sql-backed authorization. I need to add a login for the public site to allow visitors to sign up for an account.

我有一个ASP.NET MVC站点,其中一个私有站点管理应用程序使用ASP.NET sql支持的授权进行保护。我需要为公共网站添加登录信息,以允许访问者注册帐户。

I am thinking I should create totally seperate storage for the public site, rather than extend the existing user db and rely on roles to keep public users out of the back office. Is there any reason not to do this?

我认为我应该为公共站点创建完全独立的存储,而不是扩展现有的用户数据库并依靠角色来阻止公共用户离开后台。有什么理由不这样做吗?

3 个解决方案

#1


1  

Yes there is. You can isolate the private database from the public database. Create 2 database user accounts, make sure they only have access to the 1 database they need. The public and private apps will use different accounts. Then lock down the database accounts to make sure they only have the rights needed for the web app to function. (I'm not sure what database you are using. if you are using ms-sql make sure they don't have access to xp_cmdshell, if you are under mysql make sure the account doesn't have FILE privileges. There are other considerations but this is outside the scope of this question.)

就在这里。您可以将私有数据库与公共数据库隔离。创建2个数据库用户帐户,确保他们只能访问他们需要的1个数据库。公共和私人应用将使用不同的帐户。然后锁定数据库帐户以确保它们仅具有Web应用程序运行所需的权限。 (我不确定你使用的数据库。如果你使用的是ms-sql,请确保他们无权访问xp_cmdshell,如果你在mysql下,请确保该帐户没有FILE权限。还有其他注意事项但这超出了这个问题的范围。)

If a SQL Injection vulnerability is found in the public part of your site then they will be able to access that one database leaving your private site unaffected by the attack.

如果在站点的公共部分中发现SQL注入漏洞,则他们将能够访问该数据库,从而使您的私有站点不受攻击影响。

#2


0  

Time and potentially money would be one reason. Otherwise, if you have the time. Depending on the need, not knowing exactly the issues at hand, it could also add a lot of complexity...

时间和潜在的资金将是一个原因。否则,如果你有时间。根据需要,不确切知道手头的问题,它也可能增加很多复杂性......

HTH.

HTH。

#3


0  

Will you ever have a user with more than one role? Could you end up storing the same user in more than one database? If so, I would keep your users in a unified DB.

你有没有一个角色的用户?你最终可以将同一个用户存储在多个数据库中吗?如果是这样,我会将您的用户保留在统一的数据库中。

#1


1  

Yes there is. You can isolate the private database from the public database. Create 2 database user accounts, make sure they only have access to the 1 database they need. The public and private apps will use different accounts. Then lock down the database accounts to make sure they only have the rights needed for the web app to function. (I'm not sure what database you are using. if you are using ms-sql make sure they don't have access to xp_cmdshell, if you are under mysql make sure the account doesn't have FILE privileges. There are other considerations but this is outside the scope of this question.)

就在这里。您可以将私有数据库与公共数据库隔离。创建2个数据库用户帐户,确保他们只能访问他们需要的1个数据库。公共和私人应用将使用不同的帐户。然后锁定数据库帐户以确保它们仅具有Web应用程序运行所需的权限。 (我不确定你使用的数据库。如果你使用的是ms-sql,请确保他们无权访问xp_cmdshell,如果你在mysql下,请确保该帐户没有FILE权限。还有其他注意事项但这超出了这个问题的范围。)

If a SQL Injection vulnerability is found in the public part of your site then they will be able to access that one database leaving your private site unaffected by the attack.

如果在站点的公共部分中发现SQL注入漏洞,则他们将能够访问该数据库,从而使您的私有站点不受攻击影响。

#2


0  

Time and potentially money would be one reason. Otherwise, if you have the time. Depending on the need, not knowing exactly the issues at hand, it could also add a lot of complexity...

时间和潜在的资金将是一个原因。否则,如果你有时间。根据需要,不确切知道手头的问题,它也可能增加很多复杂性......

HTH.

HTH。

#3


0  

Will you ever have a user with more than one role? Could you end up storing the same user in more than one database? If so, I would keep your users in a unified DB.

你有没有一个角色的用户?你最终可以将同一个用户存储在多个数据库中吗?如果是这样,我会将您的用户保留在统一的数据库中。