Is sending the security stamp that ASP.Net Identity creates to the end user in an email a security hole in some fashion? E.g. can a hacker glean anything meaningful from it to attack my application?
将ASP.Net Identity创建的安全标记以某种方式发送给电子邮件中的最终用户安全漏洞?例如。一个黑客可以收集任何有意义的东西来攻击我的应用程序吗?
Details
I've setup an application to send password reset emails to the end user upon request. In addition to the standard link to reset the password I also send another link that tells the user to click it if they did not request a password reset. When this other link is clicked I record details in the database about the incident and in order to prevent double clicks I want to use the security stamp as a check. Immediately after saving this information I reset the security stamp of the user in question.
我已经设置了一个应用程序,可以根据请求向最终用户发送密码重置电子邮件。除了重置密码的标准链接之外,我还发送了另一个链接,告诉用户如果没有请求密码重置,请单击它。当点击这个其他链接时,我在数据库中记录有关事件的详细信息,为了防止双击,我想使用安全标记作为检查。保存此信息后,我立即重置相关用户的安全标记。
1 个解决方案
#1
0
It depends on how you have implemented your security stamp.
这取决于您如何实施安全标记。
Default Identity just generates a GUID for a stamp. In this case it's no less secure than exposing a user's ID. As a related issue you want to make sure nobody can externally manipulate the stamp.
默认标识只为标记生成GUID。在这种情况下,它与暴露用户ID的安全性相当。作为一个相关问题,您要确保没有人可以在外部操纵图章。
If your stamp is calculated and it uses part of the user's identity (such as email, roles, name) you want to make sure that it's hashed.
如果您的印章被计算并且它使用了用户身份的一部分(例如电子邮件,角色,名称),那么您需要确保它是经过哈希处理的。
#1
0
It depends on how you have implemented your security stamp.
这取决于您如何实施安全标记。
Default Identity just generates a GUID for a stamp. In this case it's no less secure than exposing a user's ID. As a related issue you want to make sure nobody can externally manipulate the stamp.
默认标识只为标记生成GUID。在这种情况下,它与暴露用户ID的安全性相当。作为一个相关问题,您要确保没有人可以在外部操纵图章。
If your stamp is calculated and it uses part of the user's identity (such as email, roles, name) you want to make sure that it's hashed.
如果您的印章被计算并且它使用了用户身份的一部分(例如电子邮件,角色,名称),那么您需要确保它是经过哈希处理的。