I'm trying to store an xml serialized object in a cookie, but i get an error like this:
我正在尝试将一个xml序列化对象存储在cookie中,但是我收到如下错误:
A potentially dangerous Request.Cookies value was detected from the client (KundeContextCookie="<?xml version="1.0" ...")
I know the problem from similiar cases when you try to store something that looks like javascript code in a form input field.
当您尝试在表单输入字段中存储看起来像javascript代码的内容时,我从类似的情况中了解问题。
What is the best practise here? Is there a way (like the form problem i described) to supress this warning from the asp.net framework, or should i JSON serialize instead or perhaps should i binary serialize it? What is common practise when storing serialized data in a cookie?
这里的最佳做法是什么?是否有一种方法(比如我描述的形式问题)从asp.net框架中抑制此警告,或者我应该使用JSON序列化还是应该二进制序列化它?将序列化数据存储在cookie中时的常见做法是什么?
EDIT: Thanks for the feedback. The reason i want to store more data in the cookie than the ID is because the object i really need takes about 2 seconds to retreive from a service i have no control over. I made a lightweight object 'KundeContext' to hold a few of the properties from the full object, but these are used 90% of the time. This way i only have to call the slow service on 10% of my pages. If i only stored the Id i would still have to call the service on almost all my pages.
编辑:感谢您的反馈。我想在cookie中存储比ID更多的数据的原因是因为我真正需要的对象需要大约2秒才能从我无法控制的服务中进行检索。我创建了一个轻量级对象'KundeContext'来保存完整对象中的一些属性,但这些属性在90%的时间都被使用。这样我只需要在10%的页面上调用慢速服务。如果我只存储了Id,我仍然需要在几乎所有页面上调用该服务。
I could store all the strings and ints seperately but the object has other lightweight objects like 'contactinformation' and 'address' that would be tedious to manually store for each of their properties.
我可以单独存储所有字符串和整数,但对象有其他轻量级对象,如“contactinformation”和“address”,为每个属性手动存储会很繁琐。
4 个解决方案
#1
1
I wouldn't store data in XML in the cookie - there is a limit on cookie size for starters (used to be 4K for all headers including the cookie). Pick a less verbose encoding strategy such as delimiters instead e.g. a|b|c or separate cookie values. Delimited encoding makes it especially easy and fast to decode the values.
我不会在cookie中将数据存储在XML中 - 对于初学者来说,cookie大小有限制(对于包括cookie在内的所有头文件,它都是4K)。选择较不详细的编码策略,例如分隔符,例如a | b | c或单独的cookie值。分隔编码使得解码值变得特别容易和快速。
The error you see is ASP.NET complaining that the headers look like an XSS attack.
您看到的错误是ASP.NET抱怨标题看起来像是XSS攻击。
#2
5
Storing serialized data in a cookie is a very, very bad idea. Since users have complete control over cookie data, it's just too easy for them to use this mechanism to feed you malicious data. In other words: any weakness in your deserialization code becomes instantly exploitable (or at least a way to crash something).
将序列化数据存储在cookie中是一个非常非常糟糕的主意。由于用户可以完全控制cookie数据,因此他们很容易使用此机制来提供恶意数据。换句话说:反序列化代码中的任何弱点都会立即被利用(或者至少是崩溃的方式)。
Instead, only keep the simplest identifier possible in your cookies, of a type of which the format can easily be validated (for example, a GUID). Then, store your serialized data server-side (in a database, XML file on the filesystem, or whatever) and retrieve it using that identifier.
相反,只能在cookie中保留最简单的标识符,其格式可以轻松验证(例如,GUID)。然后,存储序列化数据服务器端(在数据库中,文件系统上的XML文件或其他)并使用该标识符检索它。
Edit: also, in this scenario, make sure that your identifier is random enough to make it infeasible for users to guess each other's identifiers, and impersonate each other by simply changing their own identifier a bit. Again, GUIDs (or ASP.NET session identifiers) work very well for this purpose.
编辑:此外,在这种情况下,请确保您的标识符足够随机,使用户无法猜测彼此的标识符,并通过简单地更改自己的标识符来模仿彼此。同样,GUID(或ASP.NET会话标识符)可以很好地用于此目的。
Second edit after scenario clarification by question owner: why use your own cookies at all in this case? If you keep a reference to either the original object or your lightweight object in the session state (Session object), ASP.NET will take care of all implementation details for you in a pretty efficient way.
问题所有者在方案澄清后进行第二次编辑:在这种情况下,为什么要使用自己的cookie?如果在会话状态(Session对象)中保留对原始对象或轻量级对象的引用,ASP.NET将以非常有效的方式为您处理所有实现细节。
#3
1
Look into the View State. Perhaps you'd like to persist the data across post-backs in the ViewState instead of using cookies. Otherwise, you should probably store the XML on the server and a unique identifier to that data in the cookie, instead.
查看视图状态。也许您希望将数据保存在ViewState中的回发中,而不是使用cookie。否则,您应该将XML存储在服务器上,并在cookie中存储该数据的唯一标识符。
#4
0
You might look into using Session State to store the value. You can configure it to use a cookie to store the session id. This is also more secure, because the value is neither visible or changeable by the user-side.
您可能会考虑使用会话状态来存储值。您可以将其配置为使用cookie来存储会话ID。这也更安全,因为用户端的值既不可见也不可更改。
Another alternative is to use a distributed caching mechanism to store the value. My current favorite is Memcached.
另一种方法是使用分布式缓存机制来存储值。我目前最喜欢的是Memcached。
#1
1
I wouldn't store data in XML in the cookie - there is a limit on cookie size for starters (used to be 4K for all headers including the cookie). Pick a less verbose encoding strategy such as delimiters instead e.g. a|b|c or separate cookie values. Delimited encoding makes it especially easy and fast to decode the values.
我不会在cookie中将数据存储在XML中 - 对于初学者来说,cookie大小有限制(对于包括cookie在内的所有头文件,它都是4K)。选择较不详细的编码策略,例如分隔符,例如a | b | c或单独的cookie值。分隔编码使得解码值变得特别容易和快速。
The error you see is ASP.NET complaining that the headers look like an XSS attack.
您看到的错误是ASP.NET抱怨标题看起来像是XSS攻击。
#2
5
Storing serialized data in a cookie is a very, very bad idea. Since users have complete control over cookie data, it's just too easy for them to use this mechanism to feed you malicious data. In other words: any weakness in your deserialization code becomes instantly exploitable (or at least a way to crash something).
将序列化数据存储在cookie中是一个非常非常糟糕的主意。由于用户可以完全控制cookie数据,因此他们很容易使用此机制来提供恶意数据。换句话说:反序列化代码中的任何弱点都会立即被利用(或者至少是崩溃的方式)。
Instead, only keep the simplest identifier possible in your cookies, of a type of which the format can easily be validated (for example, a GUID). Then, store your serialized data server-side (in a database, XML file on the filesystem, or whatever) and retrieve it using that identifier.
相反,只能在cookie中保留最简单的标识符,其格式可以轻松验证(例如,GUID)。然后,存储序列化数据服务器端(在数据库中,文件系统上的XML文件或其他)并使用该标识符检索它。
Edit: also, in this scenario, make sure that your identifier is random enough to make it infeasible for users to guess each other's identifiers, and impersonate each other by simply changing their own identifier a bit. Again, GUIDs (or ASP.NET session identifiers) work very well for this purpose.
编辑:此外,在这种情况下,请确保您的标识符足够随机,使用户无法猜测彼此的标识符,并通过简单地更改自己的标识符来模仿彼此。同样,GUID(或ASP.NET会话标识符)可以很好地用于此目的。
Second edit after scenario clarification by question owner: why use your own cookies at all in this case? If you keep a reference to either the original object or your lightweight object in the session state (Session object), ASP.NET will take care of all implementation details for you in a pretty efficient way.
问题所有者在方案澄清后进行第二次编辑:在这种情况下,为什么要使用自己的cookie?如果在会话状态(Session对象)中保留对原始对象或轻量级对象的引用,ASP.NET将以非常有效的方式为您处理所有实现细节。
#3
1
Look into the View State. Perhaps you'd like to persist the data across post-backs in the ViewState instead of using cookies. Otherwise, you should probably store the XML on the server and a unique identifier to that data in the cookie, instead.
查看视图状态。也许您希望将数据保存在ViewState中的回发中,而不是使用cookie。否则,您应该将XML存储在服务器上,并在cookie中存储该数据的唯一标识符。
#4
0
You might look into using Session State to store the value. You can configure it to use a cookie to store the session id. This is also more secure, because the value is neither visible or changeable by the user-side.
您可能会考虑使用会话状态来存储值。您可以将其配置为使用cookie来存储会话ID。这也更安全,因为用户端的值既不可见也不可更改。
Another alternative is to use a distributed caching mechanism to store the value. My current favorite is Memcached.
另一种方法是使用分布式缓存机制来存储值。我目前最喜欢的是Memcached。