ASP.NET Core Identity cookie replay attack
I am trying to prevent replay attacks using a valid authentication cookie against an ASP.NET Core application that uses the default Identity setup.
I have tried a few things, but nothing seems to work. After the user logs out of the session, I can see that I can still replay authenticated requests using the old cookie.
Is there any way to avoid this?
Thanks
ASP.NET Core does not track sessions server-side. All session information is contained in the cookie itself (see this issue).
If you want to prevent replay attacks, you need to track sessions yourself. A convenient way is to implement an ITicketStore
(see SessionStore). Tip: if you don't want your users to be logged out unexpectedly, make sure your store survives IIS restarts.
Before doing so, you should of course assess whether a replay attack is a real threat to your setup. Quoting this article:
If you make sure your site is only ever served over HTTPS, and your cookies are set as "secure", "same site", and "HTTP only", then an attacker will not be able to obtain the cookie value unless they have managed to perform a man-in-the-middle (MitM) attack. And if they've done that, you've got much bigger problems.
And:
Another concern would be if their computer or browser is compromised by malicious code. But again, if that happens, they've got bigger problems to worry about.
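As an added example (not code from the original answer or from ASP.NET Core itself), here is a minimal ITicketStore together with its registration via ConfigureApplicationCookie. With a SessionStore configured, the cookie carries only a key into the store, and the cookie handler removes the stored ticket on sign-out, so a replayed cookie no longer resolves to an identity. The ConcurrentDictionary is an assumed, single-process placeholder; a real deployment would back the store with a persistent or distributed cache so sessions survive restarts, as the answer's tip says.

```csharp
using System.Collections.Concurrent;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;

// Server-side ticket store: the cookie holds only the key, the ticket stays here.
// In-memory storage is a placeholder for this example; it is lost on restart
// and not shared between instances.
public sealed class InMemoryTicketStore : ITicketStore
{
    private readonly ConcurrentDictionary<string, AuthenticationTicket> _tickets = new();

    public Task<string> StoreAsync(AuthenticationTicket ticket)
    {
        // Random, unguessable key; this is the only value that ends up in the cookie.
        var key = Guid.NewGuid().ToString("N");
        _tickets[key] = ticket;
        return Task.FromResult(key);
    }

    public Task RenewAsync(string key, AuthenticationTicket ticket)
    {
        _tickets[key] = ticket; // sliding expiration refreshes the stored ticket
        return Task.CompletedTask;
    }

    public Task<AuthenticationTicket?> RetrieveAsync(string key)
    {
        // Unknown key (e.g. removed at logout) yields null, so the request is anonymous.
        _tickets.TryGetValue(key, out var ticket);
        return Task.FromResult(ticket);
    }

    public Task RemoveAsync(string key)
    {
        // Called by the cookie handler on SignOutAsync; the old cookie is now useless.
        _tickets.TryRemove(key, out _);
        return Task.CompletedTask;
    }
}

// Program.cs wiring for the default Identity application cookie.
var builder = WebApplication.CreateBuilder(args);
builder.Services.ConfigureApplicationCookie(options =>
{
    options.SessionStore = new InMemoryTicketStore();
    // The cookie hardening the quoted article recommends.
    options.Cookie.HttpOnly = true;
    options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
    options.Cookie.SameSite = SameSiteMode.Strict;
});
```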