会话在更改其 ID 时丢失键和值
Session loses keys and values when changing its ID
我正在更改会话 ID,但是当它重定向到 Default.aspx 页面时,它丢失了我分配给它的所有密钥!
这很奇怪,有什么线索或帮助吗?
即使我在评论这部分:
Session.Clear();
Session.Abandon();
Session.RemoveAll();
if (Request.Cookies["ASP.NET_SessionId"] != null)
{
Response.Cookies["ASP.NET_SessionId"].Value = string.Empty;
Response.Cookies["ASP.NET_SessionId"].Expires = DateTime.Now.AddMonths(-20);
}
它失去了一切!
这是我的代码:
protected void btnDebugLogin_Click(object sender, EventArgs e)
{
try
{
string email = "test@123.com";
string pw = "password";
string ip = Request.UserHostAddress.ToString();
string browseragent = Request.UserAgent.ToString();
ConsoleUser loginUser = new ConsoleUser();
AbandonSession();//Delete any existing sessions
var newSessionId = CreateSessionId(HttpContext.Current); //Create a new SessionId
SetSessionId(HttpContext.Current, newSessionId);
loginUser = SecureLogin.Login(email, pw, ip, browseragent, referrer, LangCode, Session.SessionID.ToString(), null);
if (loginUser == null)
{
lblMsg.Visible = true;
}
else
{
Session["CurrentUser"] = loginUser;
Session["CurrentLoginID"] = loginUser.CurrentLoginId; // Used for tracking User Activity in KeepSessionAlive
Response.Redirect("/qConsole/Default.aspx",false);
}
}
catch(Exception ex)
{
}
}
protected void AbandonSession()
{
Session.Clear();
Session.Abandon();
Session.RemoveAll();
if (Request.Cookies["ASP.NET_SessionId"] != null)
{
Response.Cookies["ASP.NET_SessionId"].Value = string.Empty;
Response.Cookies["ASP.NET_SessionId"].Expires = DateTime.Now.AddMonths(-20);
}
if (Request.Cookies["__AntiXsrfToken"] != null)
{
Response.Cookies["__AntiXsrfToken"].Value = string.Empty;
Response.Cookies["__AntiXsrfToken"].Expires = DateTime.Now.AddMonths(-20);
}
}
private static string CreateSessionId(HttpContext httpContext)
{
var manager = new SessionIDManager();
string newSessionId = manager.CreateSessionID(httpContext);
return newSessionId;
}
public static void SetSessionId(HttpContext httpContext, string newSessionId)
{
var manager = new SessionIDManager();
bool redirected;
bool cookieAdded;
manager.SaveSessionID(httpContext, newSessionId, out redirected, out cookieAdded);
}
并且验证部分在加载 Default.apsx 页面之前在母版页中完成,此处:
protected void Page_Init(object sender, EventArgs e)
{
if (Session["CurrentUser"] == null)
{
Response.Redirect("/");
}
// ..
}
这是告诉客户端使用新会话 ID 的预期结果。值仍在旧会话中,但旧会话和新会话之间没有连接。 Session 在请求周期的早期附加到请求,并且在处理期间更改 cookie 值不会影响附加到用户请求的会话,直到下一个请求到来。你想要做的是清除 cookie当您第一次呈现页面时,而不是当他们单击按钮时。我在回答 .
中提到了会话管理的其他一些微妙之处
您已将此问题标记为 csrf,但您的解决方案对该攻击没有任何作用。重置会话 ID 防止的是会话固定。
我正在更改会话 ID,但是当它重定向到 Default.aspx 页面时,它丢失了我分配给它的所有密钥!
这很奇怪,有什么线索或帮助吗?
即使我在评论这部分:
Session.Clear(); Session.Abandon(); Session.RemoveAll(); if (Request.Cookies["ASP.NET_SessionId"] != null) { Response.Cookies["ASP.NET_SessionId"].Value = string.Empty; Response.Cookies["ASP.NET_SessionId"].Expires = DateTime.Now.AddMonths(-20); }
它失去了一切!
这是我的代码:
protected void btnDebugLogin_Click(object sender, EventArgs e)
{
try
{
string email = "test@123.com";
string pw = "password";
string ip = Request.UserHostAddress.ToString();
string browseragent = Request.UserAgent.ToString();
ConsoleUser loginUser = new ConsoleUser();
AbandonSession();//Delete any existing sessions
var newSessionId = CreateSessionId(HttpContext.Current); //Create a new SessionId
SetSessionId(HttpContext.Current, newSessionId);
loginUser = SecureLogin.Login(email, pw, ip, browseragent, referrer, LangCode, Session.SessionID.ToString(), null);
if (loginUser == null)
{
lblMsg.Visible = true;
}
else
{
Session["CurrentUser"] = loginUser;
Session["CurrentLoginID"] = loginUser.CurrentLoginId; // Used for tracking User Activity in KeepSessionAlive
Response.Redirect("/qConsole/Default.aspx",false);
}
}
catch(Exception ex)
{
}
}
protected void AbandonSession()
{
Session.Clear();
Session.Abandon();
Session.RemoveAll();
if (Request.Cookies["ASP.NET_SessionId"] != null)
{
Response.Cookies["ASP.NET_SessionId"].Value = string.Empty;
Response.Cookies["ASP.NET_SessionId"].Expires = DateTime.Now.AddMonths(-20);
}
if (Request.Cookies["__AntiXsrfToken"] != null)
{
Response.Cookies["__AntiXsrfToken"].Value = string.Empty;
Response.Cookies["__AntiXsrfToken"].Expires = DateTime.Now.AddMonths(-20);
}
}
private static string CreateSessionId(HttpContext httpContext)
{
var manager = new SessionIDManager();
string newSessionId = manager.CreateSessionID(httpContext);
return newSessionId;
}
public static void SetSessionId(HttpContext httpContext, string newSessionId)
{
var manager = new SessionIDManager();
bool redirected;
bool cookieAdded;
manager.SaveSessionID(httpContext, newSessionId, out redirected, out cookieAdded);
}
并且验证部分在加载 Default.apsx 页面之前在母版页中完成,此处:
protected void Page_Init(object sender, EventArgs e)
{
if (Session["CurrentUser"] == null)
{
Response.Redirect("/");
}
// ..
}
这是告诉客户端使用新会话 ID 的预期结果。值仍在旧会话中,但旧会话和新会话之间没有连接。 Session 在请求周期的早期附加到请求,并且在处理期间更改 cookie 值不会影响附加到用户请求的会话,直到下一个请求到来。你想要做的是清除 cookie当您第一次呈现页面时,而不是当他们单击按钮时。我在回答 .
中提到了会话管理的其他一些微妙之处您已将此问题标记为 csrf,但您的解决方案对该攻击没有任何作用。重置会话 ID 防止的是会话固定。