zoukankan      html  css  js  c++  java
  • ASP.NET replay attack detection again 解决方案

    ASP.NET replay attack detection again

    Even ASP.NET Authentication says clearly that you have to have a secondary check to confirm if user is still an active logged in user (for example, we could block the user, user may have changed his password), Forms Authentication ticket does not offer any security against these things.

    UserSession has nothing to do with ASP.NET MVC Session, it is just a name here

    The solution I have implemented is,

    1. Create a UserSessions table in the database with UserSessionID (PK, Identity) UserID (FK) DateCreated, DateUpdated
    2. FormsAuthenticationTicket has a field called UserData, you can save UserSessionID in it.

    When User Logs in

    public void DoLogin(){
    
         // do not call this ...
         // FormsAuthentication.SetAuthCookie(....
    
         DateTime dateIssued = DateTime.UtcNow;
    
         var sessionID = db.CreateSession(UserID);
         var ticket = new FormsAuthenticationTicket(
                userName,
                dateIssued,
                dateIssued.Add(FormsAuthentication.Timeout),
                iSpersistent,
                // userData
                sessionID.ToString());
    
         HttpCookie cookie = new HttpCookie(
             FormsAuthentication.CookieName,
             FormsAuthentication.Encrypt(ticket));
         cookie.Expires = ticket.Expires;
         if(FormsAuthentication.CookieDomain!=null)
             cookie.Domain = FormsAuthentication.CookieDomain;
         cookie.Path = FormsAuthentication.CookiePath;
         Response.Cookies.Add(cookie);
    
    }

    To Authorize User

    Global.asax class enables to hook into Authorize

    public void Application_Authorize(object sender, EventArgs e){
         var user = Context.User;
         if(user == null)   
             return;
    
         FormsIdentity formsIdentity = user.Identity as FormsIdentity;
         long userSessionID = long.Parse(formsIdentity.UserData);
    
         string cacheKey = "US-" + userSessionID;
    
         // caching to improve performance
         object result = HttpRuntime.Cache[cacheKey];
         if(result!=null){
             // if we had cached that user is alright, we return..
             return;
         }
    
         // hit the database and check if session is alright
         // If user has logged out, then all UserSessions should have been
         // deleted for this user
         UserSession session = db.UserSessions
               .FirstOrDefault(x=>x.UserSessionID == userSessionID);
         if(session != null){
    
              // update session and mark last date
              // this helps you in tracking and you
              // can also delete sessions which were not
              // updated since long time...
              session.DateUpdated = DateTime.UtcNow;
              db.SaveChanges();
    
              // ok user is good to login
              HttpRuntime.Cache.Add(cacheKey, "OK", 
                   // set expiration for 5 mins
                   DateTime.UtcNow.AddMinutes(5)..)
    
             // I am setting cache for 5 mins to avoid
             // hitting database for all session validation
             return;
         }
    
         // ok validation is wrong....
    
    
         throw new UnauthorizedException("Access denied");
    
    }

    When User Logs out

    public void Logout(){
    
        // get the ticket..
        FormsIdentity f = Context.User.Identity as FormsIdentity;
        long sessionID = long.Parse(f.UserData);
    
        var session = db.UserSessions.First(x=>x.UserSessionID = sessionID);
        db.UserSession.Remove(session);
        db.SaveChanges();
    
        FormsAuthentication.Signout();
    }

    ** When user changes password or user is blocked or user is deleted... **

    public void ChangePassword(){
    
        // get the ticket..
        FormsIdentity f = Context.User.Identity as FormsIdentity;
        long sessionID = long.Parse(f.UserData);
    
        var session = db.UserSessions.First(x=>x.UserSessionID = sessionID);
    
        // delete all sessions for the same user id
        // this will force user to relogin on all other
        // devices...
        db.Database.ExecuteSql(
            "DELETE FROM UerSessions WHERE UserID=@UserID",
            new SqlParameter("@UserID", session.UserID));
    }
  • 相关阅读:
    激活程序进程并显示最前
    ClickOnce 部署 API 以编程方式检查应用程序更新
    管理员权限运行
    扩展支持全选的CheckBox列。
    转 winfrom组件圆角
    转 无边框四周阴影
    转 实现类似QQ的窗体停靠
    关闭ShowDialog的模态窗口
    TextBox 显示横线
    转 无损转换Image为Icon
  • 原文地址:https://www.cnblogs.com/chucklu/p/13164460.html
Copyright © 2011-2022 走看看