为了防止会话劫持，我在所在的公司实施了以下方案（一个为 ASP.NET_SessionId Cookie 追加 MAC 的 HttpModule）：
// HMAC key shared by every instance of this module: loaded once in Init() via GetKey()
// and passed as the validationKey to CreateMAC() on both the request and response side.
private static string secretKey = null;
/// <summary>
/// Wires this module into the application pipeline: loads the validation key once
/// (cached in the static secretKey field) and subscribes to BeginRequest/EndRequest.
/// </summary>
/// <param name="application">the HttpApplication being initialised</param>
public void Init(HttpApplication application)
{
    // The key is shared by every module instance, so it is fetched only the first time.
    // NOTE(review): not synchronised; harmless as long as GetKey() returns the same value
    // on every call — confirm against its implementation.
    if (secretKey == null)
    {
        secretKey = GetKey();
    }
    // Verify the incoming cookie on the way in, MAC the outgoing cookie on the way out.
    application.BeginRequest += onbeginRequest;
    application.EndRequest += onendRequest;
}
/// <summary>
/// IHttpModule.Dispose: intentionally empty, this module allocates nothing that needs releasing.
/// </summary>
public void Dispose()
{
    // Nothing to clean up.
}
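/// <summary>
/// Handles HttpApplication.BeginRequest: verifies the MAC appended to the incoming
/// ASP.NET_SessionId cookie and strips it so the session-state module sees the bare id.
/// </summary>
/// <param name="sender">the HttpApplication raising the event</param>
/// <param name="e">unused</param>
/// <exception cref="SessionerrorException">
/// "Code 1" when the cookie value is too short to carry a MAC (24 characters or fewer),
/// "Code 2" when the MAC does not match the one recomputed for this client.
/// </exception>
public void onbeginRequest(Object sender, EventArgs e)
{
    HttpRequest currentRequest = ((HttpApplication)sender).Request;
    HttpCookie requestCookie = RetrieveRequestCookie(currentRequest, "ASP.NET_SessionId");
    // No session cookie at all: nothing to verify, ASP.NET will issue a fresh id.
    if (requestCookie == null) return;
    string value = requestCookie.Value ?? String.Empty;
    // An ASP.NET session id is 24 characters; a value at or below that length carries no MAC.
    if (value.Length <= 24) throw new SessionerrorException("Invalid Session, Code 1");
    string sessionID = value.Substring(0, 24);
    string mac = value.Substring(24);
    // Recompute the MAC for this client (address prefix + User-Agent, see CreateMAC).
    string macCompare = CreateMAC(sessionID, currentRequest.UserHostAddress, currentRequest.UserAgent, secretKey);
    // Constant-time comparison: String.CompareOrdinal returns at the first differing
    // character, which leaks how many leading characters of a forged MAC were correct.
    if (!FixedTimeEquals(mac, macCompare)) throw new SessionerrorException("Invalid Session, Code 2");
    // Hand the bare id to the session-state module.
    requestCookie.Value = sessionID;
}

/// <summary>
/// Ordinal string equality whose running time depends only on the lengths involved,
/// not on where the strings first differ. Used for MAC checks instead of CompareOrdinal.
/// </summary>
/// <param name="a">first string (may be null)</param>
/// <param name="b">second string (may be null)</param>
/// <returns>true when both are null or both have identical characters</returns>
private static bool FixedTimeEquals(string a, string b)
{
    if (a == null || b == null) return a == b;
    if (a.Length != b.Length) return false;
    int diff = 0;
    // OR the XOR of every character pair so the loop never exits early.
    for (int i = 0; i < a.Length; i++)
    {
        diff |= a[i] ^ b[i];
    }
    return diff == 0;
}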
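/// <summary>
/// Handles HttpApplication.EndRequest: when this response sets an ASP.NET_SessionId cookie,
/// appends a MAC bound to the client address prefix and User-Agent to its value.
/// </summary>
/// <param name="sender">the HttpApplication raising the event</param>
/// <param name="e">unused</param>
public void onendRequest(Object sender, EventArgs e)
{
    HttpApplication app = (HttpApplication)sender;
    HttpRequest currentRequest = app.Request;
    // Only cookies this response is itself setting appear in Response.Cookies.
    HttpCookie sessionCookie = RetrieveResponseCookie(app.Response, "ASP.NET_SessionId");
    if (sessionCookie == null) return;
    // A cookie being cleared (empty value) carries no session id to protect. Appending a MAC
    // to "" would send the browser a 28-character value, so onbeginRequest would read the
    // first 24 characters of the MAC as the session id and reject it with "Code 2".
    if (String.IsNullOrEmpty(sessionCookie.Value)) return;
    // NOTE(review): HttpOnly/Secure are not set here; configure them for the session cookie
    // (e.g. web.config <httpCookies>) so the MAC'd cookie is not readable by script or sent in clear.
    sessionCookie.Value += CreateMAC(sessionCookie.Value, currentRequest.UserHostAddress, currentRequest.UserAgent, secretKey);
}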
/// <summary>
/// Looks up a cookie by name in the incoming request's cookie collection.
/// </summary>
/// <param name="currentRequest">the request whose Cookies collection is searched</param>
/// <param name="cookieName">name of the cookie to find</param>
/// <returns>whatever FindTheCookie returns for that collection and name</returns>
private HttpCookie RetrieveRequestCookie(HttpRequest currentRequest, string cookieName)
{
    return FindTheCookie(currentRequest.Cookies, cookieName);
}
/// <summary>
/// Looks up a cookie by name in the outgoing response's cookie collection.
/// </summary>
/// <param name="currentResponse">the response whose Cookies collection is searched</param>
/// <param name="cookieName">name of the cookie to find</param>
/// <returns>whatever FindTheCookie returns for that collection and name</returns>
private HttpCookie RetrieveResponseCookie(HttpResponse currentResponse, string cookieName)
{
    return FindTheCookie(currentResponse.Cookies, cookieName);
}
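/// <summary>
/// Generates the MAC appended to the session cookie: an HMAC-SHA1, keyed with the validation
/// key, over the session id, the part of the client address before its second '.', and the
/// User-Agent, returned as Base64.
/// </summary>
/// <param name="id">current session id</param>
/// <param name="ipAddress">ip address of the current Request; may be null or not dotted-quad (e.g. IPv6 "::1")</param>
/// <param name="userAgent">current user's User Agent; may be null</param>
/// <param name="validationKey">validation key from the web.config (must not be null)</param>
/// <returns>Base64-encoded HMAC-SHA1 of the concatenated parts</returns>
private string CreateMAC(string id, string ipAddress, string userAgent, string validationKey)
{
    // 512 is the initial capacity, not a maximum: the builder grows past it if needed.
    StringBuilder sb = new StringBuilder(id, 512);
    // Only the address up to the second dot is bound (e.g. "192.168" for 192.168.1.5), presumably
    // so that a client moving within that range keeps its session. Addresses with fewer than two
    // dots (IPv6, some proxies) used to throw ArgumentOutOfRangeException from Substring(0, -1),
    // failing every request from such clients; they are now bound in full instead.
    sb.Append(ClientAddressPrefix(ipAddress));
    // StringBuilder.Append(null) appends nothing, so a missing User-Agent is tolerated.
    sb.Append(userAgent);
    // NOTE(review): the parts are concatenated without a separator; adding one would invalidate
    // every MAC already issued, so the format is kept as-is.
    using (HMACSHA1 hmac = new HMACSHA1(Encoding.UTF8.GetBytes(validationKey)))
    {
        return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(sb.ToString())));
    }
}

/// <summary>
/// Returns the text of <paramref name="ipAddress"/> before its second '.', the whole address
/// when it contains fewer than two dots, or "" when the address is null.
/// </summary>
/// <param name="ipAddress">client address as reported by the request; may be null</param>
/// <returns>the address prefix that is bound into the MAC</returns>
private static string ClientAddressPrefix(string ipAddress)
{
    if (ipAddress == null) return String.Empty;
    int firstDot = ipAddress.IndexOf('.');
    if (firstDot < 0) return ipAddress;
    int secondDot = ipAddress.IndexOf('.', firstDot + 1);
    if (secondDot < 0) return ipAddress;
    return ipAddress.Substring(0, secondDot);
}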
问题在于，Google Chrome 总是抛出异常"无效会话，代码 1"（Invalid Session, Code 1），而在 Internet Explorer 和 Firefox 中却运行正常。
有谁知道可能是什么原因，我该如何解决？