尝试防止会话篡改对本地环境有效，但对prod服务器无效

Question

所以我想阻止我的网站中的会话篡改，我在global.asax中实现了这一点。我正在做的是使用GenerateHashKey函数生成哈希键。它主要使用浏览器版本，用户主机地址等来创建哈希键。此哈希键即附加到ASP.NET_SessionId cookie。现在这在当地环境中完美运行。但是一旦我将它托管到prod服务器，＆＃34;无效＆＃34;异常是第一次抛出然后它工作正常。为什么会发生这种情况

我用过这篇文章 http://www.codeproject.com/Articles/859579/Hack-proof-your-asp-net-applications-from-Session

protected void Application_BeginRequest(object sender, EventArgs e)
{
        try
        {
            if (Request.Cookies["ASP.NET_SessionId"] != null && Request.Cookies["ASP.NET_SessionId"].Value != null)
            {
                string newSessionID = Request.Cookies["ASP.NET_SessionId"].Value;
                //Check the valid length of your Generated Session ID
                if (newSessionID.Length <= 24)
                {
                    //Log the attack details here

                    Response.Cookies["ASP.NET_SessionId"].Expires = DateTime.Now.AddDays(-30);
                    Response.Cookies["ASP.NET_SessionId"].Value = null;
                    throw new HttpException("Empty");

                }

                //Genrate Hash key for this User,Browser and machine and match with the Entered NewSessionID
                if (GenerateHashKey() != newSessionID.Substring(24))
                {
                    //Log the attack details here
                    Response.Cookies["TriedTohack"].Value = "True";
                    Response.Cookies["ASP.NET_SessionId"].Expires = DateTime.Now.AddDays(-30);
                    Response.Cookies["ASP.NET_SessionId"].Value = null;
                    throw new HttpException("Invalid:"+newSessionID);



                }

                //Use the default one so application will work as usual//ASP.NET_SessionId
                Request.Cookies["ASP.NET_SessionId"].Value = Request.Cookies["ASP.NET_SessionId"].Value.Substring(0, 24);
            }
        }
        catch(Exception Ex)
        {

            if (Ex.Message == "Invalid")
            {                  
                 Response.Redirect(string.Format("~/PraiseError.aspx?Message={0}", Uri.EscapeDataString(Ex.Message)));
            }
            else
            {
                Response.Redirect("~/Home.aspx");
            }
        }
    }
  protected void Application_EndRequest(object sender, EventArgs e)
    {
        string gn = GenerateHashKey();
        try
        {
            //Pass the custom Session ID to the browser.
            if (Response.Cookies["ASP.NET_SessionId"] != null)
            {



                Response.Cookies["ASP.NET_SessionId"].Value = Request.Cookies["ASP.NET_SessionId"].Value.Replace(gn, "") + gn;

            }
            else
            {
                Response.Cookies["ASP.NET_SessionId"].Value = Request.Cookies["ASP.NET_SessionId"].Value + gn;
            }
        }
        catch
        {
            Response.Cookies["ASP.NET_SessionId"].Value = Request.Cookies["ASP.NET_SessionId"].Value + gn;
        }
    }

private string GenerateHashKey()
{
        StringBuilder myStr = new StringBuilder();
        myStr.Append(Request.Browser.Browser);
        myStr.Append(Request.Browser.Platform);
        myStr.Append(Request.Browser.MajorVersion);
        myStr.Append(Request.Browser.MinorVersion);
        myStr.Append(Request.UserHostAddress);
       //myStr.Append(Request.LogonUserIdentity.User.Value);
        SHA1 sha = new SHA1CryptoServiceProvider();
        byte[] hashdata = sha.ComputeHash(Encoding.UTF8.GetBytes(myStr.ToString()));
        return Convert.ToBase64String(hashdata);

 }