Retrive随机生成的会话ID coockie名称asp.net

时间:2018-02-20 11:21:15

标签: c# asp.net asp.net-mvc asp.net-identity session-cookies

我想用一些随机生成的字符串更改asp.net ASP.NET_SessionId cookie名称,并将其哈希值。我已经完成了两个,但问题是我不知道如何获取`ASP.NET_SessionId并检查散列值是否有效。目的是防止会话劫持。

            app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"),
            Provider = new CookieAuthenticationProvider
            {
                OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<Identity.ApplicationUserManager, DatabaseHelper.DatabaseModels.User>(
                    validateInterval: TimeSpan.FromMinutes(15),
                    regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
            },
            CookieName = Utility.Globals.GenrateRandomString(10),
        });     

这就是我改变`ASP.NET_SessionId'的方法。我还用以下代码检查散列值

protected void Application_BeginRequest(object sender, EventArgs e)
    {
        //Check If it is a new session or not , if not then do the further checks
        if (Request.Cookies["ASP.NET_SessionId"] != null && Request.Cookies["ASP.NET_SessionId"].Value != null)
        {
            string newSessionID = Request.Cookies["ASP.NET_SessionID"].Value;
            //Check the valid length of your Generated Session ID
            if (newSessionID.Length <= 24)
            {
                //Log the attack details here
                Response.Cookies["TriedTohack"].Value = "True";
                throw new HttpException("Invalid Request");
            }

            //Genrate Hash key for this User,Browser and machine and match with the Entered NewSessionID
            if (GenerateHashKey() != newSessionID.Substring(24))
            {
                //Log the attack details here
                Response.Cookies["TriedTohack"].Value = "True";
                throw new HttpException("Invalid Request");
            }

            //Use the default one so application will work as usual//ASP.NET_SessionId
            Request.Cookies["ASP.NET_SessionId"].Value = Request.Cookies["ASP.NET_SessionId"].Value.Substring(0, 24);
        }

    } 

0 个答案:

没有答案