Session ID not random enough - ASP.NET

前端 未结 1 714
迷失自我
迷失自我 2021-02-05 22:47

UPDATE

We eventually had a meeting with some programmers on the Acunetix team and they realized there may be a few bugs in their code that are causing t

相关标签:
1条回答
  • 2021-02-05 23:10

    As I remember, ASP.NET session id generator gives good protection against session prediction. The session id has 24 characters using [a-z] chars and [0-5] digits (total of 32 possible chars which is 2^5) which gives a total of 2^(5*24) = 2^120 possible values. However you can implement a SessionIDManager to append some information (like user hostaddress, user-agent, a validation token using a HMAC algorithm) for even better protection - so that a session id comming from a different IP Address or different browser wouldn't pass the validation. If you have forms authentication implemented, this is not necessary since the authentication ticket already provides these kinds of protection.

    If you want a better random session id you can use a RandomNumberGenerator such as RNGCryptoServiceProvider in your SessionIDManager and fill a bunch of bytes (say 32 which is 256 bits), then encode them using Base64

    byte[] random = new byte[100];
    //RNGCryptoServiceProvider is an implementation of a random number generator.
    RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
    rng.GetBytes(random); // The array is now filled with cryptographically strong random bytes.
    return Convert.ToBase64String(random) 
    

    However, this article says that the max length of your session id is 80, so you must override the Validate method also in order for it to work.

    0 讨论(0)
提交回复
热议问题