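ASP.NET Forms authentication
ASP.NET has three authentication modes, "Windows | Forms | Passport". Of these, Forms authentication is the most widely used and the most flexible.
Forms authentication provides good support for user-based authentication and authorization. A login page verifies the user's identity and sends that identity back to the client in a cookie. When the user then accesses the web application again, the identity cookie is sent to the server along with the request. The authorization settings on the server can then control access for different users on a per-directory basis.
Here is the problem: in practice, what we usually need is authentication and authorization based on roles, or in other words on user groups. For a website, the typical model looks like this: users are divided into different identities according to actual requirements, that is, into roles or user groups, and the authentication process must verify not only the user's own identity but also which role the user belongs to. Access authorization is then configured by role: which resources a given role may access, which it may not, and so on. Authorizing access per user would be very impractical. There are many users, they may be added or removed at any time, and it is not feasible to keep adding access rules to the configuration file for a constantly growing set of new users.
Below is a rough look at the Forms process.
Basic principles of Forms authentication:
I. Authentication
To use Forms authentication, first make the corresponding settings in the Web.config file in the application root directory: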
<authentication mode="Forms">
  <forms name=".ASPXAUTH" loginUrl="/login.aspx" timeout="30" path="/">
  </forms>
</authentication>
Here <authentication mode="Forms"> indicates that this application uses Forms authentication.
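1. The name attribute of the <forms> tag specifies the HTTP cookie to use for authentication. By default, the value of name is .ASPXAUTH. After a user is authenticated this way, an authentication ticket of type FormsAuthenticationTicket is built from the user's information, then encrypted and serialized into a string, and finally that string is written to the client in the cookie named by name. Once this cookie has been written to the client, it is sent to the server whenever the user accesses the web application again, and the server knows that this user has already been authenticated.
Next, what information does the authentication ticket contain? Let's look at the FormsAuthenticationTicket class:
CookiePath: returns the path for which the cookie was issued. Note that the path of the form is set to /. Because forms are case-sensitive, this is a protective measure against inconsistent URL casing within the site. It is used when the cookie is refreshed.
Expiration: gets the date/time at which the cookie expires.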