DotNet board - A newbie question about asp.net session
S****e
Posts: 10596
1
w3schools says this:
ASP solves this problem by creating a unique cookie for each user. The cookie is sent to the user's computer and it contains information that identifies the user. This interface is called the Session object.
Is it possible for someone to create an admin cookie and then hack the site?
Do asp.net sites rely entirely on session to identify users and their permissions?
a9
Posts: 21638
2
Possible, but very hard.
This cookie is random, and it doesn't stay valid for long.

[Quoting S****e's post]
: w3schools says this:
: ASP solves this problem by creating a unique cookie for each user. The cookie is sent to the user's computer and it contains information that identifies the user. This interface is called the Session object.
: Is it possible for someone to create an admin cookie and then hack the site?
: Do asp.net sites rely entirely on session to identify users and their permissions?

s***o
Posts: 2191
3
A Session cookie contains SessionID. This unique ID is used to identify the
requests from the same browser instance to allow data sharing among these
requests. It's not really used to "identifies the user".
Authentication uses another type of cookie that contains a "ticket". An
authentication cookie is encrypted and is nearly impossible to hack.

[Quoting S****e's post]
: w3schools says this:
: ASP solves this problem by creating a unique cookie for each user. The cookie is sent to the user's computer and it contains information that identifies the user. This interface is called the Session object.
: Is it possible for someone to create an admin cookie and then hack the site?
: Do asp.net sites rely entirely on session to identify users and their permissions?

S****e
Posts: 10596
4
Thanks to the two above.
Did a search; it says this:
As far as I understand it a temporary session cookie is created for the client that holds just the sessionID used to uniquely identify the client. All the actual data in the session is held on the server, in memory, and is therefore secure.
All session data by default is stored in memory on the server. Only a session ID is placed in a cookie on the client's machine. You can change the settings to have your data stored in SQL Server or in a Session State server if you like but none of these cases passes session information to the client.
So the conclusion is that using a session to identify user permissions is secure.

[Quoting S****e's post]
: w3schools says this:
: ASP solves this problem by creating a unique cookie for each user. The cookie is sent to the user's computer and it contains information that identifies the user. This interface is called the Session object.
: Is it possible for someone to create an admin cookie and then hack the site?
: Do asp.net sites rely entirely on session to identify users and their permissions?

a9
Posts: 21638
5
Yep. But unless it's really necessary, don't store it in SQL Server; it's too slow.

[Quoting S****e's post]
: Thanks to the two above.
: Did a search; it says this:
: As far as I understand it a temporary session cookie is created for the client that holds just the sessionID used to uniquely identify the client. All the actual data in the session is held on the server, in memory, and is therefore secure.
: All session data by default is stored in memory on the server. Only a session ID is placed in a cookie on the client's machine. You can change the settings to have your data stored in SQL Server or in a Session State server if yo

k****i
Posts: 1072
6
Wrong conclusion. Who said user permissions have to go in the session? Of course you can put user permissions anywhere;
that's your choice.

[Quoting S****e's post]
: Thanks to the two above.
: Did a search; it says this:
: As far as I understand it a temporary session cookie is created for the client that holds just the sessionID used to uniquely identify the client. All the actual data in the session is held on the server, in memory, and is therefore secure.
: All session data by default is stored in memory on the server. Only a session ID is placed in a cookie on the client's machine. You can change the settings to have your data stored in SQL Server or in a Session State server if yo

S****e
Posts: 10596
7
Where are permissions usually kept?
What I built is a user login; after a successful login, the permission code is stored in the session.
If the session says admin, the back-end pages can be accessed.
How can this be done better?

[Quoting k****i's post]
: Wrong conclusion. Who said user permissions have to go in the session? Of course you can put user permissions anywhere;
: that's your choice.

c**t
Posts: 2744
8
if it's over https, you can't change

[Quoting S****e's post]
: w3schools says this:
: ASP solves this problem by creating a unique cookie for each user. The cookie is sent to the user's computer and it contains information that identifies the user. This interface is called the Session object.
: Is it possible for someone to create an admin cookie and then hack the site?
: Do asp.net sites rely entirely on session to identify users and their permissions?

k****i
Posts: 1072
9
First look at the sql role provider, then look at azman/sqlazman.

[Quoting S****e's post]
: Where are permissions usually kept?
: What I built is a user login; after a successful login, the permission code is stored in the session.
: If the session says admin, the back-end pages can be accessed.
: How can this be done better?

S****e
Posts: 10596
10
Nice!

[Quoting k****i's post]
: First look at the sql role provider, then look at azman/sqlazman.
N********n
Posts: 8363
11

You don't "store the permission code in session". You pass authentication first
then run through the role service to decide what permission you
have. Individual roles are configured by the admin.
There are videos on http://asp.net explaining how a typical role
membership is used alongside the asp.net authentication.

[Quoting S****e's post]
: Where are permissions usually kept?
: What I built is a user login; after a successful login, the permission code is stored in the session.
: If the session says admin, the back-end pages can be accessed.
: How can this be done better?
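As an added example (not code from the thread or from any poster): the login-then-Session["perm"] pattern described in post 7, next to the forms-authentication-plus-role-provider approach that posts 9 and 11 point to. It assumes ASP.NET Web Forms with Forms authentication and a configured role provider (e.g. SqlRoleProvider) in web.config; the role name "Admin", the page names and the method names are hypothetical.

```csharp
// Added example, not from the thread. Assumes ASP.NET Web Forms with
// <authentication mode="Forms"/> and <roleManager enabled="true"/> (e.g.
// SqlRoleProvider) in web.config; "Admin", page and method names are hypothetical.
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

public partial class Login : Page
{
    // Pattern from post 7: after login, a permission code is parked in Session.
    // Every page must then remember to check Session["perm"], and the value
    // is only as trustworthy as the code that wrote it.
    protected void LoginSessionOnly(string user, string pwd)
    {
        if (!Membership.ValidateUser(user, pwd)) return;
        Session["perm"] = Roles.IsUserInRole(user, "Admin") ? "admin" : "user";
        Response.Redirect("~/Default.aspx");
    }

    // Pattern from posts 9 and 11: authenticate, issue the forms ticket
    // (encrypted and signed by the framework), and let the role provider
    // answer "is this user an Admin?" on each request.
    protected void LoginWithForms(string user, string pwd)
    {
        if (!Membership.ValidateUser(user, pwd)) return;
        FormsAuthentication.SetAuthCookie(user, false); // false: no persistent "remember me" cookie
        Response.Redirect(FormsAuthentication.GetRedirectUrl(user, false));
    }
}

public partial class AdminPage : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // User.IsInRole is backed by the role provider, not by a Session value.
        // The declarative equivalent in web.config:
        //   <location path="Admin"><system.web><authorization>
        //     <allow roles="Admin"/><deny users="*"/>
        //   </authorization></system.web></location>
        if (!User.Identity.IsAuthenticated || !User.IsInRole("Admin"))
        {
            Response.StatusCode = 403;
            Response.End();
        }
    }
}
```

With the declarative web.config rule in place, the framework rejects unauthorised requests to the Admin folder before any page code runs, so the in-page check is a second layer rather than the only one.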

k**n
Posts: 3989
12
For an ordinary site, doing it that way is enough.
If you want a "remember my login" feature, you also need to write it into a cookie on the browser side.
The .net membership api can also be used, but it's not as flexible as writing your own.

[Quoting S****e's post]
: Where are permissions usually kept?
: What I built is a user login; after a successful login, the permission code is stored in the session.
: If the session says admin, the back-end pages can be accessed.
: How can this be done better?

y********o
Posts: 2565
13
Or role provider based on Active Directory if they happen to use it.
Essentially the same, just different sources.

[Quoting k****i's post]
: First look at the sql role provider, then look at azman/sqlazman.