Our ASP.NET application has session hijacking and session fixation problems. We have also implemented SSL.
1. I added the following code to the web.config file.

<authentication mode="Forms">
  <forms
    protection="All"
    timeout="20"
    name=".ASPXAUTH"
    path="/"
    requireSSL="true"
    slidingExpiration="true"
  />
</authentication>
2. Encrypt the forms authentication ticket and add it to the cookie after the user is authenticated.

FormsAuthenticationTicket tkt;
string cookiestr;
HttpCookie ck;
// Build a 20-minute, non-persistent ticket for the logged-in user
tkt = new FormsAuthenticationTicket(1, uname, DateTime.Now, DateTime.Now.AddMinutes(20), false, "您的自定义数据");
// Encrypt the ticket and send it in the forms-authentication cookie
cookiestr = FormsAuthentication.Encrypt(tkt);
ck = new HttpCookie(FormsAuthentication.FormsCookieName, cookiestr);
ck.Path = FormsAuthentication.FormsCookiePath;
Response.Cookies.Add(ck);
3. I am removing the session variables and passing an empty value to ASP.NET_SessionId on the logout page and on the error page.

SessionHandler.EndSession(); // application's own helper
Session.RemoveAll();
Session.Abandon();
// Overwrite the session-id cookie with an empty, already-expired value
Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", ""));
if (Request.Cookies["ASP.NET_SessionId"] != null)
{
    Response.Cookies["ASP.NET_SessionId"].Value = string.Empty;
    Response.Cookies["ASP.NET_SessionId"].Expires = DateTime.Now.AddMonths(-20);
}
if (Request.Cookies["AuthToken"] != null)
{
    Response.Cookies["AuthToken"].Value = string.Empty;
    Response.Cookies["AuthToken"].Expires = DateTime.Now.AddMonths(-20);
}
// Expire the forms-authentication cookie (it may be absent on the error page)
HttpCookie authcookie = Request.Cookies[FormsAuthentication.FormsCookieName];
if (authcookie != null)
{
    authcookie.Expires = DateTime.Now.AddDays(-1D);
    Response.Cookies.Add(authcookie);
}
FormsAuthentication.SignOut();
The problem is still not solved...
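The steps above clear the session at logout but never replace the session id at the moment of login, which is the point where a pre-planted ASP.NET_SessionId would otherwise survive authentication. The following is an added example, not code from the original post: a login helper that abandons the pre-login session, issues a fresh session id through SessionIDManager, and then sends the forms-authentication ticket in a cookie marked Secure and HttpOnly. It assumes cookie-based session state, that the caller has already verified the user's credentials, and that `uname` and `userData` are supplied by the caller; the class and method names are hypothetical.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.SessionState;

// Added example (hypothetical class and method names, not from the original post).
public static class LoginHelper
{
    // Call this once the user's credentials have been verified.
    public static void IssueAuthenticatedSession(HttpContext context, string uname, string userData)
    {
        // 1. Discard any pre-login session state and give the browser a brand-new
        //    session id, so an id that existed before authentication is not reused.
        context.Session.Clear();
        context.Session.Abandon();

        var idManager = new SessionIDManager();
        string newSessionId = idManager.CreateSessionID(context);
        bool redirected, cookieAdded;
        idManager.SaveSessionID(context, newSessionId, out redirected, out cookieAdded);

        // 2. Build and encrypt the forms-authentication ticket (20-minute lifetime,
        //    matching timeout="20" in the posted web.config; non-persistent).
        var ticket = new FormsAuthenticationTicket(
            1, uname, DateTime.Now, DateTime.Now.AddMinutes(20), false, userData);
        string encrypted = FormsAuthentication.Encrypt(ticket);

        // 3. Send the ticket in a cookie that is only transmitted over HTTPS and
        //    cannot be read from script, which limits what a hijacked page can steal.
        var authCookie = new HttpCookie(FormsAuthentication.FormsCookieName, encrypted)
        {
            Path = FormsAuthentication.FormsCookiePath,
            Secure = FormsAuthentication.RequireSSL, // true when requireSSL="true" is set
            HttpOnly = true
        };
        context.Response.Cookies.Add(authCookie);

        // 4. Apply the same flags to the session-id cookie that SaveSessionID just
        //    queued on the response (default cookie name ASP.NET_SessionId).
        HttpCookie sessionCookie = context.Response.Cookies["ASP.NET_SessionId"];
        if (sessionCookie != null)
        {
            sessionCookie.Secure = true;
            sessionCookie.HttpOnly = true;
        }
    }
}
```

Because the new session id only takes effect on the next request, anything written to `Session` after this call in the same request is stored under the abandoned id and will not be visible afterwards; populate post-login session values on the following request instead.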