Protecting Cookies Once and For All
Every once in a while you run into a situation where you need to temporarily store data for a user in a web app. You typically have two options here: either store it server-side, or put the data into a cookie (if size permits). When you need web farm compatibility in addition, things become a little bit more complicated because the data needs to be available on all nodes.

In my case I went for a cookie, but I had some requirements:

- The cookie must be protected from eavesdropping (sent only over SSL) and from client script.
- The cookie must be encrypted and signed, to be protected from tampering.
- The cookie might become bigger than 4KB, so some sort of overflow mechanism would be nice.

I really didn't want to implement another cookie protection mechanism; this feels wrong and, btw, can go wrong as well. WIF to the rescue. The session management feature already implements the above requirements, but is built around (de)serializing IClaimsPrincipals into cookies and back. But if you go one level deeper you will find the CookieHandler and CookieTransform classes, which contain all the needed functionality.
```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Web;
using Microsoft.IdentityModel.Web;

public class ProtectedCookie
{
    // Transforms are applied in list order on Encode and in reverse order on Decode.
    private List<CookieTransform> _transforms;

    // ChunkedCookieHandler splits values that exceed the cookie size limit
    // across several cookies and reassembles them on Read.
    private ChunkedCookieHandler _handler = new ChunkedCookieHandler();

    // DPAPI protection (single server)
    public ProtectedCookie()
    {
        _transforms = new List<CookieTransform>
        {
            new DeflateCookieTransform(),
            new ProtectedDataCookieTransform()
        };
    }

    // RSA protection (load balanced): deflate, then sign, then encrypt
    public ProtectedCookie(X509Certificate2 protectionCertificate)
    {
        _transforms = new List<CookieTransform>
        {
            new DeflateCookieTransform(),
            new RsaSignatureCookieTransform(protectionCertificate),
            new RsaEncryptionCookieTransform(protectionCertificate)
        };
    }

    // custom transform pipeline
    public ProtectedCookie(List<CookieTransform> transforms)
    {
        _transforms = transforms;
    }

    public void Write(string name, string value, DateTime expirationTime)
    {
        byte[] encodedBytes = EncodeCookieValue(value);
        _handler.Write(encodedBytes, name, expirationTime);
    }

    // requireSsl = true and hideFromClientScript = true (HttpOnly)
    public void Write(string name, string value, DateTime expirationTime, string domain, string path)
    {
        byte[] encodedBytes = EncodeCookieValue(value);
        _handler.Write(encodedBytes, name, path, domain, expirationTime, true, true, HttpContext.Current);
    }

    public string Read(string name)
    {
        var bytes = _handler.Read(name);
        if (bytes == null || bytes.Length == 0)
        {
            return null;
        }

        return DecodeCookieValue(bytes);
    }

    public void Delete(string name)
    {
        _handler.Delete(name);
    }

    protected virtual byte[] EncodeCookieValue(string value)
    {
        var bytes = Encoding.UTF8.GetBytes(value);
        byte[] buffer = bytes;

        foreach (var transform in _transforms)
        {
            buffer = transform.Encode(buffer);
        }

        return buffer;
    }

    protected virtual string DecodeCookieValue(byte[] bytes)
    {
        var buffer = bytes;

        // walk the pipeline backwards: decrypt, verify signature, inflate
        for (int i = _transforms.Count; i > 0; i--)
        {
            buffer = _transforms[i - 1].Decode(buffer);
        }

        return Encoding.UTF8.GetString(buffer);
    }
}
```

HTH
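As an added usage example (not from the original post), the load-balanced variant wired into a hypothetical ASP.NET page: the certificate is looked up by a placeholder thumbprint in the machine store, a cookie that fails to decode is discarded rather than trusted (assumption: the WIF transforms throw on a signature or decryption failure), and the five-argument Write is used so the cookie is SSL-only and hidden from script.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Web.UI;

// Hypothetical page that keeps multi-step wizard state in a protected cookie.
public partial class WizardPage : Page
{
    private const string CookieName = "wizardstate";
    // Placeholder: thumbprint of a certificate (with private key) installed
    // in LocalMachine\My on every node of the farm.
    private const string ProtectionCertThumbprint = "PLACEHOLDER_THUMBPRINT";

    private static X509Certificate2 LoadProtectionCertificate()
    {
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            var found = store.Certificates.Find(
                X509FindType.FindByThumbprint, ProtectionCertThumbprint, false);
            if (found.Count == 0)
                throw new InvalidOperationException("Protection certificate not installed.");
            return found[0];
        }
        finally { store.Close(); }
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        // RSA pipeline (deflate -> sign -> encrypt): any node holding the
        // certificate can verify and decrypt what another node wrote.
        var cookie = new ProtectedCookie(LoadProtectionCertificate());
        string state;
        try
        {
            state = cookie.Read(CookieName); // null when no cookie is present
        }
        catch (Exception) // assumption: a tampered or foreign cookie fails to decode
        {
            cookie.Delete(CookieName);       // drop it rather than trusting it
            state = null;
        }
        string newState = (state ?? "") + "step=" + Request.QueryString["step"] + ";";
        // Sent over SSL only and hidden from script; chunked automatically above 4KB.
        cookie.Write(CookieName, newState, DateTime.UtcNow.AddMinutes(20),
                     Request.Url.Host, "/");
    }
}
```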