Asp.net cookie operations (prevent cookie spoofing)

Source: Internet
Author: User
Tags datetime httpcontext

Protected void page_load (object sender, eventargs e)
        {
If (request. cookies ["username"] = null)
                {
Httpcookie mycookie = new httpcookie ("username ");
Mycookie. values. add ("prodid ","");
Mycookie. expires = datetime. now. adddays (1 );
Response. cookies. add (mycookie );
                }
        }

This is the cookie inserting code.

Public void addcookie (string cookievalue)
        {
           
Httpcookie cookie = new httpcookie ("username ");
If (request. cookies ["username"]. values ["prodid"]! = "")
            {
String myvalue = "";
Myvalue = request. cookies ["username"]. values ["prodid"]. tostring ();
Myvalue = cookievalue + "," + myvalue;
Cookie. values. add ("prodid", myvalue );
Cookie. expires = datetime. now. adddays (1 );
Response. cookies. add (cookie );
            }
Else
            {
Cookie. values. add ("prodid", cookievalue );
Cookie. expires = datetime. now. adddays (1 );
Response. cookies. add (cookie );
            }
        }

The last step is to delete the cookie.

Protected void button2_click (object sender, eventargs e)
        {
Httpcookie mycookie = new httpcookie ("username ");
Mycookie. expires = datetime. now. adddays (-1d );
Response. cookies. add (mycookie );
        }

Prevent cookie spoofing

According to browser conventions, only cookies from the same domain name can be read and written, while cookies are only for browsers and have no impact on communication protocols. Therefore, cookie spoofing can be performed in many ways, the easiest way is to build a website by yourself. In c: windowssystem32driversetchosts, set the website you have set up as the domain name you want to cheat. After the cookie is written, the hosts value will be changed back, in this way, the cookie of the local website can be thrown to the domain name you want to intrude.

 

Public void logined (modeluser model)
  {
Int outtime = getloginouttime ();
Httpcontext. current. response. cookies ["username"]. value = model. user_name;
Httpcontext. current. response. cookies ["username_check"]. value = dessecurity. desencrypt (model. user_name );
Httpcontext. current. response. cookies ["username"]. expires = datetime. now. addminutes (outtime );
Httpcontext. current. response. cookies ["username_check"]. expires = datetime. now. addminutes (outtime );
Setusermodel (model );
  }


We can see that two cookie values are saved, all of which are user names. One is encrypted and the other is unencrypted.

The code used to verify logon is as follows:

Public bool islogin ()
{
Bool islogin = false;
If (httpcontext. current. request. cookies ["username"]! = Null)
    {
If (httpcontext. current. request. cookies ["username_check"]! = Null)
        {
String username = httpcontext. current. request. cookies ["username"]. value;
String usernamecheck = httpcontext. current. request. cookies ["username_check"]. value;
If (username = dessecurity. desdecrypt (usernamecheck ))
Islogin = true;
        }
    }
Return islogin;
}

 

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.