Using URL parameters and sessions securely in ASP.NET

Source: Internet
Author: User

1. URL parameters are not entirely off-limits

Because URL parameters travel in plain text and are fully visible on the client, they are not secure, and sensitive information must never be transmitted through them. URL parameters are nevertheless an important way to exchange information between web pages, so they can still be used to carry values that are meaningless on their own.

Requirements for using URL parameters:

A. URL parameter values must be URL-encoded when a link is built and URL-decoded when they are read.

B. URL parameters must not carry sensitive or confidential information. (Rather than encrypting such information and passing it in the URL, store it in the session directly; the code is also simpler that way.)

C. A URL parameter may be used only after its value has been validated.
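The three requirements above in code, as an added example that is not part of the original article. It is ASP.NET Web Forms code for the .NET Framework; the helper class `QueryHelper`, the page name `StaffList.aspx` and the `page`/`sort` parameters are assumptions made for illustration. `Request.QueryString` already URL-decodes values, so on the reading side what remains to be done is validation.

```csharp
// Added example (not from the original article): building and reading URL
// parameters in ASP.NET Web Forms. QueryHelper, StaffList.aspx and the
// parameter names are assumed for illustration.
using System;
using System.Collections.Generic;
using System.Web;

public static class QueryHelper
{
    // Build a URL whose parameter names and values are URL-encoded, so a value
    // containing '&', '=', '#' or '<' cannot change the query structure or be
    // reflected raw into the page that reads it.
    public static string BuildUrl(string path, IDictionary<string, string> parameters)
    {
        var parts = new List<string>();
        foreach (var kv in parameters)
        {
            parts.Add(HttpUtility.UrlEncode(kv.Key) + "=" + HttpUtility.UrlEncode(kv.Value));
        }
        return parts.Count == 0 ? path : path + "?" + string.Join("&", parts);
    }

    // Read an integer parameter. Request.QueryString has already decoded it;
    // the value is accepted only if it parses and lies within [min, max].
    public static bool TryGetInt(HttpRequest request, string name, int min, int max, out int value)
    {
        value = 0;
        string raw = request.QueryString[name];
        if (string.IsNullOrEmpty(raw)) return false;
        if (!int.TryParse(raw, out value)) return false;
        return value >= min && value <= max;
    }

    // Read a string parameter against a whitelist, so that it can be used as,
    // for example, a sort column without ever being echoed unchecked into SQL or HTML.
    public static string GetWhitelisted(HttpRequest request, string name, string[] allowed, string fallback)
    {
        string raw = request.QueryString[name];
        if (raw == null) return fallback;
        foreach (string candidate in allowed)
        {
            if (string.Equals(candidate, raw, StringComparison.Ordinal)) return candidate;
        }
        return fallback;
    }
}

// Usage in a page code-behind (page and control names assumed).
public partial class StaffList : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Building a link: only a non-sensitive page number and sort key go into the URL.
        string nextPageUrl = QueryHelper.BuildUrl("StaffList.aspx",
            new Dictionary<string, string> { { "page", "2" }, { "sort", "name" } });

        // Reading parameters: validate before use and fall back to safe defaults.
        int page;
        if (!QueryHelper.TryGetInt(Request, "page", 1, 10000, out page)) page = 1;
        string sort = QueryHelper.GetWhitelisted(Request, "sort", new[] { "name", "department" }, "name");

        // nextPageUrl, page and sort are now safe to use when rendering the list.
    }
}
```

Invalid input is answered with a default rather than an error page, which keeps probing of the parameters uninformative; the whitelist for `sort` is the pattern to apply whenever a parameter selects something on the server side.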


2. Server-side session usage

Because session state is held on the server, it does not have the exposure problem of URL parameters, so the session can hold information with a higher security level. The session must not be abused, however.

Session usage requirements:

A. Within the project, assignment and cleanup of session values must be managed uniformly through a dedicated session class (provisionally named SessionManager). Pages are not allowed to call the Session object directly; every access goes through SessionManager.

B. SessionManager does not expose session entries with arbitrary custom names. (For example, if Session["name"] is needed, add it to SessionManager as a static property such as SessionManager.Name and use that instead.) Clearing entries works the same way.

C. Session usage should be kept to a minimum. SessionManager provides three to five entries (the number can be adjusted to the size of the project). Entries with similar purposes can be merged into one: the stored content is combined in an agreed format and parsed again when it is used.

D. Information held in some entries becomes useless once it has been consumed and should be cleared as soon as possible. If it cannot be cleared immediately, choose a suitable place to clear it, considering the application as a whole. These steps are manual. In addition, the session timeout configured in IIS should not be too long; 20 minutes is generally a good value. A management system running on a LAN can relax this as appropriate.

E. Session exceptions. Sessions are often regarded as unstable, but they are not inherently so. Because they can be used so flexibly, session management tends to become confused; in most cases a session exception is caused by the program's own code, and reasonable management provides both ease of use and security. That is the purpose of unified management through the SessionManager class:

If a session is found to be invalid, this class throws an exception and the user is asked to log on again.
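The following is an added example of such a class, not code from the original article: a `SessionManager` with a fixed set of entries, a merged entry that is parsed on use, explicit cleanup, and an `InvalidSessionException` that a base page turns into a redirect to the logon page. The entry names (`UserName`, `Role`, `Preferences`), the class names and `Login.aspx` are assumptions for illustration.

```csharp
// Added example (not from the original article): centralised session handling
// for ASP.NET Web Forms as sections 2.A to 2.E describe. All names are assumed.
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.SessionState;

// Thrown when the session is missing or no longer holds the expected value.
public class InvalidSessionException : Exception
{
    public InvalidSessionException(string message) : base(message) { }
}

public static class SessionManager
{
    // The fixed set of entries (2.B): pages may not invent Session[...] names of their own.
    private const string UserNameKey = "UserName";
    private const string RoleKey = "Role";
    private const string PreferencesKey = "Preferences";

    private static HttpSessionState Current
    {
        get
        {
            HttpContext ctx = HttpContext.Current;
            if (ctx == null || ctx.Session == null)
                throw new InvalidSessionException("No session is available for this request.");
            return ctx.Session;
        }
    }

    // A required value: absence means the user is not, or no longer, logged on (2.E).
    public static string UserName
    {
        get
        {
            string value = Current[UserNameKey] as string;
            if (string.IsNullOrEmpty(value))
                throw new InvalidSessionException("The session has expired; please log on again.");
            return value;
        }
        set { Current[UserNameKey] = value; }
    }

    public static string Role
    {
        get { return Current[RoleKey] as string ?? ""; }
        set { Current[RoleKey] = value; }
    }

    // Several small related settings share one entry (2.C), packed as
    // "key=value;key=value" and parsed when read. Keys and values are assumed
    // not to contain '=' or ';'.
    public static string GetPreference(string key)
    {
        string value;
        return ParsePreferences().TryGetValue(key, out value) ? value : null;
    }

    public static void SetPreference(string key, string value)
    {
        Dictionary<string, string> prefs = ParsePreferences();
        prefs[key] = value;
        var parts = new List<string>();
        foreach (var kv in prefs) parts.Add(kv.Key + "=" + kv.Value);
        Current[PreferencesKey] = string.Join(";", parts);
    }

    private static Dictionary<string, string> ParsePreferences()
    {
        var prefs = new Dictionary<string, string>(StringComparer.Ordinal);
        string packed = Current[PreferencesKey] as string ?? "";
        foreach (string pair in packed.Split(new[] { ';' }, StringSplitOptions.RemoveEmptyEntries))
        {
            int eq = pair.IndexOf('=');
            if (eq > 0) prefs[pair.Substring(0, eq)] = pair.Substring(eq + 1);
        }
        return prefs;
    }

    // Clear a transient entry as soon as it is no longer needed (2.D).
    public static void ClearPreferences() { Current.Remove(PreferencesKey); }

    // Clear everything at logoff; Abandon also ends the server-side session.
    public static void ClearAll() { Current.Clear(); Current.Abandon(); }
}

// Base page for protected pages: an invalid session becomes a trip to the logon page (2.E).
public class SecurePage : System.Web.UI.Page
{
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        try
        {
            string user = SessionManager.UserName;   // throws if not logged on
        }
        catch (InvalidSessionException)
        {
            Response.Redirect("Login.aspx");
        }
    }
}
```

The 20-minute idle timeout from 2.D is configured in web.config with `<sessionState timeout="20" />`. The `Current` property is where the "session exceptions" of 2.E are caught in one place: `HttpContext.Current.Session` is null in handlers that do not request session state, and the session is empty after a timeout or an application restart, so both cases surface as one well-defined exception instead of a `NullReferenceException` somewhere in page code.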


3. The multi-window client problem when using sessions

Problem:

For example, the company staff list is displayed on one page. Clicking a staff member's link opens a new window showing that person's details, and clicking several links opens several windows (a new window is opened on the web through script). Passing the employee ID as a URL parameter is obviously insecure. But if the employee ID is saved in the session and read back in the window that opens, there is obvious confusion as soon as more than one window is open.

Solution:

To solve the problem that each of several open child pages needs its own parameter value, the session entry must have a dynamic name. When the parent page opens a child page, it generates the entry name from a time tick value; for example, the entry is Session["name" + tick].

In this way, when a child page is opened from the parent page, only the tick value needs to be passed in the URL. When the child page needs the value of "name", it reads Session["name" + tick] directly.

Implementation:

To ensure that each child page obtains its own session value, every child page must be opened with a tick URL parameter; in each child page, reading the tick value is all that is needed to locate the corresponding session entry.
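The tick scheme end to end, as an added example that is not part of the original article: the parent page stores the employee ID under a key derived from the tick and opens the child window with only the tick in the URL; the child page validates the tick, reads the entry and removes it at once, following 2.D. `WindowSession`, `StaffList`, `EmployeeDetail.aspx` and the `EmployeeId_` key prefix are assumptions for illustration; in a real project the two helper methods would live in the project's SessionManager class.

```csharp
// Added example (not from the original article): per-window session entries
// keyed by a tick value as section 3 describes. All names are assumed.
using System;
using System.Web.SessionState;
using System.Web.UI;
using System.Web.UI.WebControls;

public static class WindowSession
{
    private const string EmployeeIdPrefix = "EmployeeId_";

    // Parent page: store the employee ID under a key unique to this window and
    // return the tick that the child URL will carry.
    public static long StoreEmployeeId(HttpSessionState session, int employeeId)
    {
        long tick = DateTime.UtcNow.Ticks;
        session[EmployeeIdPrefix + tick] = employeeId;
        return tick;
    }

    // Child page: validate the tick from the URL, look up the ID for this window
    // and remove the entry immediately, so a reused or guessed tick yields nothing.
    public static bool TryTakeEmployeeId(HttpSessionState session, string rawTick, out int employeeId)
    {
        employeeId = 0;
        long tick;
        if (!long.TryParse(rawTick, out tick)) return false;
        string key = EmployeeIdPrefix + tick;
        object stored = session[key];
        if (!(stored is int)) return false;
        session.Remove(key);
        employeeId = (int)stored;
        return true;
    }
}

public partial class StaffList : Page
{
    // Command handler of a LinkButton whose CommandArgument is the employee ID (assumed markup).
    protected void StaffLink_Command(object sender, CommandEventArgs e)
    {
        int employeeId = Convert.ToInt32(e.CommandArgument);
        long tick = WindowSession.StoreEmployeeId(Session, employeeId);
        // Only the meaningless tick appears in the URL of the new window.
        string script = "window.open('EmployeeDetail.aspx?tick=" + tick + "');";
        ClientScript.RegisterStartupScript(GetType(), "open" + tick, script, true);
    }
}

public partial class EmployeeDetail : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        int employeeId;
        if (!WindowSession.TryTakeEmployeeId(Session, Request.QueryString["tick"], out employeeId))
        {
            // Missing, malformed or already-consumed tick: back to the list, no details shown.
            Response.Redirect("StaffList.aspx");
            return;
        }
        // Load and display the record for employeeId here. Whether the logged-on
        // user may view this record is still checked server-side; the tick only
        // selects which window gets which value.
    }
}
```

Two points to keep in mind with this design. Removing the entry on first read means a refresh of the child page loses the value; if refresh must work, keep the entry and clear it when the window is closed, as 2.D suggests, rather than leaving it until the session times out. And the tick is a session-scoped lookup key, nothing more: what protects the employee ID is that it never leaves the server, while access to the record itself must still be authorized for the logged-on user.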
