A class that encrypts cookies to prevent tampering

Posted: 2006/8/19 20:30:54      Reads: 6757     Attachment: 加密cookie防止给篡改HttpCookieEncryption.zip (costs 10 points)     Downloads: 16
        Many sites use cookies for authentication, but cookies are easily abused by attackers. Cookies are also used to retrieve a particular user's session state: the session ID is stored in a cookie that travels back and forth with each request and is kept on the browser's machine. If that session cookie is stolen, it can likewise be used to get an attacker into the system and into someone else's session state. Naturally, this is only possible while the session in question is still active (usually no more than 20 minutes). An attack carried out through an impersonated session state is called session hijacking.
  How dangerous is this attack? It is hard to say. It depends on what the web site does and, more importantly, on how its pages are designed. Suppose, for example, that you could obtain someone else's session cookie and attach it to a request for a page on the site. You load the page and step through its ordinary user interface. Apart from the page now working with another user's session state, you cannot inject any code into it or modify anything in it. That in itself is not too bad, but if the information in that session is sensitive and critical, it can lead directly to a successful exploit. The attacker cannot reach into the session store itself, but he can use the information kept there as if he had logged in legitimately.
  The design of the application's pages is therefore the key to defending against session hijacking. Two points remain open, though. First, how do you prevent cookie theft? Second, how can ASP.NET detect and block a hijack?
  The ASP.NET session cookie is extremely simple: it contains nothing but the session ID string itself. The ASP.NET runtime extracts the session ID from the cookie and compares it with the active sessions. If the ID is valid, ASP.NET attaches to the corresponding session and continues. This behaviour greatly helps an attacker who has stolen, or can guess, a valid session ID.
      I recently learned a few methods for encrypting cookies, so I am posting them here to share. Here is the code:
Imports System.Diagnostics
Imports System.Security.Cryptography
Imports System.Text
Imports System.IO
Imports System.Web

Public Class CryptoUtil

    ' Eight fixed bytes, one serving as the DES key and the other as the initialization vector
    Private Shared KEY_64() As Byte = {42, 16, 93, 156, 78, 4, 218, 32}
    Private Shared IV_64() As Byte = {55, 103, 246, 79, 36, 99, 167, 3}

    ' TripleDES takes a 24-byte (192-bit) key. The IV is still one 8-byte block: the original
    ' 24-byte IV array was silently truncated to its first 8 bytes by the .NET Framework CAPI
    ' provider, and newer runtimes reject an IV that does not match the block size.
    Private Shared KEY_192() As Byte = {42, 16, 93, 156, 78, 4, 218, 32, 15, 167, 44, 80, 26, 250, 155, 112, 2, 94, 11, 204, 119, 35, 184, 194}
    Private Shared IV_192() As Byte = {55, 103, 246, 79, 36, 99, 167, 3}

    ' Standard DES encryption
    Public Shared Function Encrypt(ByVal value As String) As String
        Dim cryptoProvider As DESCryptoServiceProvider = _
            New DESCryptoServiceProvider()
        Dim ms As MemoryStream = New MemoryStream()
        Dim cs As CryptoStream = _
            New CryptoStream(ms, cryptoProvider.CreateEncryptor(KEY_64, IV_64), _
                CryptoStreamMode.Write)
        Dim sw As StreamWriter = New StreamWriter(cs)

        sw.Write(value)
        sw.Flush()
        cs.FlushFinalBlock()
        ms.Flush()

        ' Then convert the ciphertext to a string
        ' (ToArray copies exactly the bytes written; GetBuffer would expose unused capacity)
        Return Convert.ToBase64String(ms.ToArray())
    End Function


    ' Standard DES decryption
    Public Shared Function Decrypt(ByVal value As String) As String
        Dim cryptoProvider As DESCryptoServiceProvider = _
            New DESCryptoServiceProvider()

        ' Convert the string back to a byte array
        Dim buffer As Byte() = Convert.FromBase64String(value)
        Dim ms As MemoryStream = New MemoryStream(buffer)
        Dim cs As CryptoStream = _
            New CryptoStream(ms, cryptoProvider.CreateDecryptor(KEY_64, IV_64), _
                CryptoStreamMode.Read)
        Dim sr As StreamReader = New StreamReader(cs)

        Return sr.ReadToEnd()
    End Function


    ' TripleDES encryption
    Public Shared Function EncryptTripleDES(ByVal value As String) As String
        Dim cryptoProvider As TripleDESCryptoServiceProvider = _
            New TripleDESCryptoServiceProvider()
        Dim ms As MemoryStream = New MemoryStream()
        Dim cs As CryptoStream = _
            New CryptoStream(ms, cryptoProvider.CreateEncryptor(KEY_192, IV_192), _
                CryptoStreamMode.Write)
        Dim sw As StreamWriter = New StreamWriter(cs)

        sw.Write(value)
        sw.Flush()
        cs.FlushFinalBlock()
        ms.Flush()

        ' Then convert the ciphertext to a string
        Return Convert.ToBase64String(ms.ToArray())
    End Function


    ' TripleDES decryption
    Public Shared Function DecryptTripleDES(ByVal value As String) As String
        Dim cryptoProvider As TripleDESCryptoServiceProvider = _
            New TripleDESCryptoServiceProvider()

        ' Convert the string back to a byte array
        Dim buffer As Byte() = Convert.FromBase64String(value)
        Dim ms As MemoryStream = New MemoryStream(buffer)
        Dim cs As CryptoStream = _
            New CryptoStream(ms, cryptoProvider.CreateDecryptor(KEY_192, IV_192), _
                CryptoStreamMode.Read)
        Dim sr As StreamReader = New StreamReader(cs)

        Return sr.ReadToEnd()
    End Function


End Class


Public Class CookieUtil

    ' SET COOKIE *****************************************************

    ' SetTripleDESEncryptedCookie (cookie name and value only)
    Public Shared Sub SetTripleDESEncryptedCookie(ByVal key As String, _
            ByVal value As String)
        key = CryptoUtil.EncryptTripleDES(key)
        value = CryptoUtil.EncryptTripleDES(value)

        SetCookie(key, value)
    End Sub


    ' SetTripleDESEncryptedCookie (adds an expiry date for the cookie)
    Public Shared Sub SetTripleDESEncryptedCookie(ByVal key As String, _
            ByVal value As String, ByVal expires As Date)
        key = CryptoUtil.EncryptTripleDES(key)
        value = CryptoUtil.EncryptTripleDES(value)

        SetCookie(key, value, expires)
    End Sub


    ' SetEncryptedCookie (cookie name and value only)
    Public Shared Sub SetEncryptedCookie(ByVal key As String, _
            ByVal value As String)
        key = CryptoUtil.Encrypt(key)
        value = CryptoUtil.Encrypt(value)

        SetCookie(key, value)
    End Sub


    ' SetEncryptedCookie (adds an expiry date for the cookie)
    Public Shared Sub SetEncryptedCookie(ByVal key As String, _
            ByVal value As String, ByVal expires As Date)
        key = CryptoUtil.Encrypt(key)
        value = CryptoUtil.Encrypt(value)

        SetCookie(key, value, expires)
    End Sub


    ' SetCookie (cookie name and value only)
    Public Shared Sub SetCookie(ByVal key As String, ByVal value As String)
        ' URL-encode both parts (Base64 output contains '+', '/' and '=')
        key = HttpContext.Current.Server.UrlEncode(key)
        value = HttpContext.Current.Server.UrlEncode(value)

        Dim cookie As HttpCookie
        cookie = New HttpCookie(key, value)
        SetCookie(cookie)
    End Sub


    ' SetCookie (adds an expiry date for the cookie)
    Public Shared Sub SetCookie(ByVal key As String, _
            ByVal value As String, ByVal expires As Date)
        ' URL-encode both parts
        key = HttpContext.Current.Server.UrlEncode(key)
        value = HttpContext.Current.Server.UrlEncode(value)

        Dim cookie As HttpCookie
        cookie = New HttpCookie(key, value)
        cookie.Expires = expires
        SetCookie(cookie)
    End Sub


    ' SetCookie (takes a ready-made HttpCookie)
    Public Shared Sub SetCookie(ByVal cookie As HttpCookie)
        HttpContext.Current.Response.Cookies.Set(cookie)
    End Sub


    ' GET COOKIE *****************************************************

    Public Shared Function GetTripleDESEncryptedCookieValue(ByVal key As String) _
            As String
        ' Only the name is encrypted here, so it matches the name that was stored
        key = CryptoUtil.EncryptTripleDES(key)

        ' Read the cookie value
        Dim value As String
        value = GetCookieValue(key)
        ' No such cookie: return Nothing rather than passing Nothing to the decryptor
        If value Is Nothing Then Return Nothing
        ' Decrypt the cookie value
        value = CryptoUtil.DecryptTripleDES(value)
        Return value
    End Function


    Public Shared Function GetEncryptedCookieValue(ByVal key As String) As String
        ' Only the name is encrypted here, so it matches the name that was stored
        key = CryptoUtil.Encrypt(key)

        ' Read the cookie value
        Dim value As String
        value = GetCookieValue(key)
        ' No such cookie: return Nothing rather than passing Nothing to the decryptor
        If value Is Nothing Then Return Nothing
        ' Decrypt the cookie value
        value = CryptoUtil.Decrypt(value)
        Return value
    End Function


    Public Shared Function GetCookie(ByVal key As String) As HttpCookie
        ' Encode the name the same way SetCookie did
        key = HttpContext.Current.Server.UrlEncode(key)
        Return HttpContext.Current.Request.Cookies.Get(key)
    End Function


    Public Shared Function GetCookieValue(ByVal key As String) As String
        Try
            ' Encoding of the name is done inside GetCookie
            ' Read the cookie value
            Dim value As String
            value = GetCookie(key).Value
            ' Decode the stored value
            value = HttpContext.Current.Server.UrlDecode(value)
            Return value
        Catch
            ' A missing cookie makes GetCookie return Nothing and .Value throw; report it as Nothing
            Return Nothing
        End Try
    End Function


End Class



The code above was taken from the web and tested OK under VS2005. Which of the two methods you use to encrypt the cookie is up to you. Usage is simple: encrypt before writing to the client, and decrypt after reading it back. (A C# cookie-encryption example is also attached; it takes a different approach, so pick whichever suits you.) 
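One caveat for the CryptoUtil approach above: DES/3DES in CBC mode with a fixed key and IV gives confidentiality only, and a modified cookie value either decrypts to garbage or raises a padding exception, so nothing tells the server "this was tampered with". The example below is added here and is not from the post or its attachment; it assumes .NET 6 or later and shows the missing piece, an HMAC over the encrypted value that is verified (in constant time) before any decryption runs.

```csharp
// Added example, not from the post or its attachment. Assumes .NET 6 or later.
using System;
using System.Security.Cryptography;
using System.Text;

public static class ProtectedCookie
{
    // Constructed sample keys for this demo only; a real deployment loads them from
    // configuration or a secret store so every server instance (and restart) agrees.
    private static readonly byte[] EncKey = RandomNumberGenerator.GetBytes(32);
    private static readonly byte[] MacKey = RandomNumberGenerator.GetBytes(32);
    private const int IvLen = 16, TagLen = 32;

    // Cookie value = base64( iv || AES-CBC ciphertext || HMAC-SHA256(iv || ciphertext) ).
    // A fresh IV per value avoids the fixed key/IV reuse of the post's CryptoUtil,
    // and the tag is what actually lets the server detect a modified cookie.
    public static string Protect(string plaintext)
    {
        using var aes = Aes.Create();
        aes.Key = EncKey;
        aes.GenerateIV();
        byte[] cipher = aes.EncryptCbc(Encoding.UTF8.GetBytes(plaintext), aes.IV);
        byte[] body = new byte[IvLen + cipher.Length];
        Buffer.BlockCopy(aes.IV, 0, body, 0, IvLen);
        Buffer.BlockCopy(cipher, 0, body, IvLen, cipher.Length);
        byte[] tag = HMACSHA256.HashData(MacKey, body);
        byte[] token = new byte[body.Length + TagLen];
        Buffer.BlockCopy(body, 0, token, 0, body.Length);
        Buffer.BlockCopy(tag, 0, token, body.Length, TagLen);
        return Convert.ToBase64String(token);
    }

    // Returns null for anything that is not an unmodified value produced by Protect:
    // bad base64, truncated data, or a tag mismatch. Decryption only runs after the
    // tag has been verified, so padding errors never act as a tampering oracle.
    public static string? Unprotect(string cookieValue)
    {
        byte[] token;
        try { token = Convert.FromBase64String(cookieValue); }
        catch (FormatException) { return null; }
        if (token.Length < IvLen + TagLen) return null;
        byte[] body = token[..^TagLen];
        byte[] tag = token[^TagLen..];
        byte[] expected = HMACSHA256.HashData(MacKey, body);
        if (!CryptographicOperations.FixedTimeEquals(tag, expected)) return null;
        using var aes = Aes.Create();
        aes.Key = EncKey;
        return Encoding.UTF8.GetString(aes.DecryptCbc(body[IvLen..], body[..IvLen]));
    }
}
```

A null from Unprotect should be treated exactly like a missing cookie (force re-authentication); because the demo generates its keys at startup, values issued before a restart will also fail verification until persisted keys are used.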
Comments
  • Re: A class that encrypts cookies to prevent tampering  (2006/9/1 16:42:39) by 扬帆 
    Very nice
  • Re: A class that encrypts cookies to prevent tampering  (2006/9/6 0:08:34) by williamyu 
    Good stuff!
  • Re: A class that encrypts cookies to prevent tampering  (2006/12/19 10:06:54) by zhangyifei 
    Very nice, worth learning from!
  • Re: A class that encrypts cookies to prevent tampering  (2007/1/24 20:59:38) by ciyo58 
    Great article, thanks!
  • Re: A class that encrypts cookies to prevent tampering  (2007/5/11 8:43:57) by hy007 
    Not bad
  • Re: A class that encrypts cookies to prevent tampering  (2007/5/11 16:02:23) by childss 
    I'd like to download it but I don't have enough points~~
  • Re: A class that encrypts cookies to prevent tampering  (2007/5/23 13:36:03) by enson 
    Good!
  • Re: A class that encrypts cookies to prevent tampering  (2007/9/6 14:39:21) by leellc 
    Help: is there a good way to implement cross-site login? There are three sites, one written in PHP, one in ASP.NET and one in ASP, and they now need a synchronized login. Any good approaches?
  • Re: A class that encrypts cookies to prevent tampering  (2007/11/23 16:49:53) by jixiudong 
    Support, this is exactly what I needed
  • Re: A class that encrypts cookies to prevent tampering  (2009/9/15 15:14:00) by 阿貓 
    Very good DD.....it's what I need, do you have a C# version? hah...!!!!!
  • Re: A class that encrypts cookies to prevent tampering  (2010/7/30 17:02:43) by yujie 
    Heh, if it's on the client side, how can it stop cracking? It can still be stolen.