问题
In my website, I am not using any authentication or authorization. I've created login page to capture the user credentials and check against database. If the user successfully authenticates, it's storing the user data in session and navigating to other pages.
How thinking of implementing Forms Authentication, but my concern is how to secure the authentication token in client browser for security reasons. Does anyone have any ideas how to secure the authentication token?
回答1:
Session:
Fast, Scalable, and Secure Session State Management for Your Web Applications
Authentication:
How To: Protect Forms Authentication in ASP.NET 2.0
Step 1. Configure
Ensure that your forms authentication tickets are encrypted and integrity checked by setting protection="All" on the element. This is the default setting and you can view this in the Machine.config.comments file.
<forms protection="All" ... />
Step 2. Use SHA1 for HMAC Generation and AES for Encryption
<machineKey
validationKey="AutoGenerate,IsolateApps"
decryptionKey="AutoGenerate,IsolateApps"
decryption="Auto"
validation="SHA1" />
Step 3. Protect Authentication Tickets with SSL
<forms loginUrl="Secure\Login.aspx"
requireSSL="true" ... />
来源:https://stackoverflow.com/questions/3266705/securing-asp-net-forms-authentication-token-on-client-side