[转载]HttpSecureCookie (一种加密ASP.NET 2.0的Cookies的方法)(页 1) - 脚本程序设计{ All Kinds of Scripts } - 月之引力[ ASP ] - 邪恶八进制信息安全团队技术讨论组努力为祖国的信息安全撑起一片蓝天

EvilOctal 2006-4-15 19:07

[转载]HttpSecureCookie (一种加密ASP.NET 2.0的Cookies的方法)

原始连接：<A href="http://www.codeproject.com/aspnet/HttpSecureCookie.asp">[url]http://www.codeproject.com/aspnet/HttpSecureCookie.asp[/url]</A> 
<H2>Introduction</H2>
I really have some good laughs when I tamper with cookies on my machine and watch the results when it is submitted back to the site. On the other hand, I don’t want any one to do the same to the cookies that I make!
Cookies, most of the times, shouldn’t be in plain text, at least, they should be tamper-proof! Revealing the content of your cookies might give curious and malicious people an idea about your application’s architecture, and that might help hacking it.
ASP.NET encodes and hashes its authorization ticket, making it secure and tamper-proof. However, the methods used to secure authorization cookies are inaccessible from outside the .NET framework libraries, so you can’t protect your own cookie using these methods; you need to protect it yourself using your own encryption key, encoding and hashing algorithms. <CODE>HttpSecureCookie</CODE> works around this by accessing the same methods ASP.NET uses for cookie authorization.
Of course, you shouldn’t save valuable information in your cookies, but if you have to, then this library is at your disposal.
<H2>Background</H2>
Before you start using this code, if you do not know what <CODE>MachineKey</CODE> is, I highly recommend checking this MSDN article: <A href="http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/paght000007.asp" target=_blank>How To: Configure MachineKey in ASP.NET 2.0</A>.
ASP.NET uses the <CODE>System.Web.Security.CookieProtectionHelper</CODE> internal class to decode and encode the content of a cookie before submitting it to the client. This class is based on the <CODE>MachineKey</CODE>. I wonder why Microsoft kept this class internal!?
To be able to access this internal class, I had to use reflection to be able to access the <CODE>Decode</CODE> and <CODE>Encode</CODE> methods of <CODE>CookieProtectionHelper</CODE>.
Eric Newton has a similar and good article on CP: <A href="http://www.codeproject.com/aspnet/HttpCookieEncryption.asp" target=_blank>Encrypting cookies to prevent tampering</A>. However, that code is made for .NET 1.1 and it doesn't work with .NET 2.0 (but it does with some modifications); moreover, its resulting cipher text is in binary format versus being in encrypted format, and I don't know if this is a security risk. Also, I am accessing a higher level class <CODE>System.Web.Security.CookieProtectionHelper</CODE> than the one used by that article, <CODE>System.Web.Configuration.MachineKey</CODE>, to obtain the cryptography service, and that saved me time by not writing some low level code.
There is also another available method for encoding cookies, by using the <CODE>FormsAuthenticationTicket</CODE> and <CODE>FormsAuthentication.Encrypt</CODE>; for more information, check the section "Creating the Forms Authentication Cookie" on <A href="http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/PAGExplained0002.asp" target=_blank>Explained: Forms Authentication in ASP.NET 2.0</A>. However, I believe, the method mentioned in this article is more flexible.
<H2>Obtaining Reference to the CookieProtectionHelper Class via Reflection</H2>
To be able to access <CODE>System.Web.Security.CookieProtectionHelper</CODE>, I had to create a wrapper class <CODE>CookieProtectionHelperWrapper</CODE> which uses reflection to obtain a reference to the underlying methods and exposes the same methods as of the original class:<PRE lang=cs>public static class CookieProtectionHelperWrapper {

private static MethodInfo _encode;
private static MethodInfo _decode;

static CookieProtectionHelperWrapper() {
 // obtaining a reference to System.Web assembly
 Assembly systemWeb = typeof(HttpContext).Assembly;
 if (systemWeb == null) {
 throw new InvalidOperationException(
 "Unable to load System.Web.");
 }
 // obtaining a reference to the internal class CookieProtectionHelper
 Type cookieProtectionHelper = systemWeb.GetType(
 "System.Web.Security.CookieProtectionHelper");
 if (cookieProtectionHelper == null) {
 throw new InvalidOperationException(
 "Unable to get the internal class CookieProtectionHelper.");
 }
 // obtaining references to the methods of CookieProtectionHelper class
 _encode = cookieProtectionHelper.GetMethod(
 "Encode", BindingFlags.NonPublic | BindingFlags.Static);
 _decode = cookieProtectionHelper.GetMethod(
 "Decode", BindingFlags.NonPublic | BindingFlags.Static);

 if (_encode == null || _decode == null) {
 throw new InvalidOperationException(
 "Unable to get the methods to invoke.");
 }
}

public static string Encode(CookieProtection cookieProtection,
 byte[] buf, int count) {
 return (string)_encode.Invoke(null,
 new object[] { cookieProtection, buf, count });
}

public static byte[] Decode(CookieProtection cookieProtection,
 string data) {
 return (byte[])_decode.Invoke(null,
 new object[] { cookieProtection, data });
}

}</PRE>
<H2>MachineKeyCryptography: A Cryptography Class Based on MachineKey</H2>
<CODE>MachineKeyCryptography</CODE> is a static class that provides text ciphering and tamper-proofing services, it provides higher level access to <CODE>CookieProtectionHelperWrapper</CODE>. So, if you want to cipher any text based on the machine key, this class is the right one to use.<PRE lang=cs>public static string Encode(string text, CookieProtection cookieProtection) {
if (string.IsNullOrEmpty(text) || cookieProtection == CookieProtection.None) {
 return text;
}
byte[] buf = Encoding.UTF8.GetBytes(text);
return CookieProtectionHelperWrapper.Encode(cookieProtection, buf, buf.Length);
}

public static string Decode(string text, CookieProtection cookieProtection) {
if (string.IsNullOrEmpty(text)) {
 return text;
}
byte[] buf;
try {
 buf = CookieProtectionHelperWrapper.Decode(cookieProtection, text);
}
catch(Exception ex) {
 throw new InvalidCypherTextException(
 "Unable to decode the text", ex.InnerException);
}
if (buf == null || buf.Length == 0) {
 throw new InvalidCypherTextException(
 "Unable to decode the text");
}
return Encoding.UTF8.GetString(buf, 0, buf.Length);
}</PRE>
<H2>HttpSecureCookie Class</H2>
This static class will handle the service of securing the content of a cookie. Also, it provides a service to clone a cookie. This class uses <CODE>MachineKeyCryptography</CODE> internally to provide crypting services:<PRE lang=cs>public static class HttpSecureCookie {

public static HttpCookie Encode(HttpCookie cookie) {
 return Encode(cookie, CookieProtection.All);
}

public static HttpCookie Encode(HttpCookie cookie,
 CookieProtection cookieProtection) {
 HttpCookie encodedCookie = CloneCookie(cookie);
 encodedCookie.Value =
 MachineKeyCryptography.Encode(cookie.Value, cookieProtection);
 return encodedCookie;
}

public static HttpCookie Decode(HttpCookie cookie) {
 return Decode(cookie, CookieProtection.All);
}

public static HttpCookie Decode(HttpCookie cookie,
 CookieProtection cookieProtection) {
 HttpCookie decodedCookie = CloneCookie(cookie);
 decodedCookie.Value =
 MachineKeyCryptography.Decode(cookie.Value, cookieProtection);
 return decodedCookie;
}

public static HttpCookie CloneCookie(HttpCookie cookie) {
 HttpCookie clonedCookie = new HttpCookie(cookie.Name, cookie.Value);
 clonedCookie.Domain = cookie.Domain;
 clonedCookie.Expires = cookie.Expires;
 clonedCookie.HttpOnly = cookie.HttpOnly;
 clonedCookie.Path = cookie.Path;
 clonedCookie.Secure = cookie.Secure;

 return clonedCookie;
}
}</PRE>
<H2>Using the Code</H2>
Using <CODE>HttpSecureCookie</CODE> is easy; for a complete demo, please check the sample application. To encode a cookie:<PRE lang=cs>HttpCookie cookie = new HttpCookie("UserName", "Terminator");
cookie.Expires = DateTime.Now.AddDays(1);
HttpCookie encodedCookie = HttpSecureCookie.Encode(cookie);
Response.Cookies.Add(encodedCookie);</PRE>
To decode an encoded cookie:<PRE lang=cs>HttpCookie cookie = Request.Cookies["UserName"];
lblDisplayBefore.Text = cookie.Value;
HttpCookie decodedCookie = HttpSecureCookie.Decode(cookie);</PRE>
To use <CODE>HttpSecureCookie</CODE> on a web farm, you need to set the correct <CODE>MachineKey</CODE> configuration in Web.Config. For more information, check the "Web Farm Deployment Considerations" section on <A href="http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/paght000007.asp" target=_blank>How To: Configure MachineKey in ASP.NET 2.0</A>. To generate a machine key, please check <A href="http://support.microsoft.com/default.aspx?scid=kb;en-us;Q312906" target=_blank>How to create keys by using Visual C# .NET for use in Forms authentication</A>.
<H2>Limitations</H2>
This library uses reflection, so it might break with the next version of .NET. Also, it doesn't work with .NET 1.1.
Reflection might have some performance implication; however, I used an assembly that is already loaded, "System.Web.dll", and I am only using reflection once across the life time of the application, to gain extra performance.
<H2>Conclusion</H2>
If you don't want a sophisticated cookie encryption service, if you don't want to mind the encryption key, and if you don't want to create your own encryption algorithm, then this library is for you!
Comments and suggestions are welcome. Please vote if you like this article (or if you didn't).
<H2>History</H2>
<UL>
<LI>1 April 2006 - First version. </LI></UL>
<H2>About Adam Tibi</H2>
<TABLE width="100%" border=0>
<TBODY>
<TR vAlign=top>
<TD class=smallText noWrap><IMG src="http://www.codeproject.com/script/profile/images/{1CD9697B-AEF9-4ADC-8119-2A14A87E73B6}.gif"> </TD>
<TD class=smallText width="100%">New technology addict and C# fan. Started developing commercial applications in 2000 with VB6 and MFC then moved to VB.NET, landed on C# and ASP.NET and never looked back. Currently focusing on enterprise architecture, design patterns, web controls and web services. In his free time, he likes playing chess, going to gym and discovering new places with his lovely wife. Lives in Guildford, UK and is a senior developer at <A href="http://www.yourinsurance.co.uk/" target=_blank>Your Insurance</A>!
Click <A href="http://www.codeproject.com/script/profile/whos_who.asp?vt=arts&id=582839">here</A> to view Adam Tibi's online profile.</TD></TR></TBODY></TABLE>

页: [1]

邪恶八进制信息安全团队技术讨论组's Archiver

[转载]HttpSecureCookie (一种加密ASP.NET 2.0的Cookies的方法)