We've noticed that it's possible to recreate a copy of an ASP.NET FormsAuthentication cookie on another machine, allowing the second machine to authenticate without needing to log in.
One suggested solution to this has been to store the session ID within FormsAuthenticationTicket.UserData and to check that the two values match inside Application_AuthenticateRequest().
We're using:
FormsAuthenticationTicket.IsPersistent = false;
Is this approach of associating FormsAuthentication cookie with the session ID a good idea?
The SetAuthCookie method adds a forms-authentication ticket to either the cookies collection, or to the URL if CookiesSupported is false. The forms-authentication ticket supplies forms-authentication information to the next request made by the browser.
Form-based authentication is not particularly secure on its own: the contents of the login dialog are sent as plain text, and the target server is not authenticated.
The ASPXAUTH cookie is used to determine if a user is authenticated. As far as the location of the cookie, that depends on your browser. If you are using Firefox you can view the cookie by clicking on Tools -> Options -> Privacy. Then scroll down to the domain and expand it to see the cookie and its value.
ASP.NET provides classes and methods that help secure an application against outside attacks. The authentication mode is set in web.config, where the authentication element's mode value can be 'windows' or 'forms', among others.
I think that you are overthinking the problem. The ability to copy a cookie is just an inherent problem of cookies - anyone can intercept any cookie and impersonate whatever data is in there by setting it up on another machine.
The "security" of the authentication cookie comes from the fact that no one can (supposedly) craft the cookie by hand to fake an authenticated user. However, once the cookie is created, of course it can be used for authentication. This means that in order for your "problem" to happen, you still need to have a valid user log in first. If that user is abusing the system by copying his cookie to other machines to give everyone access, it's exactly the same thing as the user just telling everyone her username and password, except far more obtuse. Therefore, the problem isn't the copying of the cookie - it's the user herself.
Another attack vector would be if the network is compromised and someone can intercept the traffic to piece together the cookie via a sniffer or whatever - but again, this is inherent with cookies themselves. This is called Session Hijacking, and the only way to protect against this is to use SSL for your site.
If you're really worried about it, I'd just set your authentication and session timeouts to be the same, and then in your global.asax file, simply call FormsAuthentication.SignOut() whenever the user's session expires. This invalidates the authentication whenever the user is done with their session, forcing them to log in again later. Of course, this might be an extreme annoyance to your users...
I would also highly recommend this MSDN article. It probably answers your questions a lot better than I can.
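The session-binding check the question describes and the sign-out-on-session-expiry the answer suggests, written out as an added example (not code from the question, the answer or the MSDN article). It assumes a Global.asax code-behind class named Global, a 20-minute session timeout, and a hypothetical IssueTicket helper called from the login page; session state is not available yet in Application_AuthenticateRequest, so the comparison runs in Application_PostAcquireRequestState instead.

```csharp
// Global.asax.cs (assumed file name); added example, not the page's own code.
using System;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    // Hypothetical helper, called from the login page after credentials are verified.
    public static void IssueTicket(HttpContext ctx, string userName)
    {
        // ASP.NET regenerates SessionID on every request until something is stored in
        // the session, so store a value first to make the ID stable.
        ctx.Session["login"] = userName;
        var ticket = new FormsAuthenticationTicket(
            version: 1,
            name: userName,
            issueDate: DateTime.Now,
            expiration: DateTime.Now.AddMinutes(20), // assumed: same as the session timeout
            isPersistent: false,
            userData: ctx.Session.SessionID);
        ctx.Response.Cookies.Add(new HttpCookie(FormsAuthentication.FormsCookieName,
                                                FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,
            Secure = FormsAuthentication.RequireSSL
        });
    }

    // Runs after session state has been acquired, unlike Application_AuthenticateRequest.
    protected void Application_PostAcquireRequestState(object sender, EventArgs e)
    {
        var ctx = Context;
        if (ctx.Session == null || !ctx.Request.IsAuthenticated) return;
        var identity = ctx.User.Identity as FormsIdentity;
        if (identity == null) return;

        // Mismatch means the ticket was issued for another session, or the original
        // session has expired and a new one was started: sign the user out either way.
        // Note: if both the auth cookie and the session cookie are copied together,
        // this check passes; it ties the ticket to the server-side session, nothing more.
        if (!string.Equals(identity.Ticket.UserData, ctx.Session.SessionID, StringComparison.Ordinal))
        {
            FormsAuthentication.SignOut();
            ctx.Session.Abandon();
            FormsAuthentication.RedirectToLoginPage();
        }
    }
}
```

Session_End has no request context, so FormsAuthentication.SignOut() cannot be called from it; the mismatch check above rejects the stale ticket on the next request instead.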