I have an ASP.NET web application using forms membership authentication. We have recently been penetration tested and an issue that was flagged was the ability to steal a user's account. If the .ASPXAUTH cookie value was copied from a user before logging out, a user could log in as a different user, edit their cookie to match the copied value and get all of their privileges.
On logging out I have tried:
Removing the cookie. I could successfully do this but it doesn't invalidate the FormsAuthenticationTicket.
Using FormsAuthentication.SignOut(), but found it does not prevent the attack.
I personally don't see this as a problem; I believe the only way it could be stolen is if a user manages to gain access to an authenticated user. This said, I need to fix this problem to appease the penetration testers.
Any ideas would be greatly appreciated! Thanks
On logging out I have tried: Removing the cookie.
I could successfully do this but it doesn't invalidate the FormsAuthenticationTicket.
Actually, when you remove the cookie, you remove it from your user; you cannot deactivate it, so if someone gets it, he can still use it.
The solutions can be:
Read more about this here: Can some hacker steal the cookie from a user and login with that name on a web site?
and Form Authentication - Cookie replay attack - protection
and http://support.microsoft.com/default.aspx?scid=kb;en-us;900111
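The question and the answer both come down to the same point: a forms authentication ticket is self-contained and signed, so nothing on the server "knows" it was logged out, and FormsAuthentication.SignOut() only clears the browser's copy. The usual fix is to give the server a say: record an identifier for every ticket you issue, drop that identifier on logout, and reject any ticket whose identifier is no longer recorded. The following is an added example (not code from the question, the answer, or the linked articles) showing that pattern on System.Web forms authentication. It assumes you issue the ticket yourself after verifying credentials (so you control UserData), that FormsAuthentication.Timeout is available (.NET 4.0 or later), and it uses an in-memory ConcurrentDictionary as a stand-in for the database or distributed cache you would need on a web farm; the class and module names are hypothetical.

```csharp
// Server-side revocation of forms authentication tickets (added example).
// A per-login random id is stored in the ticket's UserData and registered on
// the server; logout unregisters it, so a replayed copy of the old .ASPXAUTH
// cookie fails the check on the next request.
using System;
using System.Collections.Concurrent;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public static class TicketRegistry
{
    // Hypothetical in-memory store: login id -> user name. Replace with a
    // database/cache table so that every server in a farm sees revocations.
    private static readonly ConcurrentDictionary<string, string> Active =
        new ConcurrentDictionary<string, string>(StringComparer.Ordinal);

    // Call after the credentials have been verified, instead of
    // FormsAuthentication.SetAuthCookie(), so we can set UserData ourselves.
    public static void IssueTicket(HttpResponse response, string userName, bool persistent)
    {
        string loginId = Guid.NewGuid().ToString("N");   // unguessable per-login id
        Active[loginId] = userName;

        var ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.Add(FormsAuthentication.Timeout),
            persistent, loginId, FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                         // keep it away from script
            Secure = FormsAuthentication.RequireSSL, // honour <forms requireSSL>
            Path = FormsAuthentication.FormsCookiePath
        };
        if (persistent) cookie.Expires = ticket.Expiration;
        response.Cookies.Add(cookie);
    }

    // Logout: forget the id on the server first, then clear the cookie as usual.
    public static void Revoke(HttpRequest request)
    {
        FormsAuthenticationTicket ticket = ReadTicket(request);
        if (ticket != null && !string.IsNullOrEmpty(ticket.UserData))
        {
            string ignored;
            Active.TryRemove(ticket.UserData, out ignored);
        }
        FormsAuthentication.SignOut();
    }

    // A ticket is accepted only if it is unexpired, its id is still registered,
    // and the registered owner matches the name inside the ticket.
    public static bool IsStillValid(FormsAuthenticationTicket ticket)
    {
        if (ticket == null || ticket.Expired) return false;
        string owner;
        return Active.TryGetValue(ticket.UserData ?? string.Empty, out owner)
            && string.Equals(owner, ticket.Name, StringComparison.Ordinal);
    }

    public static FormsAuthenticationTicket ReadTicket(HttpRequest request)
    {
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return null;
        try { return FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { return null; }   // tampered, truncated or foreign cookie
    }
}

// Enforces the registry on every request. Register it in web.config under
// <system.webServer><modules> (integrated pipeline) or <system.web><httpModules>.
public class RevocableFormsAuthModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // Runs after FormsAuthenticationModule has decrypted the cookie and
        // set ctx.User, so we only have to veto tickets it already accepted.
        app.PostAuthenticateRequest += (sender, e) =>
        {
            HttpContext ctx = ((HttpApplication)sender).Context;
            if (ctx.User == null || !ctx.User.Identity.IsAuthenticated) return;

            if (TicketRegistry.IsStillValid(TicketRegistry.ReadTicket(ctx.Request))) return;

            // Revoked (or never issued by us): downgrade to anonymous, clear the
            // cookie and answer 401 so the forms module redirects to the login page.
            ctx.User = new GenericPrincipal(new GenericIdentity(string.Empty), new string[0]);
            FormsAuthentication.SignOut();
            ctx.Response.StatusCode = 401;
            ctx.ApplicationInstance.CompleteRequest();
        };
    }

    public void Dispose() { }
}
```

Your login page calls TicketRegistry.IssueTicket(Response, userName, rememberMe) after Membership.ValidateUser succeeds, and your logout handler calls TicketRegistry.Revoke(Request) in place of a bare FormsAuthentication.SignOut(). The registry check is what closes the finding: the copied cookie still decrypts and still carries a valid signature, but its login id is gone, so the module treats the request as unauthenticated. The same store also lets you revoke every login for a user (for example on password change) by removing all entries with that owner, and you should expire entries whose tickets have passed their Expiration so the store does not grow without bound.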