If an attacker copied the authentication cookie that is placed in the SetAuthCookie call from the victim's PC to their own PC, would the attacker be considered authenticated by the web application?
    public static void SetAuthCookie(
        string userName,
        bool createPersistentCookie
    )

Using standard forms authentication FormsAuthentication.SetAuthCookie and the argument createPersistentCookie = false.

Assume this for web configuration settings:

    <authentication mode="Forms">
      <forms name="MyWebApp" path="/" loginUrl="~/Default.aspx"
             timeout="30" defaultUrl="~/Default.aspx" protection="All"
             requireSSL="true" />
    </authentication>

Yes; ASP.NET does not include the IP address in auth cookies (and that wouldn't even help for shared WiFi or proxies).
However, since you have requireSSL="true", attackers will (in principle) not be able to get that cookie (unless they have access to the server or the client, in which case you have bigger problems).
This is why you should always use SSL.
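
The following is an added example, not part of the original question or answer: a small audit of the `<forms>` element that reports settings under which the ticket cookie is easier to capture. It goes slightly beyond the answer by also checking `protection` and `cookieless`; the function name `audit_forms_auth` and the `WEAK_CONFIG` sample are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# ASP.NET defaults that apply when an attribute is omitted from <forms>.
DEFAULTS = {"requireSSL": "false", "protection": "All", "cookieless": "UseDeviceProfile"}

def audit_forms_auth(config_xml):
    """Return a list of findings for the <forms> element of a web.config fragment."""
    root = ET.fromstring(config_xml)
    # Accept a full <configuration> document or a bare <authentication> element.
    auth = root if root.tag == "authentication" else root.find(".//authentication")
    if auth is None or auth.get("mode", "").lower() != "forms":
        return ["forms authentication is not enabled; nothing to audit"]
    forms = auth.find("forms")
    attrs = dict(DEFAULTS)
    if forms is not None:
        attrs.update(forms.attrib)
    findings = []
    if attrs["requireSSL"].lower() != "true":
        findings.append("requireSSL is not true: the ticket cookie lacks the Secure "
                        "flag and can cross the network over plain HTTP")
    if attrs["protection"].lower() != "all":
        findings.append("protection=%r: the ticket is not both encrypted and "
                        "validated" % attrs["protection"])
    if attrs["cookieless"].lower() == "useuri":
        findings.append("cookieless=UseUri: the ticket travels in the URL, where "
                        "logs, history and Referer headers can expose it")
    return findings

# PAGE_CONFIG is the configuration quoted in the question.
PAGE_CONFIG = """<authentication mode="Forms">
  <forms name="MyWebApp" path="/" loginUrl="~/Default.aspx"
         timeout="30" defaultUrl="~/Default.aspx" protection="All"
         requireSSL="true" />
</authentication>"""

# WEAK_CONFIG is a constructed variant with the protective settings removed.
WEAK_CONFIG = """<configuration><system.web><authentication mode="Forms">
  <forms name="MyWebApp" loginUrl="~/Default.aspx" protection="Validation" cookieless="UseUri" />
</authentication></system.web></configuration>"""

if __name__ == "__main__":
    for name, xml in (("page", PAGE_CONFIG), ("weak", WEAK_CONFIG)):
        print(name, audit_forms_auth(xml) or "no findings")
```

A clean result only means the cookie is harder to obtain in transit; as the answer says, a copied ticket is still accepted from any machine.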