what does forms authentication protect, as opposed to using session variable

Tags:

asp.net

I'm working on an application which uses the Session variable to keep track of users, checking on the master page for its existence and otherwise knocking them out to login. I wanted to change this over to Forms Authentication as I read it was more secure and the data is encrypted.

Can someone tell me what data is actually encrypted? I tried setting up Forms Authentication on my site; it works fine, users are being tracked properly and can't access pages without logging in. However, when I look at the Request Body using Fiddler, I see all the form fields and their content. Can't a hacker use that to change the data and resubmit the request, like they would with a cookie generated from a Session variable? This application is not using SSL, so I understand SSL would encrypt the body, but I thought that's what Forms Authentication would do also. Otherwise what does it encrypt, just the Session ID in the cookie?

Here is the code I was using:

    <authentication mode="Forms">
      <forms loginUrl="default.aspx" name=".ASPXFORMSAUTH_Test" defaultUrl="home.aspx" protection="All"/>
    </authentication>
    <authorization>
      <deny users="?"/>
    </authorization>

in the login page I tried to manually create the cookie:

    FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
        1,                               // version
        txtEmail.Text,                   // user name
        DateTime.Now,                    // issue date
        DateTime.Now.AddMinutes(30),     // expiration
        false,                           // not persistent
        txtEmail.Text,                   // user data
        FormsAuthentication.FormsCookiePath);

    // Encrypt the ticket.
    string encTicket = FormsAuthentication.Encrypt(ticket);

    // Create the cookie.
    Response.Cookies.Add(new HttpCookie(FormsAuthentication.FormsCookieName, encTicket));

    // Redirect back to original URL.
    Response.Redirect(FormsAuthentication.GetRedirectUrl(txtEmail.Text, false));

I had also tried:

    FormsAuthentication.RedirectFromLoginPage(txtEmail.Text, false);

earlier, and got the same results: the request body in Fiddler shows all fields being submitted and their contents.

Paritosh asked May 14 '13 14:05

1 Answer

Switching your approach to Forms Authentication will not make it more secure. It will mean that you will be using a more standardized authentication mechanism so that it is easier to audit your software for authentication-related issues.

Also, FormsAuthentication is usually able to work even when the Session expires for the user (or the application pool recycles), since it stores the user data in an encrypted cookie with its own expiration policy.

Knaģis answered Sep 18 '22 12:09
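As an added illustration (not code from the question, the answer or ASP.NET itself), here is a Python model of what protection="All" in the question's config actually covers: only the ticket in the cookie is encrypted and MAC-protected, with its own expiration that the answer refers to, while the fields POSTed to the login page are never touched. The HMAC-based keystream, the key derivation and all ticket values are constructed stand-ins for the framework's AES and machineKey handling.

```python
import base64, hashlib, hmac, json, os, time

# Constructed demo secret; ASP.NET derives its keys from <machineKey>, not from this.
MACHINE_KEY = b"constructed-demo-key-not-a-real-secret"
ENC_KEY = hashlib.sha256(MACHINE_KEY + b"encryption").digest()
MAC_KEY = hashlib.sha256(MACHINE_KEY + b"validation").digest()

def _keystream(nonce, length):
    # HMAC counter stream used as a stand-in for the AES the framework applies.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(ENC_KEY, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def make_ticket(name, minutes=30, user_data="", now=None):
    # Same fields as the FormsAuthenticationTicket constructor used in the question.
    issued = time.time() if now is None else now
    return {"version": 1, "name": name, "issueDate": issued,
            "expiration": issued + minutes * 60, "isPersistent": False,
            "userData": user_data, "cookiePath": "/"}

def encrypt_ticket(ticket):
    # Model of FormsAuthentication.Encrypt under protection="All": encrypt, then MAC.
    plain = json.dumps(ticket, sort_keys=True).encode()
    nonce = os.urandom(16)
    body = nonce + bytes(a ^ b for a, b in zip(plain, _keystream(nonce, len(plain))))
    tag = hmac.new(MAC_KEY, body, hashlib.sha256).digest()
    return base64.b64encode(body + tag).decode()

def decrypt_ticket(cookie_value, now=None):
    # Model of FormsAuthentication.Decrypt: reject on a bad MAC, then enforce the
    # ticket's own expiration, independent of any Session state. None means rejected.
    raw = base64.b64decode(cookie_value)
    body, tag = raw[:-32], raw[-32:]
    if len(body) < 16 or not hmac.compare_digest(tag, hmac.new(MAC_KEY, body, hashlib.sha256).digest()):
        return None
    nonce, ct = body[:16], body[16:]
    ticket = json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(nonce, len(ct)))))
    current = time.time() if now is None else now
    return None if current > ticket["expiration"] else ticket

def tamper(cookie_value):
    # Flip one ciphertext byte, as editing the cookie in a proxy like Fiddler would.
    raw = bytearray(base64.b64decode(cookie_value))
    raw[20] ^= 0x01
    return base64.b64encode(bytes(raw)).decode()
```

A modified cookie fails the MAC check before anything is decrypted, and an expired ticket is rejected even if the server-side Session is still alive; the login POST body itself gains no such protection, which is the SSL gap the question notices.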