.NET Forum / ASP.NET / Security / October 2004

Forms authentication / cookies

Nils Magnus Englund - 21 Apr 2004 10:19 GMT
Hi!

I'm just curious about the use of cookies in forms authentication. The
username and roles are stored in the encrypted cookie, but if a user manages
to crack this cookie - will he be able to modify his own username and roles?
Why doesn't ASP.NET simply use an ordinary session, with nothing but a
session id to send to the client?

Sincerely,
Nils Magnus Englund
M. Burnett - 18 Oct 2004 20:14 GMT
If you use forms attribute protection="All" in the web.config, there is
little risk of someone being able to crack or modify their own cookie.
However, if a user ever obtains the machine key, they can create a valid
authentication cookie to authenticate as any user. For this reason you
should always have ASP.NET auto generate the machine key (set in
machine.config) rather than using a hard-coded key.

A related issue is that if you do not use the machine key attribute
IsolateApps in machine.config, a user could potentially create a cookie on one
web site and use that to authenticate to another on the same machine.

ASP.NET does not maintain any session information on the server, and that
definitely has an effect on security. There are problems with doing that,
however, and I'm sure the ASP.NET team made a deliberate decision to do that
based on managing all their priorities.

I cover forms authentication and session tokens extensively in my new book,
"Hacking the Code" (ISBN: 1932266658) which should be available later this
month.

Mark Burnett
Windows Server MVP - IIS

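Added example (not from the original posts): the configuration the reply above is describing, as web.config and machine.config fragments. The weak machineKey is shown beside the recommended one. The hex values in the weak fragment are deliberately obvious placeholders, not real keys, and the loginUrl and timeout values are assumed for illustration.

```xml
<!-- web.config of the application: protect the forms ticket with both
     encryption and a MAC. protection="All" is also the default, but
     stating it makes the intent visible in review. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms name=".ASPXAUTH"
             loginUrl="login.aspx"
             protection="All"
             timeout="30" />
    </authentication>
  </system.web>
</configuration>

<!-- machine.config, WEAK: a fixed key typed into the file (the hex values
     are placeholders for this example). Anyone who can read this file, a
     backup of it, or the source repository it was committed to can mint a
     valid .ASPXAUTH ticket for any username, and every application on the
     server shares the same key. -->
<machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
            decryptionKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
            validation="SHA1" />

<!-- machine.config, as recommended in the reply: ASP.NET generates the keys
     itself, and the IsolateApps modifier derives a different key per
     application, so a ticket minted for one site on the box does not
     validate on another. -->
<machineKey validationKey="AutoGenerate,IsolateApps"
            decryptionKey="AutoGenerate,IsolateApps"
            validation="SHA1" />
```

One caveat that the reply does not spell out: AutoGenerate produces a key that is local to one machine. On a web farm, or when an application must keep accepting tickets after being moved to another server, every server needs the same explicit validationKey and decryptionKey, and at that point the key is a secret in its own right and has to be protected accordingly (restrictive file ACLs, never checked into source control, rotated if it is ever exposed).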
