Authentication cookie security

Discussion in 'ASP .Net Security' started by Kirsten, Aug 13, 2009.

  1. Kirsten

    Kirsten Guest

    I'm using Form authentication with Cookies and I'm reading about replay
    attacks.
    Is there any way besides using SSL to protect the cookie?

    Comparing other systems: how does Hotmail handle this feature? For example,
    I login using SSL to read my mail but then Hotmail switches to HTTP. So,
    anyone can take my cookie and read my mail?

    Thanks a lot.
     
    Kirsten, Aug 13, 2009
    #1

  2. A good read to start with is Foundstone's ASP.NET Authentication white paper:
    http://bit.ly/10o9xL

    It has many techniques to reduce your exposure. In general, if you are using
    SSL for the cookie, it will always be passed back SSL. This is done in web
    config by setting the requireSSL to true. You should also consider setting
    protection to ALL so the actual data is protected. With the two, you have
    greatly reduced the footprint. It is also useful to avoid any user data on
    the client side, which can be done quite easily by using the Membership bits
    (even if yours are customized).

    The Foundstone white paper has suggestions on pages 9-10 to help you make
    things more secure. Using their guidelines, you should make your footprint
    small enough to avoid the casual hacker, and even most routine hackers.
    Depending on your site, this is probably enough.

    Further security? An IP address added to the session check makes an even
    smaller vector. As IPs can be spoofed, as well, it only reduces the vector.
    But making the target smaller certainly makes it harder to hit and requires
    the hacker have more experience.

    --
    Gregory A. Beamer
    MVP; MCP: +I, SE, SD, DBA

    Twitter: @gbworld
    Blog: http://gregorybeamer.spaces.live.com

    ********************************************************
    | Think outside the box! |
    ********************************************************

    "Kirsten" <> wrote in message
    news:#...
    > I'm using Form authentication with Cookies and I'm reading about replay
    > attacks.
    > Is there any way besides using SSL to protect the cookie?
    >
    > Comparing other systems: how does Hotmail handle this feature? For
    > example, I login using SSL to read my mail but then Hotmail switches to
    > HTTP. So, anyone can take my cookie and read my mail?
    >
    > Thanks a lot.
     
    Cowboy (Gregory A. Beamer), Aug 15, 2009
    #2
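    As an added illustration (not configuration from the thread or from Foundstone's paper), here are the web.config settings Gregory names, requireSSL and protection, in a weak form beside a hardened one; the loginUrl and timeout values are assumed for illustration.

```xml
<!-- Weak: the forms ticket is also sent over plain HTTP, carries only a MAC
     (no encryption), and a sliding ten-hour lifetime keeps a stolen ticket
     usable for a long time -->
<system.web>
  <authentication mode="Forms">
    <forms loginUrl="~/Login.aspx"
           requireSSL="false"
           protection="Validation"
           timeout="600"
           slidingExpiration="true" />
  </authentication>
</system.web>

<!-- Hardened: the ticket cookie is marked Secure so the browser only sends
     it over HTTPS, protection="All" encrypts and MAC-protects the ticket,
     the lifetime is a fixed 30 minutes, and all cookies are HttpOnly so
     page script cannot read them -->
<system.web>
  <authentication mode="Forms">
    <forms loginUrl="~/Login.aspx"
           requireSSL="true"
           protection="All"
           timeout="30"
           slidingExpiration="false" />
  </authentication>
  <httpCookies httpOnlyCookies="true" requireSSL="true" />
</system.web>
```

    The hardened settings only help if every page that carries the cookie is served over HTTPS; a site that drops back to HTTP after login, as Kirsten describes for Hotmail, defeats requireSSL because the browser simply withholds the cookie and the user appears logged out.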

  3. Joe Kaplan

    Joe Kaplan Guest

    > I'm using Form authentication with Cookies and I'm reading about replay
    > attacks.
    > Is there any way besides using SSL to protect the cookie?
    >

    SSL doesn't protect against replay attacks per se but instead encrypts the
    channel to make snooping by an outsider much more difficult. If the
    outsider was able to steal your forms auth cookie through another mechanism
    like a cross site scripting attack, the SSL no longer does you any good as
    the attacker will replay the cookie using SSL.

    > Comparing other systems: how does Hotmail handle this feature? For
    > example, I login using SSL to read my mail but then Hotmails switches to
    > HTTP. So, anyone can take my cookie and read my mail?
    >
    Hotmail is not protecting your cookie from snooping at all and is likely to
    have issues with replay attacks. By not using SSL consistently, they are
    essentially not taking the security of your email data very seriously.

    It is common in better-designed systems to try to add additional
    barriers to replay attacks. For example, it is common to add message
    authentication codes (MACs) to these cookies to ensure they cannot be modified
    and to also include additional data about the browser on the other end such
    as the source IP address.

    Unfortunately, clever attackers can spoof the source IP address and make the
    replay look like it came from the exact same place on the public internet
    that the original request came from. Adding source IP data to the cookie
    raises the bar but does not prevent the whole issue.

    > Thanks a lot.

    If you are serious about security for your site, you will use SSL
    exclusively. Even a simple redirect from HTTP to HTTPS makes you
    susceptible to attacks like "sslstrip" as detailed by Moxie Marlinspike in
    his recent BlackHat presentation which you can view on the web if you do
    some searches for it.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    "Kirsten" <> wrote in message
    news:%...
    > I'm using Form authentication with Cookies and I'm reading about replay
    > attacks.
    > Is there any way besides using SSL to protect the cookie?
    >
    > Comparing other systems: how does Hotmail handle this feature? For
    > example, I login using SSL to read my mail but then Hotmail switches to
    > HTTP. So, anyone can take my cookie and read my mail?
    >
    > Thanks a lot.
     
    Joe Kaplan, Aug 16, 2009
    #3
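    As an added example (not code from the thread), this is the pattern Joe describes: a ticket carrying a MAC and the client's address, with verification that rejects a modified ticket, an expired ticket, and a ticket presented from another address, while also showing the limit he points out, that a ticket stolen whole and replayed from the same address still passes. The key, user name and addresses are constructed for the demo.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Constructed demo secret; a real server generates this randomly and never sends it to clients.
SERVER_KEY = b"constructed-demo-key-not-for-production"
TAG_LEN = 32  # HMAC-SHA256 output size in bytes


def _mac(body: bytes) -> bytes:
    return hmac.new(SERVER_KEY, body, hashlib.sha256).digest()


def issue_ticket(user: str, client_ip: str, now: int, ttl: int = 1800) -> str:
    """Issue a MAC-protected ticket bound to the requesting client's address."""
    claims = {"u": user, "ip": client_ip, "exp": now + ttl}
    body = json.dumps(claims, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(body + _mac(body)).decode()


def verify_ticket(ticket: str, client_ip: str, now: int):
    """Return the user name for a valid ticket, or None if it must be rejected."""
    try:
        raw = base64.urlsafe_b64decode(ticket.encode())
    except (ValueError, binascii.Error):
        return None                       # not something this server could have issued
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    if len(tag) != TAG_LEN or not hmac.compare_digest(tag, _mac(body)):
        return None                       # forged or modified: the MAC does not match
    claims = json.loads(body)
    if claims["exp"] <= now:
        return None                       # expired: limits how long a stolen ticket stays useful
    if claims["ip"] != client_ip:
        return None                       # presented from another address: replay rejected
    # A ticket stolen intact and replayed from the bound address (or a spoofed one)
    # is accepted here; the MAC and IP check raise the bar, they do not close it.
    return claims["u"]
```

    Run the verifier with a ticket from a different address to see the binding reject it, then with the same address to see why Joe still recommends SSL everywhere and short lifetimes.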
