Hello Joseph,
Good question. Improving security in ASP.NET form authentication is a hot issue. Forms authentication is one of the most
compelling and useful new features of ASP.NET. It enables developers to declaratively specify which files on their site can
be accessed and by whom, and allows identification of a login page. When an unauthenticated user attempts to retrieve a
page protected by forms authentication, ASP.NET automatically redirects them to the login page and asks them to identify
themselves.
I suggest you refer to this article:
"An Introductory Guide to Building and Deploying More Secure Sites with ASP.NET and IIS, Part 2"
http://msdn.microsoft.com/msdnmag/issues/02/05/ASPSec2/
Included here is an overview of forms authentication and what you need to know to put it to work. Also included is hard-to-find
information on the security of cookie authentication and on combining forms authentication with role-based URL
authorizations.
Hope that helps.
Best regards,
Yanhong Huang
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
!From: "Joseph" <[email protected]>
!References: <[email protected]> <[email protected]>
!Subject: Re: authentication cookie vs session cookie
!Date: Mon, 11 Aug 2003 17:14:56 +0800
!Lines: 96
!X-Priority: 3
!X-MSMail-Priority: Normal
!X-Newsreader: Microsoft Outlook Express 6.00.2720.3000
!X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2727.1300
!Message-ID: <#F06Jk#[email protected]>
!Newsgroups: microsoft.public.dotnet.framework.aspnet.security
!NNTP-Posting-Host: 210.176.53.73
!Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP10.phx.gbl
!Xref: cpmsftngxa06.phx.gbl microsoft.public.dotnet.framework.aspnet.security:6207
!X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
!
!The reason I raised this question is that I am worried about the security
!level of using authentication cookies on the client machines. If the
!authentication cookie on a manager's machine is stolen and used on a client
!machine with lower privilege (e.g. operator's machine) on the same intranet,
!will the operator be able to access the privileges granted to the manager? I
!am assuming all the user roles information are stored in the authentication
!cookie.
!
!Thanks.
!Joseph
!
!> Hello Joseph,
!>
!> Thanks for posting here.
!>
!> Indeed. Forms authentication is a flexible, scalable and secure system for
!> doing 'cookie' authentication (effectively what you are doing when you use
!> session variables as it relies on the session cookie that ASP.NET sends to
!> the client). A big advantage is that it allows you to persist information
!> by storing it in an encrypted authentication cookie - this is much better
!> in terms of scalability than using a session variable for each user (you
!> can use it across a webfarm without significant changes).
!>
!> Another big advantage of using Forms authentication is that it slots into
!> the rest of the ASP.NET Security framework. This means that code for
!> authentication and authorization works together in a logical way and new
!> code can be slotted in really easily.
!>
!> In general, Session Cookie and Forms Auth cookie are independent and you
!> have to find the logic to achieve what you want.
!> Rather than trying to sync. these 2 timeouts, try logging out the user if
!> the session times out.
!>
!> 1. You can handle one of the events after the sessionState is hooked up and
!> check to see if the session is new and if the user is authenticated. If so,
!> call the logout method and redirect to the login page.
!> 2. Another way is to set a session variable and check on every page to see
!> if the session variable exists and also the user is authenticated. If not,
!> redirect the user to the login page by calling the LogOut method.
!>
!> Please post here if you have any more concerns.
!>
!> Best regards,
!> Yanhong Huang
!> Microsoft Online Partner Support
!>
!> Get Secure! - www.microsoft.com/security
!> This posting is provided "AS IS" with no warranties, and confers no rights.
!>
!> --------------------
!> !From: "Joseph" <[email protected]>
!> !Subject: authentication cookie vs session cookie
!> !Date: Fri, 8 Aug 2003 15:52:50 +0800
!> !Lines: 17
!> !X-Priority: 3
!> !X-MSMail-Priority: Normal
!> !X-Newsreader: Microsoft Outlook Express 6.00.2720.3000
!> !X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2727.1300
!> !Message-ID: <[email protected]>
!> !Newsgroups: microsoft.public.dotnet.framework.aspnet.security
!> !NNTP-Posting-Host: 210.176.53.73
!> !Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP12.phx.gbl
!> !Xref: cpmsftngxa06.phx.gbl microsoft.public.dotnet.framework.aspnet.security:6178
!> !X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
!> !
!> !Hi,
!> !
!> !What are the differences between authentication and session cookies? In my
!> !web.config file, I set the cookieless attribute for the sessionState element
!> !to false. Why do we need 2 different types of cookies? Is the session
!> !cookie enough for authentication purposes?
!> !
!> !I do feel uncomfortable maintaining 2 different timeouts (form
!> !authentication cookie and session) in the web.config file. Is it possible to
!> !keep both in sync (i.e. make the authentication cookie expire at the same time
!> !the session expires)?
!> !
!> !Thanks.
!> !
!> !Joseph
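The two approaches from the earlier reply (a Session_Start handler that signs out an authenticated user whose session has just been recreated, and a base page that checks a session marker on every request), written out as an added C# example; this is not code from the thread or from Microsoft. The LoginUrl value, the "LoggedIn" marker key and the ForceLogin/CompleteLogin helpers are assumptions.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

// Global.asax code-behind. Session_Start fires whenever ASP.NET creates a session,
// so a request that carries a valid forms-auth ticket but starts a new session means
// the session expired before the ticket did: sign the user out and go to login.
public class Global : HttpApplication
{
    // Assumed values; LoginUrl must match <forms loginUrl="..."> in web.config.
    public const string LoginUrl = "~/login.aspx";
    public const string SessionMarker = "LoggedIn";

    protected void Session_Start(object sender, EventArgs e)
    {
        // AuthenticateRequest runs before session state is acquired,
        // so Request.IsAuthenticated already reflects the forms-auth ticket here.
        if (Request.IsAuthenticated)
            ForceLogin(Context);
    }

    // Clears the forms-auth cookie, drops the session and redirects to the login page.
    public static void ForceLogin(HttpContext ctx)
    {
        FormsAuthentication.SignOut();
        ctx.Session.Abandon();
        ctx.Response.Redirect(LoginUrl + "?ReturnUrl=" +
                              HttpUtility.UrlEncode(ctx.Request.RawUrl));
    }

    // Called by the login page once the credentials have been verified. Storing the
    // marker is required: ASP.NET only issues the session cookie once the session holds
    // data, and without it the next request would hit Session_Start and sign out again.
    public static void CompleteLogin(HttpContext ctx, string userName)
    {
        ctx.Session[SessionMarker] = true;
        FormsAuthentication.SetAuthCookie(userName, false);   // non-persistent cookie
    }
}

// Approach 2: every protected page inherits from this class. A missing marker on an
// authenticated request means the session expired independently of the ticket.
public class SecurePage : Page
{
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        if (Request.IsAuthenticated && Session[Global.SessionMarker] == null)
            Global.ForceLogin(Context);
    }
}
```

On the login page, call Global.CompleteLogin(Context, userName) instead of calling FormsAuthentication.SetAuthCookie directly, so the session cookie and the authentication cookie are issued together.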