Jeffrey
Thinking about my application, I am worried about an exploit that I am not
proficient enough to test. Can a user take a set of roles (fully encrypted
cookie) gained by logging in on one account and pass it to another session
with a different logon? That could make an "account administrator" of a small
account an "account administrator" of a large account for which she may only
be an "account user".
If this is true, it is a major flaw in ASP.NET. I am going to attempt to
block this exploit by storing the user id with a prefix as if it is a role
and verifying that it is there. This is rather kludgy.
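The cookie transplant the post describes, and the "user id stored as a pseudo-role" check it proposes, simulated as an added example. This is not code from the post and not ASP.NET's own role-cookie implementation; it is a Python stand-in with a constructed signing key and a constructed cookie format (a base64 JSON role list plus an HMAC), so that the difference between a roles cookie that is bound to the logged-on identity and one that is not can be exercised offline. Replaying a cookie issued to the administrator of a small account inside a session logged on as an ordinary user of a large account is accepted without the binding and rejected with it:

```python
import base64
import hashlib
import hmac
import json

# Constructed server-side secret for this example only; a real deployment
# would use the framework's key material, never a literal in source.
SERVER_KEY = b"example-only-secret-key"

UID_PREFIX = "uid:"  # pseudo-role carrying the logon the cookie was issued for


def _sign(payload: bytes) -> str:
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()


def make_roles_cookie(roles, user_id=None):
    """Issue a signed roles cookie.

    If user_id is given, it is embedded as the pseudo-role 'uid:<id>', which
    is the mitigation proposed in the post. Without it the cookie only says
    which roles were granted, not to whom.
    """
    role_list = sorted(roles)
    if user_id is not None:
        role_list.append(f"{UID_PREFIX}{user_id}")
    payload = json.dumps(role_list).encode()
    body = base64.urlsafe_b64encode(payload).decode()
    return f"{body}.{_sign(payload)}"


def read_roles_cookie(cookie, session_user_id, require_uid):
    """Validate a roles cookie presented by a session logged on as
    session_user_id. Returns the role set, or None if the cookie is rejected.

    The signature check only proves the server issued the cookie; it does not
    prove it was issued for this logon. That is what the uid check adds.
    """
    try:
        body, sig = cookie.split(".", 1)
        payload = base64.urlsafe_b64decode(body)
    except (ValueError, TypeError):
        return None
    if not hmac.compare_digest(_sign(payload), sig):
        return None  # forged or tampered
    role_list = json.loads(payload)
    uids = [r[len(UID_PREFIX):] for r in role_list if r.startswith(UID_PREFIX)]
    roles = {r for r in role_list if not r.startswith(UID_PREFIX)}
    if require_uid and uids != [str(session_user_id)]:
        return None  # issued for a different logon (or not bound at all)
    return roles


def transplant_demo(require_uid):
    """Replay the post's scenario.

    A roles cookie is obtained by logging in as the administrator of a small
    account, then presented in a session whose real logon is an ordinary user
    of a large account. Returns the roles the second session would be granted.
    """
    small_admin_cookie = make_roles_cookie(
        {"account administrator"},
        user_id="small-account-admin" if require_uid else None,
    )
    return read_roles_cookie(small_admin_cookie, "large-account-user", require_uid)


if __name__ == "__main__":
    print("unbound cookie, transplanted:", transplant_demo(False))
    print("uid-bound cookie, transplanted:", transplant_demo(True))
```

The check is only as good as its reference value: `session_user_id` must come from the authenticated logon of the current session, not from anything else the client sends, or the attacker simply supplies a matching value alongside the transplanted cookie.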