Cookies question

Discussion in 'ASP .Net Security' started by Joe Fallon, Mar 22, 2005.

  1. Joe Fallon

    Joe Fallon Guest

    I use forms authentication for my app.
    After I log in successfully each request by the browser contains 2 cookies.
    One for the SessionID and one for forms authentication which contains my
    ticket.

    Can someone please explain where these cookies are stored? I think it is in
    memory in the browser but am not sure.

    Also, some users have stated that they can do the following:
    1. Start a browser, hit the site and log in.
    2. Start a 2nd browser.
    3. Hit the site.
    4. BYPASS the log in page and go directly to the Home page.

    They claim they can also close all browser sessions, start a new one and
    still Bypass the log in page.

    How is this possible?
    Why would the 2nd browser session have the cookies noted above?

    I assume once the authenctication ticket expires in 30 minutes of inactivity
    that neither scenario would be possible. They would have to re-log in first.

    Thanks for any info on this.
    --
    Joe Fallon
    Joe Fallon, Mar 22, 2005
    #1
    1. Advertising

  2. Hello Joe,

    cookie storage depends - if it is a temporary cookie it is only store in
    browser memory and delete when you shut down the process - persistent cookies
    are stored in the user profile.

    So when do you deal with persistent and when with temporary...

    a cookie that has an expiration time in the future is persisten until that
    point of time.

    In FormsAuthentication - when you use RedirectFromLoginPage - the last parameter
    is a boolean - if true the cookie is persistent (some silly timespan like
    50 years in the future), if false you will end up with a temp cookie.

    When you use persistent cookies, the behaviour with the 2nd browser window
    is like you described it

    Always use temp cookies - you don't want digital ids of your webapp stored
    on a clients machine, do you?

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > I use forms authentication for my app.
    > After I log in successfully each request by the browser contains 2
    > cookies.
    > One for the SessionID and one for forms authentication which contains
    > my
    > ticket.
    > Can someone please explain where these cookies are stored? I think it
    > is in memory in the browser but am not sure.
    >
    > Also, some users have stated that they can do the following:
    > 1. Start a browser, hit the site and log in.
    > 2. Start a 2nd browser.
    > 3. Hit the site.
    > 4. BYPASS the log in page and go directly to the Home page.
    > They claim they can also close all browser sessions, start a new one
    > and still Bypass the log in page.
    >
    > How is this possible?
    > Why would the 2nd browser session have the cookies noted above?
    > I assume once the authenctication ticket expires in 30 minutes of
    > inactivity that neither scenario would be possible. They would have to
    > re-log in first.
    >
    > Thanks for any info on this.
    >
    Dominick Baier [DevelopMentor], Mar 23, 2005
    #2
    1. Advertising

  3. Joe Fallon

    Joe Fallon Guest

    Dominick,
    Thanks for the response.

    I use temp cookies because I use code like this:
    Web.Security.FormsAuthentication.RedirectFromLoginPage(UID, False)

    I think it is related to spawning a 2nd browser session from the first by
    using Ctrl-N.
    In this case the 2nd browser instance "inherits" the in memory cookies from
    the first.

    The users were using a link to an Intranet site - maybe this link had the
    same effect by spawning a 2nd instance from the first somehow.

    I guess what I don't understand is how they can close all browser instances
    and then click this link and still bypass the log in page. If the cookie is
    temporary and in memory, isn't it destroyed when browser is closed?
    Or is it really stored on disk somewhere until it expires? (I could not find
    it and a re-boot makes it disappear.)

    Thanks for any more input.

    --
    Joe Fallon



    "Dominick Baier [DevelopMentor]" <>
    wrote in message news:...
    > Hello Joe,
    >
    > cookie storage depends - if it is a temporary cookie it is only store in
    > browser memory and delete when you shut down the process - persistent

    cookies
    > are stored in the user profile.
    >
    > So when do you deal with persistent and when with temporary...
    >
    > a cookie that has an expiration time in the future is persisten until that
    > point of time.
    >
    > In FormsAuthentication - when you use RedirectFromLoginPage - the last

    parameter
    > is a boolean - if true the cookie is persistent (some silly timespan like
    > 50 years in the future), if false you will end up with a temp cookie.
    >
    > When you use persistent cookies, the behaviour with the 2nd browser window
    > is like you described it
    >
    > Always use temp cookies - you don't want digital ids of your webapp stored
    > on a clients machine, do you?
    >
    > ---------------------------------------
    > Dominick Baier - DevelopMentor
    > http://www.leastprivilege.com
    >
    > > I use forms authentication for my app.
    > > After I log in successfully each request by the browser contains 2
    > > cookies.
    > > One for the SessionID and one for forms authentication which contains
    > > my
    > > ticket.
    > > Can someone please explain where these cookies are stored? I think it
    > > is in memory in the browser but am not sure.
    > >
    > > Also, some users have stated that they can do the following:
    > > 1. Start a browser, hit the site and log in.
    > > 2. Start a 2nd browser.
    > > 3. Hit the site.
    > > 4. BYPASS the log in page and go directly to the Home page.
    > > They claim they can also close all browser sessions, start a new one
    > > and still Bypass the log in page.
    > >
    > > How is this possible?
    > > Why would the 2nd browser session have the cookies noted above?
    > > I assume once the authenctication ticket expires in 30 minutes of
    > > inactivity that neither scenario would be possible. They would have to
    > > re-log in first.
    > >
    > > Thanks for any info on this.
    > >

    >
    >
    >
    Joe Fallon, Mar 23, 2005
    #3
  4. Hello Joe,

    if you can close down all browser windows and with a new one bypass the login
    then you _have_ to have some peristence going on. this is the only explanation
    - maybe somehting with you session cookie??

    check your code and inspect the http communication by using a tool like fiddler
    (www.fiddlertool.com).

    HTH

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > Dominick,
    > Thanks for the response.
    > I use temp cookies because I use code like this:
    > Web.Security.FormsAuthentication.RedirectFromLoginPage(UID, False)
    > I think it is related to spawning a 2nd browser session from the first
    > by
    > using Ctrl-N.
    > In this case the 2nd browser instance "inherits" the in memory cookies
    > from
    > the first.
    > The users were using a link to an Intranet site - maybe this link had
    > the same effect by spawning a 2nd instance from the first somehow.
    >
    > I guess what I don't understand is how they can close all browser
    > instances
    > and then click this link and still bypass the log in page. If the
    > cookie is
    > temporary and in memory, isn't it destroyed when browser is closed?
    > Or is it really stored on disk somewhere until it expires? (I could
    > not find
    > it and a re-boot makes it disappear.)
    > Thanks for any more input.
    >
    > "Dominick Baier [DevelopMentor]"
    > <> wrote in message
    > news:...
    >
    >> Hello Joe,
    >>
    >> cookie storage depends - if it is a temporary cookie it is only store
    >> in browser memory and delete when you shut down the process -
    >> persistent
    >>

    > cookies
    >
    >> are stored in the user profile.
    >>
    >> So when do you deal with persistent and when with temporary...
    >>
    >> a cookie that has an expiration time in the future is persisten until
    >> that point of time.
    >>
    >> In FormsAuthentication - when you use RedirectFromLoginPage - the
    >> last
    >>

    > parameter
    >
    >> is a boolean - if true the cookie is persistent (some silly timespan
    >> like 50 years in the future), if false you will end up with a temp
    >> cookie.
    >>
    >> When you use persistent cookies, the behaviour with the 2nd browser
    >> window is like you described it
    >>
    >> Always use temp cookies - you don't want digital ids of your webapp
    >> stored on a clients machine, do you?
    >>
    >> ---------------------------------------
    >> Dominick Baier - DevelopMentor
    >> http://www.leastprivilege.com
    >>> I use forms authentication for my app.
    >>> After I log in successfully each request by the browser contains 2
    >>> cookies.
    >>> One for the SessionID and one for forms authentication which
    >>> contains
    >>> my
    >>> ticket.
    >>> Can someone please explain where these cookies are stored? I think
    >>> it
    >>> is in memory in the browser but am not sure.
    >>> Also, some users have stated that they can do the following:
    >>> 1. Start a browser, hit the site and log in.
    >>> 2. Start a 2nd browser.
    >>> 3. Hit the site.
    >>> 4. BYPASS the log in page and go directly to the Home page.
    >>> They claim they can also close all browser sessions, start a new one
    >>> and still Bypass the log in page.
    >>> How is this possible?
    >>> Why would the 2nd browser session have the cookies noted above?
    >>> I assume once the authenctication ticket expires in 30 minutes of
    >>> inactivity that neither scenario would be possible. They would have
    >>> to
    >>> re-log in first.
    >>> Thanks for any info on this.
    >>>
    Dominick Baier [DevelopMentor], Mar 24, 2005
    #4
  5. Speaking of tools for debugging HTTP, also check out IEHttpHeaders. It
    doesn't do as much as Fiddler, but it works over SSL (which Fiddler doesn't
    the last time I checked) and does show you cookies info (since they are
    headers). This is one of my favorite tools these days.

    Joe K.

    "Dominick Baier [DevelopMentor]" <>
    wrote in message news:...
    > Hello Joe,
    >
    > if you can close down all browser windows and with a new one bypass the
    > login then you _have_ to have some peristence going on. this is the only
    > explanation - maybe somehting with you session cookie??
    >
    > check your code and inspect the http communication by using a tool like
    > fiddler (www.fiddlertool.com).
    >
    > HTH
    >
    > ---------------------------------------
    > Dominick Baier - DevelopMentor
    > http://www.leastprivilege.com
    >
    >> Dominick,
    >> Thanks for the response.
    >> I use temp cookies because I use code like this:
    >> Web.Security.FormsAuthentication.RedirectFromLoginPage(UID, False)
    >> I think it is related to spawning a 2nd browser session from the first
    >> by
    >> using Ctrl-N.
    >> In this case the 2nd browser instance "inherits" the in memory cookies
    >> from
    >> the first.
    >> The users were using a link to an Intranet site - maybe this link had
    >> the same effect by spawning a 2nd instance from the first somehow.
    >>
    >> I guess what I don't understand is how they can close all browser
    >> instances
    >> and then click this link and still bypass the log in page. If the
    >> cookie is
    >> temporary and in memory, isn't it destroyed when browser is closed?
    >> Or is it really stored on disk somewhere until it expires? (I could
    >> not find
    >> it and a re-boot makes it disappear.)
    >> Thanks for any more input.
    >>
    >> "Dominick Baier [DevelopMentor]"
    >> <> wrote in message
    >> news:...
    >>
    >>> Hello Joe,
    >>>
    >>> cookie storage depends - if it is a temporary cookie it is only store
    >>> in browser memory and delete when you shut down the process -
    >>> persistent
    >>>

    >> cookies
    >>
    >>> are stored in the user profile.
    >>>
    >>> So when do you deal with persistent and when with temporary...
    >>>
    >>> a cookie that has an expiration time in the future is persisten until
    >>> that point of time.
    >>>
    >>> In FormsAuthentication - when you use RedirectFromLoginPage - the
    >>> last
    >>>

    >> parameter
    >>
    >>> is a boolean - if true the cookie is persistent (some silly timespan
    >>> like 50 years in the future), if false you will end up with a temp
    >>> cookie.
    >>>
    >>> When you use persistent cookies, the behaviour with the 2nd browser
    >>> window is like you described it
    >>>
    >>> Always use temp cookies - you don't want digital ids of your webapp
    >>> stored on a clients machine, do you?
    >>>
    >>> ---------------------------------------
    >>> Dominick Baier - DevelopMentor
    >>> http://www.leastprivilege.com
    >>>> I use forms authentication for my app.
    >>>> After I log in successfully each request by the browser contains 2
    >>>> cookies.
    >>>> One for the SessionID and one for forms authentication which
    >>>> contains
    >>>> my
    >>>> ticket.
    >>>> Can someone please explain where these cookies are stored? I think
    >>>> it
    >>>> is in memory in the browser but am not sure.
    >>>> Also, some users have stated that they can do the following:
    >>>> 1. Start a browser, hit the site and log in.
    >>>> 2. Start a 2nd browser.
    >>>> 3. Hit the site.
    >>>> 4. BYPASS the log in page and go directly to the Home page.
    >>>> They claim they can also close all browser sessions, start a new one
    >>>> and still Bypass the log in page.
    >>>> How is this possible?
    >>>> Why would the 2nd browser session have the cookies noted above?
    >>>> I assume once the authenctication ticket expires in 30 minutes of
    >>>> inactivity that neither scenario would be possible. They would have
    >>>> to
    >>>> re-log in first.
    >>>> Thanks for any info on this.
    >>>>

    >
    >
    >
    Joe Kaplan \(MVP - ADSI\), Mar 24, 2005
    #5
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Alex Nitulescu

    Response.Cookies vs Request.Cookies

    Alex Nitulescu, Feb 3, 2005, in forum: ASP .Net
    Replies:
    1
    Views:
    8,456
    Hans Kesting
    Feb 3, 2005
  2. Andy Fish
    Replies:
    3
    Views:
    6,505
    Fredrik Lindner
    Nov 6, 2003
  3. user
    Replies:
    3
    Views:
    649
    =?ISO-8859-1?Q?G=F6ran_Andersson?=
    Mar 31, 2007
  4. archana
    Replies:
    1
    Views:
    499
  5. _Who
    Replies:
    7
    Views:
    2,635
Loading...

Share This Page