Forms authentication / cookies

Discussion in 'ASP .Net Security' started by Nils Magnus Englund, Apr 21, 2004.

  1. Hi!

    I'm just curious about the use of cookies in forms authentication. The
    username and roles are stored in the encrypted cookie, but if a user manages
    to crack this cookie - will he be able to modify his own username and roles?
    Why doesn't ASP.NET simply use an ordinary session, with nothing but a
    session id to send to the client?


    Sincerely,
    Nils Magnus Englund
     
    Nils Magnus Englund, Apr 21, 2004
    #1

  2. M. Burnett Guest

    If you use forms attribute protection="All" in the web.config, there is
    little risk of someone being able to crack or modify their own cookie.
    However, if a user ever obtains the machine key, they can create a valid
    authentication cookie to authenticate as any user. For this reason you
    should always have ASP.NET auto generate the machine key (set in
    machine.config) rather than using a hard-coded key.

    A related issue is that if you do not use the machine key attribute
    IsolateApps in machine.config, a user could potentially create a cookie on
    one web site and use that to authenticate to another on the same machine.

    ASP.NET does not maintain any session information on the server, and that
    definitely has an effect on security. There are problems with doing that,
    however, and I'm sure the ASP.NET team made a deliberate decision to do that
    based on managing all their priorities.

    I cover forms authentication and session tokens extensively in my new book,
    "Hacking the Code" (ISBN: 1932266658) which should be available later this
    month.


    Mark Burnett
    Windows Server MVP - IIS


    "Nils Magnus Englund" <> wrote in message
    news:...
    > Hi!
    >
    > I'm just curious about the use of cookies in forms authentication. The
    > username and roles are stored in the encrypted cookie, but if a user manages
    > to crack this cookie - will he be able to modify his own username and roles?
    > Why doesn't ASP.NET simply use an ordinary session, with nothing but a
    > session id to send to the client?
    >
    >
    > Sincerely,
    > Nils Magnus Englund
    >
    >
     
    M. Burnett, Apr 21, 2006
    #2
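    To make the settings in the reply above concrete, here is a web.config
    fragment added as an illustration; it is not code from either post. It
    shows the weak configuration (a hard-coded, shared key, here an obviously
    fake placeholder) next to the recommended one: protection="All" on the
    forms element so the ticket is both encrypted and MAC-validated, and
    AutoGenerate,IsolateApps on the machineKey so each application on the box
    gets its own key and a ticket minted for one site is rejected by another.

```xml
<!-- Added example, not from the thread. Values are constructed for illustration. -->
<configuration>
  <system.web>

    <!-- WEAK: the forms ticket is only encrypted, not MAC-validated (protection="Encryption"),
         and the key is hard-coded. Anyone who reads this file, a backup, or a shared
         deployment image can forge a ticket for any username. -->
    <!--
    <authentication mode="Forms">
      <forms name=".ASPXAUTH" loginUrl="login.aspx" protection="Encryption" timeout="30" />
    </authentication>
    <machineKey validationKey="PLACEHOLDER_HARDCODED_VALIDATION_KEY"
                decryptionKey="PLACEHOLDER_HARDCODED_DECRYPTION_KEY"
                validation="SHA1" />
    -->

    <!-- RECOMMENDED: protection="All" encrypts the ticket AND signs it, so a client who
         flips bytes in the cookie gets a decryption/validation failure rather than a
         changed username or role list. -->
    <authentication mode="Forms">
      <forms name=".ASPXAUTH" loginUrl="login.aspx" protection="All" timeout="30" />
    </authentication>

    <!-- AutoGenerate: ASP.NET creates a random key per machine instead of one you typed in.
         IsolateApps: the key is further derived per application, so a ticket issued by
         /SiteA is not valid for /SiteB on the same server. -->
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="SHA1" />

  </system.web>
</configuration>
```

    One caveat a practitioner should keep in mind: AutoGenerate only works
    when a single machine issues and validates the tickets. In a web farm every
    server must share an explicit key, so there the answer is a strong random
    key stored outside the web root with tight file permissions, not a key
    pasted into a config file that ships with the application.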
