How to Expire an Authentication Ticket Manually

Discussion in 'ASP .Net' started by Ali, Jan 28, 2004.

  1. Ali

    Ali Guest

    Our security people have been able to copy and use the FormsAuthentication
    cookie. Our Authentication cookie is based on an encrypted ticket and we use
    FormsAuthentication.SignOut() when users log out or kill their session, but
    apparently the secure ticket does not get removed from the server by
    FormsAuthentication.SignOut().

    We have been able to time-out the ticket on the server, but we need to be
    able to remove the ticket at any time.

    This is our logout procedure:

    FormsAuthentication.SignOut()
    Session.Abandon()
    Response.Redirect("Autheticate.aspx")

    Thanks
     
    Ali, Jan 28, 2004
    #1

  2. Martin

    Martin Guest

    Maybe this helps:
    RedirectFromLoginPage([some username], booleanvalue)

    When the booleanvalue is set to true, a persistent cookie will be created on
    the client.

    I guess you should set it to false.

    Martin, Jan 28, 2004
    #2

  3. Ali

    Ali Guest

    The problem is not related to redirection. These guys are copying the
    Authentication cookie and sending it later on with a different request to the
    web site, and they can get in. I want to be able to remove the
    Authentication ticket from the server where it is cached.

    Thanks.

    Ali, Jan 28, 2004
    #3
  4. Hermit Dave

    Hermit Dave Guest

    How about if you appended the session id and did a compare of the session id
    from the ticket and the current session id?
    (Wouldn't work if the same browser window was used... i.e. if I remember
    correctly ASP.NET recycles the session id and continues to use it for the
    current instance.)

    Or even if you manually opened the cookie and overwrote the ticket with
    some junk?

    --
    Regards,
    HD
    Once a Geek.... Always a Geek

    Hermit Dave, Jan 28, 2004
    #4
  5. Ali

    Ali Guest

    Good idea about binding the session id to the authentication cookie, but the
    problem is that the session id can also be hijacked along with the
    authentication cookie.

    Ali

    Ali, Jan 29, 2004
    #5
  6. Jerry III

    Jerry III Guest

    The cookie is the ticket. If you tell the client to delete it and they don't
    (or have a copy somewhere else), there's nothing you can do. You can only set
    the ticket to be valid during a specific time period, but you will never be
    able to prevent this type of attack. You can make it harder by using SSL for
    your requests, but it still will not stop someone from copying the cookie if
    they have access to the original browser (which you said they did).

    Why did you post this in a csharp group? Apparently you're using VB.
    Why did you post this in webservices group?
    Why did you post this in a mobile group?
    Why did you post this in a caching group?
    Do you actually think that posting in more groups will result in more
    answers?

    Jerry

    Jerry III, Jan 29, 2004
    #6
  7. Hermit Dave

    Hermit Dave Guest

    How about creating a random value and encrypting it... store the value in the
    cookie and in the database (in a table like user logs).
    With the request coming in, check the value in session to see if the value is
    present... and is equal...
    On log out you can set the session variable to null and you can set the
    database value to expired = 1 (if you have a column as bit).

    --
    Regards,
    HD
    Once a Geek.... Always a Geek

    Hermit Dave, Jan 29, 2004
    #7
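Jerry's point in #6 (the cookie is the ticket, and SignOut() only tells the browser to discard it) and Hermit Dave's suggestion in #7 (a per-login random value kept server-side and marked expired on logout) together describe the usual fix: keep a server-side registry of live logins and check it on every request, so a copied cookie stops working the moment its owner logs out. The block below is an added example written for this page, not code from the thread or from the original poster, showing that pattern for ASP.NET Forms Authentication in C#. It assumes System.Web on .NET Framework 4.x with forms authentication enabled in web.config; the names TicketRegistry, RevocableFormsAuth and RevocableFormsAuthModule are hypothetical, and the in-memory dictionary stands in for the database table the thread mentions.

```csharp
// Added example for this thread (not the original poster's code): revocable Forms
// Authentication tickets. Assumes System.Web on .NET Framework 4.x with
// <authentication mode="Forms"> in web.config. TicketRegistry, RevocableFormsAuth and
// RevocableFormsAuthModule are hypothetical names chosen for this example.
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Web;
using System.Web.Security;

// Stand-in for the "user logs" table suggested in the thread: one entry per login,
// keyed by a random token that travels inside the ticket's UserData. A real deployment
// keeps this in a database so it survives app-pool recycles and is shared across a farm.
public static class TicketRegistry
{
    private static readonly ConcurrentDictionary<string, string> Active =
        new ConcurrentDictionary<string, string>(StringComparer.Ordinal); // token -> user

    // Mint a 256-bit random token for a fresh login and record who owns it.
    public static string Issue(string userName)
    {
        var bytes = new byte[32];
        using (var rng = new RNGCryptoServiceProvider()) { rng.GetBytes(bytes); }
        string token = Convert.ToBase64String(bytes);
        Active[token] = userName;
        return token;
    }

    // True only while the login has not been revoked and the ticket's name matches.
    public static bool IsActive(string token, string userName)
    {
        string owner;
        return !string.IsNullOrEmpty(token)
            && Active.TryGetValue(token, out owner)
            && string.Equals(owner, userName, StringComparison.Ordinal);
    }

    // Logout (or an administrator) removes the entry; every copy of the cookie dies with it.
    public static void Revoke(string token)
    {
        string ignored;
        if (!string.IsNullOrEmpty(token)) { Active.TryRemove(token, out ignored); }
    }
}

public static class RevocableFormsAuth
{
    // Login: build the ticket by hand so UserData can carry the registry token.
    // Non-persistent cookie, HttpOnly, and Secure whenever requireSSL is configured.
    public static void SignIn(HttpResponse response, string userName, int lifetimeMinutes)
    {
        string token = TicketRegistry.Issue(userName);
        var ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.AddMinutes(lifetimeMinutes),
            false, token);
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;
        cookie.Secure = FormsAuthentication.RequireSSL;
        cookie.Path = FormsAuthentication.FormsCookiePath;
        response.Cookies.Add(cookie);
    }

    // Logout: FormsAuthentication.SignOut() only emits an expired Set-Cookie; the ticket
    // stays cryptographically valid until its expiration. Revoking the token is what
    // actually ends the login, including for any copy of the cookie taken earlier.
    public static void SignOut(HttpContext ctx)
    {
        FormsAuthenticationTicket ticket = CurrentTicket(ctx);
        if (ticket != null) { TicketRegistry.Revoke(ticket.UserData); }
        FormsAuthentication.SignOut();
        if (ctx.Session != null) { ctx.Session.Abandon(); }
    }

    public static FormsAuthenticationTicket CurrentTicket(HttpContext ctx)
    {
        var identity = ctx.User == null ? null : ctx.User.Identity as FormsIdentity;
        return identity == null ? null : identity.Ticket;
    }
}

// Runs after FormsAuthenticationModule has decrypted and accepted the cookie, and rejects
// tickets whose token is no longer in the registry. Register it in web.config under
// <system.webServer><modules> (assumed, not shown). Session state is not yet available
// at this stage, so the check relies on the ticket and the registry alone.
public class RevocableFormsAuthModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        app.PostAuthenticateRequest += delegate(object sender, EventArgs e)
        {
            HttpContext ctx = ((HttpApplication)sender).Context;
            FormsAuthenticationTicket ticket = RevocableFormsAuth.CurrentTicket(ctx);
            if (ticket == null) { return; }               // anonymous request
            if (!TicketRegistry.IsActive(ticket.UserData, ticket.Name))
            {
                FormsAuthentication.SignOut();            // clear the stale cookie
                ctx.Response.Redirect(FormsAuthentication.LoginUrl, true);
            }
        };
    }

    public void Dispose() { }
}
```

Because the token sits inside the encrypted, MAC-protected ticket, a copied cookie still carries it; once SignOut has revoked that token, the module rejects the copy on its next request even though the ticket is unexpired and decrypts cleanly. Keep the registry in a database rather than process memory on a web farm, and do not read Session from the module, since PostAuthenticateRequest fires before session state is acquired.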
  8. Ali

    Ali Guest

    Thanks for your expert advice Jerry, but the question is still posed - why
    does FormsAuthentication.SignOut() NOT work?

    As far as your questions are concerned, I am language-agnostic - I go
    between C#, Java and VB without any difficulty. Maybe this is due to my
    human language capabilities too. Not to brag, but I also read, write and
    speak three (3) languages fluently.
    As for cross-posting, the answer is YES. I initially posted this question
    on the security newsgroup, but did not get an answer, and I have not checked
    yet, but as of yesterday I still did not get a response from
    aspnet.security. I know the providers of news.microsoft.com hate it when
    people like me cross-post, but cross-posting actually works and it helps me
    get quicker help.

    Ali, Jan 29, 2004
    #8
