Security Exploit (FormsAuthentication.SignOut()) Does not Work


Ali

Our security people have been able to copy and use the FormsAuthentication
cookie. Our authentication cookie is based on an encrypted ticket and we use
FormsAuthentication.SignOut() when users log out or kill their session, but
apparently the secure ticket does not get removed from the server by
FormsAuthentication.SignOut().

We have been able to time-out the ticket on the server, but we need to be
able to remove the ticket at any time.

This is our logout procedure:

FormsAuthentication.SignOut()          ' tells the browser to discard the auth cookie
Session.Abandon()                      ' ends the server-side session
Response.Redirect("Autheticate.aspx")  ' back to the login page

Thanks

Ali
 

Keith

Don't persist the ticket and your problem will be solved. Dig through your code and look for the line similar to:

Dim authTicket As FormsAuthenticationTicket = New FormsAuthenticationTicket( _
    1, "Some user", DateTime.Now, DateTime.Now.AddMinutes(20), False, "")

Notice the false in the 4th parameter. That false means to not store the ticket in a cookie on the user's machine.

Good luck.
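The problem described in the opening post comes from the fact that FormsAuthentication.SignOut() only instructs the browser to discard the cookie; the server keeps no record of issued tickets, so a copied ticket remains accepted until its expiry time. The example below is added here and is not code from this thread: it keeps a server-side deny list keyed by a random id stored in the ticket's UserData, so a ticket can be rejected the moment the user logs out. It assumes ASP.NET Web Forms on the .NET Framework with forms authentication configured; the class name TicketRevocation and its methods are hypothetical.

```csharp
using System;
using System.Runtime.Caching;
using System.Web;
using System.Web.Security;

// Added example, not code from this thread. Assumes ASP.NET Web Forms on the
// .NET Framework with forms authentication; TicketRevocation is a hypothetical name.
public static class TicketRevocation
{
    // In-process deny list of revoked ticket ids; a web farm needs a shared store.
    private static readonly MemoryCache Revoked = MemoryCache.Default;

    // Issue a non-persistent ticket whose UserData carries a random id, so this
    // specific ticket (not just the user name) can be revoked later.
    public static HttpCookie Issue(string userName, int minutes)
    {
        var ticket = new FormsAuthenticationTicket(1, userName, DateTime.Now,
            DateTime.Now.AddMinutes(minutes), false, Guid.NewGuid().ToString("N"));
        return new HttpCookie(FormsAuthentication.FormsCookieName,
            FormsAuthentication.Encrypt(ticket)) { HttpOnly = true, Secure = true };
    }

    // Logout: deny-list the id until the ticket would have expired on its own,
    // then clear the cookie. SignOut() by itself only asks the browser to drop it.
    public static void Logout(HttpRequest request)
    {
        FormsAuthenticationTicket ticket = Read(request);
        if (ticket != null)
            Revoked.Add("revoked:" + ticket.UserData, true, ticket.Expiration);
        FormsAuthentication.SignOut();
    }

    // Run from Application_PostAuthenticateRequest in Global.asax: a replayed copy
    // of a revoked, expired or tampered ticket is rejected here.
    public static bool IsRevoked(HttpRequest request)
    {
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null) return false;           // anonymous request, nothing to check
        FormsAuthenticationTicket ticket = Read(request);
        if (ticket == null || ticket.Expired) return true;
        return Revoked.Contains("revoked:" + ticket.UserData);
    }

    private static FormsAuthenticationTicket Read(HttpRequest request)
    {
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return null;
        try { return FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { return null; }         // undecryptable cookie: treat as invalid
    }
}
```

In Global.asax, Application_PostAuthenticateRequest calls IsRevoked(Request) and, when it returns true, calls FormsAuthentication.SignOut() followed by FormsAuthentication.RedirectToLoginPage(); the logout page replaces the first line of the procedure in the opening post with TicketRevocation.Logout(Request) and keeps Session.Abandon() and the redirect.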