Can a user use a role from one identity on a different identity

J

Jeffrey

Thinking about my application, I am worried about an exploit that I am not
proficient enough to test. Can a user use a set of roles (fully encrypted
cookie) gained by logging in on one account and pass it to another session
with a different logon. That could make an "account administrator" of a small
account an "account administrator" of a large account for which she may only
be an "account user".

If this is true, it is a major flaw in asp.net. I am going to attempt to
block this exploit by storing the user id with a prefix as if it is a role
and verify that it is there. This is rather kludgy.
 
J

Joe Kaplan

In a web app where cookies are used as a security mechanism, if those
cookies are somehow stolen and can be reused by someone else, the thief can
generally impersonate the user. That's one of the things that makes cross
site scripting so dangerous.

This danger is common to all web apps that use cookies and is not an issue
specific to ASP.NET.

The thing to think about is the different ways that a someone might be able
to steal someone else's cookies. It could be cross site scripting or it
could be by snooping on the network traffic. You can fight both of those by
coding your app to avoid XSS attacks and using SSL to prevent snooping on
the wire.

If you are worried about one user just giving another user their cookies,
there isn't a lot you can do about that. They would probably just give the
user their password instead as that is much easier.

Joe K.
 
J

Jeffrey

Actually, what I am worried about is the same user who has two different
logins. It would not be hard for MS to include the user id in the role cookie
and verify that it matches the users authentication cookie, but I do not see
any evidence that they do that. Before I converted to ASP.net 2.0 providers,
this was not an issue because I stuffed the roles into the authorization
cookie and they could not be seperated.

-- Jeffrey
 
J

Joe Kaplan

It reissues the role cookie when you log in though, so if you had a previous
cookie, it would get overwritten. I don't see an issue with that
necessarily.

I don't know if they have anything inside the data in the cookie that
attempts to match it with the authentication info to ensure if they are a
match or not though. If you are concerned about whether or not that
happens, you would need to do some more investigation.

Joe K.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Application Pool identity account to reflect logged on user 0
Hi, I am a webflow user. I am looking for CSS code that can KEEP ALL ELEMENTS POSITIONED in the SAME spot across all resolutions 0
Problem with a login script, SESSION user rights and put this together so it works with the other pages and MySQL. Code examples. 2
AzMan Role provider 1
machine.config process identity problem 0
Problerms with iFrames and user identity 7
Need role based access on a DAO 4
Web Service Identity 5

Members online

No members online now.
Total: 24 (members: 0, guests: 24)
Robots: 451

Forum statistics

Threads
473,769
Messages
2,569,580
Members
45,054
Latest member
TrimKetoBoost

Latest Threads

Top