Forms authentication / cookies
username and roles are stored in the encrypted cookie, but if a user manages
to crack this cookie - will he be able to modify his own username and roles?
Why doesn't ASP.NET simply use an ordinary session, with nothing but a
session id to send to the client?
Nils Magnus Englund
Re: Forms authentication / cookies
If you use forms attribute protection="All" in the web.config, there is
little risk of someone being able to crack or modify their own cookie.
However, if a user ever obtains the machine key, they can create a valid
authentication cookie to authenticate as any user. For this reason you
should always have ASP.NET auto generate the machine key (set in
machine.config) rather than using a hard-coded key.
A related issue is that if you do not use the machine key attribute
IsolateApps in machine.config, a user could potentially create a cookie on
web site and use that to authenticate to another on the same machine.
ASP.NET does not maintain any session information on the server, and that
definitely has an effect on security. There are problems with doing that,
however, and I'm sure the ASP.NET team made a deliberate decision to do that
based on managing all their priorites.
I cover forms authentication and session tokens extensively in my new book,
"Hacking the Code" (ISBN: 1932266658) which should be available later this
Windows Server MVP - IIS
"Nils Magnus Englund" <email@example.com> wrote in message
> username and roles are stored in the encrypted cookie, but if a user
> to crack this cookie - will he be able to modify his own username and
> Why doesn't ASP.NET simply use an ordinary session, with nothing but a
> session id to send to the client?
> Nils Magnus Englund
|All times are GMT. The time now is 04:12 AM.|
Powered by vBulletin®. Copyright ©2000 - 2014, vBulletin Solutions, Inc.
SEO by vBSEO ©2010, Crawlability, Inc.