Velocity Reviews - Computer Hardware Reviews

How to Expire an Authentication Ticket Manually

 
 
Ali
01-28-2004
Our security people have been able to copy and use the FormsAuthentication
cookie. Our authentication cookie is based on an encrypted ticket and we use
FormsAuthentication.SignOut() when users log out or kill their session, but
apparently the secure ticket does not get removed from the server by
FormsAuthentication.SignOut().

We have been able to time-out the ticket on the server, but we need to be
able to remove the ticket at any time.

This is our logout procedure:

FormsAuthentication.SignOut()
Session.Abandon()
Response.Redirect("Autheticate.aspx")

Thanks


 
Martin
01-28-2004
Maybe this helps:
RedirectFromLoginPage([some username], booleanvalue)

When the booleanvalue is set to true, a persistent cookie will be created on
the client.

I guess you should set it to false.

Ali
01-28-2004
The problem is not related to redirection. These guys are copying the
authentication cookie and sending it later on with a different request to the
web site, and they can get in. I want to be able to remove the
authentication ticket from the server where it is cached.

Thanks.

Hermit Dave
01-28-2004
How about if you appended the session id and did a compare of the session id from
the ticket and the current session id?
(Wouldn't work if the same browser window was used... i.e., if I remember
correctly, ASP.NET recycles the session id and continues to use it for the
current instance.)

Or even if you manually opened the cookie and overwrote the ticket with
some junk?

--
Regards,
HD
Once a Geek.... Always a Geek
Ali
01-29-2004
Good idea about binding the session id to the authentication cookie, but the
problem is that the session id can also be hijacked along with the authentication
cookie.

Ali
Jerry III
01-29-2004
The cookie is the ticket. If you tell the client to delete it and they don't
(or have a copy somewhere else) there's nothing you can do. You can only set
the ticket to be valid during a specific time period but you will never be
able to prevent this type of attack. You can make it harder by using SSL for
your requests but it still will not stop someone from copying the cookie if
they have access to the original browser (which you said they did).

Why did you post this in a csharp group? Apparently you're using VB.
Why did you post this in a webservices group?
Why did you post this in a mobile group?
Why did you post this in a caching group?
Do you actually think that posting in more groups will result in more
answers?

Jerry

Hermit Dave
01-29-2004
How about creating a random value and encrypting it... store the value in the
cookie and in the database (in a table like user logs).
When a request comes in, check the value in session to see if the value is
present... and is equal...
On log out you can set the session variable to null and you can set the
database value to expired = 1 (if you have a column as bit).

--
Regards,
HD
Once a Geek.... Always a Geek
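The server-side revocation that HD sketches above, written up as an added C# example (not code from anyone in the thread): the ticket's UserData carries a random id, the server keeps the set of ids that are still live, and logout deletes the id, so a copied cookie is rejected on its next use even though it still decrypts and has not expired. It assumes .NET 2.0 or later (for HttpCookie.HttpOnly) and uses an in-memory HashSet as a stand-in for the database table.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Web;
using System.Web.Security;
public static class RevocableFormsAuth
{
    // Constructed in-memory stand-in for the "user logs" table; a web farm needs a real database.
    private static readonly HashSet<string> LiveTicketIds = new HashSet<string>();
    private static readonly object Gate = new object();

    // Issue a ticket whose UserData carries a random id that is also recorded server-side.
    public static HttpCookie Issue(string userName, TimeSpan lifetime)
    {
        var idBytes = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(idBytes);
        string ticketId = Convert.ToBase64String(idBytes);
        lock (Gate) LiveTicketIds.Add(ticketId);
        // isPersistent = false: the cookie lives only for the browser session.
        var ticket = new FormsAuthenticationTicket(1, userName, DateTime.Now,
            DateTime.Now.Add(lifetime), false, ticketId);
        return new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                         // not readable by script
            Secure = FormsAuthentication.RequireSSL  // sent only over TLS when configured
        };
    }

    // Run on every request (Application_AuthenticateRequest). Returns the ticket only if it
    // decrypts, is unexpired AND its id is still live; a copied-then-revoked cookie fails the last test.
    public static FormsAuthenticationTicket Validate(HttpRequest request)
    {
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return null;
        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { return null; }   // Decrypt throws on a malformed or tampered value
        if (ticket == null || ticket.Expired) return null;
        lock (Gate) return LiveTicketIds.Contains(ticket.UserData) ? ticket : null;
    }

    // Logout: revoke server-side first, then the client-side cleanup from the thread.
    public static void Revoke(HttpContext ctx)
    {
        FormsAuthenticationTicket ticket = Validate(ctx.Request);
        if (ticket != null) lock (Gate) LiveTicketIds.Remove(ticket.UserData);
        FormsAuthentication.SignOut();
        if (ctx.Session != null) ctx.Session.Abandon();
    }
}
```

When Validate returns null the request must be treated as anonymous (clear the cookie and redirect to the login page); the revocation only helps if the check runs on every authenticated request, not just at logout.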
Ali
01-29-2004
Thanks for your expert advice Jerry, but the question is still posed - why
does FormsAuthentication.SignOut() NOT work?

As far as your questions are concerned, I am language-agnostic - I go
between C#, Java and VB without any difficulty. Maybe this is due to my
human language capabilities too. Not to brag, but I also read, write and
speak three (3) languages fluently.
As for cross-posting, the answer is YES. I initially posted this question
on the security newsgroup, but did not get an answer; I have not checked
yet, but as of yesterday I still did not get a response from
aspnet.security. I know the providers of news.microsoft.com hate it when
people like me cross-post, but cross-posting actually works and it helps me
get quicker help.


