«

Our security people have been able to copy and use the FormsAuthentication
cookie. Our Authetication cookie is based on an encrypted ticket and we use
FormsAuthentication.SignOut() when users loggout or kill their session, but
apparently the secure ticket does not get removed from the server by
FormsAuthetication.SignOut().

We have been able to time-out the ticket on the server, but we need to be
able to remove the ticket at any time.

This is our logout procedure:

FormsAuthetication.SignOut()
Session.Abandon()
Response.Redirect("Autheticate.aspx")

Thanks

Maybe this helps:
RedirectFromLoginPage([some usersname], booleanvalue)

When the booleanvalue is set to true, a persistant cookie will be created on
the client.

I guess you should set it to false.





"Ali" <> schreef in bericht
news:#...
> Our security people have been able to copy and use the FormsAuthentication
> cookie. Our Authetication cookie is based on an encrypted ticket and we
use
> FormsAuthentication.SignOut() when users loggout or kill their session,
but
> apparently the secure ticket does not get removed from the server by
> FormsAuthetication.SignOut().
>
> We have been able to time-out the ticket on the server, but we need to be
> able to remove the ticket at any time.
>
> This is our logout procedure:
>
> FormsAuthetication.SignOut()
> Session.Abandon()
> Response.Redirect("Autheticate.aspx")
>
> Thanks
>
>

The problem is not related to redirection. These guys are copying the
Authentication cookie and send it later on with a different request to the
web site and they can get in. I want to be able to remove the
Authentication ticket from the server where it is cached.

Thanks.

"Martin" <> wrote in message
news:4018427c$0$89908$...
> Maybe this helps:
> RedirectFromLoginPage([some usersname], booleanvalue)
>
> When the booleanvalue is set to true, a persistant cookie will be created
on
> the client.
>
> I guess you should set it to false.
>
>
>
>
>
> "Ali" <> schreef in bericht
> news:#...
> > Our security people have been able to copy and use the
FormsAuthentication
> > cookie. Our Authetication cookie is based on an encrypted ticket and we
> use
> > FormsAuthentication.SignOut() when users loggout or kill their session,
> but
> > apparently the secure ticket does not get removed from the server by
> > FormsAuthetication.SignOut().
> >
> > We have been able to time-out the ticket on the server, but we need to
be
> > able to remove the ticket at any time.
> >
> > This is our logout procedure:
> >
> > FormsAuthetication.SignOut()
> > Session.Abandon()
> > Response.Redirect("Autheticate.aspx")
> >
> > Thanks
> >
> >
>
>

how bout if you appended the session id and do a compare of session id from
the ticket and the current session id ?
(wouldn't work if the same browser window was used... ie if i remember
correctly asp.net recycles the session id and continues to use it for
current instance.)

or even if you manually opened the cookie and over wrote the ticket with
some junk ?

--
Regards,
HD
Once a Geek.... Always a Geek
"Ali" <> wrote in message
news:...
> The problem is not related to redirection. These guys are copying the
> Authentication cookie and send it later on with a different request to the
> web site and they can get in. I want to be able to remove the
> Authentication ticket from the server where it is cached.
>
> Thanks.
>
> "Martin" <> wrote in message
> news:4018427c$0$89908$...
>> Maybe this helps:
>> RedirectFromLoginPage([some usersname], booleanvalue)
>>
>> When the booleanvalue is set to true, a persistant cookie will be created
> on
>> the client.
>>
>> I guess you should set it to false.
>>
>>
>>
>>
>>
>> "Ali" <> schreef in bericht
>> news:#...
>> > Our security people have been able to copy and use the
> FormsAuthentication
>> > cookie. Our Authetication cookie is based on an encrypted ticket and
>> > we
>> use
>> > FormsAuthentication.SignOut() when users loggout or kill their session,
>> but
>> > apparently the secure ticket does not get removed from the server by
>> > FormsAuthetication.SignOut().
>> >
>> > We have been able to time-out the ticket on the server, but we need to
> be
>> > able to remove the ticket at any time.
>> >
>> > This is our logout procedure:
>> >
>> > FormsAuthetication.SignOut()
>> > Session.Abandon()
>> > Response.Redirect("Autheticate.aspx")
>> >
>> > Thanks
>> >
>> >
>>
>>
>
>

Good idea about binding the session id to the authentication cookie, but the
problem is that the session id can also be hijacked along the authentication
cookie.

Ali
"Hermit Dave" <> wrote in message
news:...
> how bout if you appended the session id and do a compare of session id
from
> the ticket and the current session id ?
> (wouldn't work if the same browser window was used... ie if i remember
> correctly asp.net recycles the session id and continues to use it for
> current instance.)
>
> or even if you manually opened the cookie and over wrote the ticket with
> some junk ?
>
> --
> Regards,
> HD
> Once a Geek.... Always a Geek
> "Ali" <> wrote in message
> news:...
> > The problem is not related to redirection. These guys are copying the
> > Authentication cookie and send it later on with a different request to
the
> > web site and they can get in. I want to be able to remove the
> > Authentication ticket from the server where it is cached.
> >
> > Thanks.
> >
> > "Martin" <> wrote in message
> > news:4018427c$0$89908$...
> >> Maybe this helps:
> >> RedirectFromLoginPage([some usersname], booleanvalue)
> >>
> >> When the booleanvalue is set to true, a persistant cookie will be
created
> > on
> >> the client.
> >>
> >> I guess you should set it to false.
> >>
> >>
> >>
> >>
> >>
> >> "Ali" <> schreef in bericht
> >> news:#...
> >> > Our security people have been able to copy and use the
> > FormsAuthentication
> >> > cookie. Our Authetication cookie is based on an encrypted ticket and
> >> > we
> >> use
> >> > FormsAuthentication.SignOut() when users loggout or kill their
session,
> >> but
> >> > apparently the secure ticket does not get removed from the server by
> >> > FormsAuthetication.SignOut().
> >> >
> >> > We have been able to time-out the ticket on the server, but we need
to
> > be
> >> > able to remove the ticket at any time.
> >> >
> >> > This is our logout procedure:
> >> >
> >> > FormsAuthetication.SignOut()
> >> > Session.Abandon()
> >> > Response.Redirect("Autheticate.aspx")
> >> >
> >> > Thanks
> >> >
> >> >
> >>
> >>
> >
> >
>
>

The cookie is the ticket. If you tell the client to delete it and they don't
(or have a copy somewhere else) there's nothing you can do. You can only set
the ticket to be valid during a specific time period but you will never be
able to prevent this type of attack. You can make it harder by using SSL for
your requests but it still will not stop someone from copying the cookie if
they have access to the original browser (which you said they did).

Why did you post this in a csharp group? Apparently you're using VB.
Why did you post this in webservices group?
Why did you post this in a mobile group?
Why did you post this in a caching group?
Do you actually think that posting in more groups will result in more
answers?

Jerry

"Ali" <> wrote in message
news:#...
> Our security people have been able to copy and use the FormsAuthentication
> cookie. Our Authetication cookie is based on an encrypted ticket and we
use
> FormsAuthentication.SignOut() when users loggout or kill their session,
but
> apparently the secure ticket does not get removed from the server by
> FormsAuthetication.SignOut().
>
> We have been able to time-out the ticket on the server, but we need to be
> able to remove the ticket at any time.
>
> This is our logout procedure:
>
> FormsAuthetication.SignOut()
> Session.Abandon()
> Response.Redirect("Autheticate.aspx")
>
> Thanks
>
>

how about creating a randon value and encrypting it... store the value in
cookie and in the database (in a table like user logs)
with the request coming in check the value in session to see if the value is
present... and is equal...
on log out you can set the session variable to null and you can set the
database value to expired = 1 (if you have a column as bit)

--
Regards,
HD
Once a Geek.... Always a Geek
"Ali" <> wrote in message
news:%...
> Good idea about binding the session id to the authentication cookie, but
> the
> problem is that the session id can also be hijacked along the
> authentication
> cookie.
>
> Ali
> "Hermit Dave" <> wrote in message
> news:...
>> how bout if you appended the session id and do a compare of session id
> from
>> the ticket and the current session id ?
>> (wouldn't work if the same browser window was used... ie if i remember
>> correctly asp.net recycles the session id and continues to use it for
>> current instance.)
>>
>> or even if you manually opened the cookie and over wrote the ticket with
>> some junk ?
>>
>> --
>> Regards,
>> HD
>> Once a Geek.... Always a Geek
>> "Ali" <> wrote in message
>> news:...
>> > The problem is not related to redirection. These guys are copying the
>> > Authentication cookie and send it later on with a different request to
> the
>> > web site and they can get in. I want to be able to remove the
>> > Authentication ticket from the server where it is cached.
>> >
>> > Thanks.
>> >
>> > "Martin" <> wrote in message
>> > news:4018427c$0$89908$...
>> >> Maybe this helps:
>> >> RedirectFromLoginPage([some usersname], booleanvalue)
>> >>
>> >> When the booleanvalue is set to true, a persistant cookie will be
> created
>> > on
>> >> the client.
>> >>
>> >> I guess you should set it to false.
>> >>
>> >>
>> >>
>> >>
>> >>
>> >> "Ali" <> schreef in bericht
>> >> news:#...
>> >> > Our security people have been able to copy and use the
>> > FormsAuthentication
>> >> > cookie. Our Authetication cookie is based on an encrypted ticket
>> >> > and
>> >> > we
>> >> use
>> >> > FormsAuthentication.SignOut() when users loggout or kill their
> session,
>> >> but
>> >> > apparently the secure ticket does not get removed from the server by
>> >> > FormsAuthetication.SignOut().
>> >> >
>> >> > We have been able to time-out the ticket on the server, but we need
> to
>> > be
>> >> > able to remove the ticket at any time.
>> >> >
>> >> > This is our logout procedure:
>> >> >
>> >> > FormsAuthetication.SignOut()
>> >> > Session.Abandon()
>> >> > Response.Redirect("Autheticate.aspx")
>> >> >
>> >> > Thanks
>> >> >
>> >> >
>> >>
>> >>
>> >
>> >
>>
>>
>
>

Thanks for your expert advise Jerry, but the question is still posed - why
FormsAuthentication.SignOut() does NOT work?

As far as your questions are concerned, I am language-agnostics - I go
between c#, java and vb without any difficulty. May be this is due to my
human language capabilities too. Not to brag, but I also read, write and
speak three (3) languages; fluently.
As for cross-posting, the answer is YES. I initially posted this question
on the security news group, but did not get an answer and I have not checked
yet but as of yesterday, I still did not get a response from
aspnet.security. I know the providers of news.microsoft.com hate it when
people like me cross-post, but cross-posting actually works and it helps me
get quicker help.



"Jerry III" <> wrote in message
news:#...
> The cookie is the ticket. If you tell the client to delete it and they
don't
> (or have a copy somewhere else) there's nothing you can do. You can only
set
> the ticket to be valid during a specific time period but you will never be
> able to prevent this type of attack. You can make it harder by using SSL
for
> your requests but it still will not stop someone from copying the cookie
if
> they have access to the original browser (which you said they did).
>
> Why did you post this in a csharp group? Apparently you're using VB.
> Why did you post this in webservices group?
> Why did you post this in a mobile group?
> Why did you post this in a caching group?
> Do you actually think that posting in more groups will result in more
> answers?
>
> Jerry
>
> "Ali" <> wrote in message
> news:#...
> > Our security people have been able to copy and use the
FormsAuthentication
> > cookie. Our Authetication cookie is based on an encrypted ticket and we
> use
> > FormsAuthentication.SignOut() when users loggout or kill their session,
> but
> > apparently the secure ticket does not get removed from the server by
> > FormsAuthetication.SignOut().
> >
> > We have been able to time-out the ticket on the server, but we need to
be
> > able to remove the ticket at any time.
> >
> > This is our logout procedure:
> >
> > FormsAuthetication.SignOut()
> > Session.Abandon()
> > Response.Redirect("Autheticate.aspx")
> >
> > Thanks
> >
> >
>
>