Authentication cookie security

 
 
Kirsten
08-13-2009
I'm using Form authentication with Cookies and I'm reading about replay
attacks.
Is there any way besides using SSL to protect the cookie?

Comparing other systems: how does Hotmail handle this feature? For example,
I login using SSL to read my mail but then Hotmails switches to HTTP. So,
anyone can take my cookie and read my mail?

Thanks a lot.

 
Cowboy (Gregory A. Beamer)
08-15-2009
A good read to start with is Foundstone's ASP.NET Authentication white paper:
http://bit.ly/10o9xL

It has many techniques to reduce your exposure. In general, if you are using
SSL for the cookie, it will always be passed back over SSL. This is done in
web.config by setting requireSSL to true. You should also consider setting
protection to All so the actual data is protected. With the two, you have
greatly reduced the footprint. It is also useful to avoid any user data on
the client side, which can be done quite easily by using the Membership bits
(even if yours are customized).

The Foundstone white paper has suggestions on pages 9-10 to help you make
things more secure. Using their guidelines, you should make your footprint
small enough to avoid the casual hacker, and even most routine hackers.
Depending on your site, this is probably enough.

Further security? An IP address added to the session check makes an even
smaller vector. As IPs can be spoofed, as well, it only reduces the vector.
But making the target smaller certainly makes it harder to hit and requires
the hacker have more experience.

--
Gregory A. Beamer
MVP; MCP: +I, SE, SD, DBA

Twitter: @gbworld
Blog: http://gregorybeamer.spaces.live.com

Think outside the box!

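The two web.config settings named in the reply above (requireSSL and protection), written out as an added example fragment; it is not taken from the post or from the Foundstone paper, and the cookie name, login page and timeout are placeholders chosen for illustration:

```xml
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- requireSSL="true": the forms ticket cookie is issued with the Secure
           flag, so the browser only sends it over HTTPS and a plain-HTTP page
           (the Hotmail pattern in the question) never carries it.
           protection="All": the ticket is encrypted AND signed (MAC) with the
           machineKey, so a captured cookie cannot be decoded or altered.
           slidingExpiration="false" with a short timeout bounds how long a
           stolen ticket remains usable; sliding expiry would let a replaying
           attacker keep it alive indefinitely. -->
      <forms name=".EXAMPLEAUTH"
             loginUrl="~/Login.aspx"
             requireSSL="true"
             protection="All"
             slidingExpiration="false"
             timeout="30" />
    </authentication>
    <!-- Apply the same Secure requirement to every other cookie the site sets,
         and keep them out of reach of script (the cross-site-scripting theft
         path Joe mentions below). -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>
</configuration>
```

With requireSSL="true" the runtime also refuses to honour the ticket on a non-SSL request, so every page that needs the login must be served over HTTPS; mixing HTTP pages into the authenticated area simply logs the user out there.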
 
Joe Kaplan
      08-16-2009
> I'm using Form authentication with Cookies and I'm reading about replay
> attacks.
> Is there any way besides using SSL to protect the cookie?
>


SSL doesn't protect against replay attacks per se but instead encrypts the
channel to make snooping by an outsider much more difficult. If the
outsider was able to steal your forms auth cookie through another mechanism
like a cross-site scripting attack, the SSL no longer does you any good as
the attacker will replay the cookie using SSL.

> Comparing other systems: how does Hotmail handle this feature? For
> example, I login using SSL to read my mail but then Hotmails switches to
> HTTP. So, anyone can take my cookie and read my mail?
>


Hotmail is not protecting your cookie from snooping at all and is likely to
have issues with replay attacks. By not using SSL consistently, they are
essentially not taking the security of your email data very seriously.

It is common in systems that are more well-designed to try to add additional
barriers to replay attacks. For example, it is common to add message
authentication codes (MACs) to these cookies to ensure they cannot be modified
and to also include additional data about the browser on the other end such
as the source IP address.

Unfortunately, clever attackers can spoof the source IP address and make the
replay look like it came from the exact same place on the public internet
that the original request came from. Adding source IP data to the cookie
raises the bar but does not prevent the whole issue.

> Thanks a lot.


If you are serious about security for your site, you will use SSL
exclusively. Even a simple redirect from HTTP to HTTPS makes you
susceptible to attacks like "sslstrip" as detailed by Moxie Marlinspike in
his recent BlackHat presentation which you can view on the web if you do
some searches for it.


--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net

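A toy version of the scheme Joe describes above (a MAC over the ticket plus the client's source IP folded in), added here as an example in Python; it is not ASP.NET's own ticket format and not code from either reply. The key, the fixed clock value, the usernames and the 203.0.113.x / 198.51.100.x addresses are all constructed for the demo. The last case shows the limit Joe points out: a replay that spoofs the original source address is accepted, because the server has nothing else to tell the two apart.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed server-side secret for this example only; an ASP.NET site keeps
# the equivalent in the <machineKey> validationKey, never in source.
SERVER_KEY = b"example-only-validation-key-0123456789"


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(payload: bytes, key: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()


def issue_cookie(username, client_ip, now=None, ttl=1800, key=SERVER_KEY):
    """Build a ticket bound to an expiry and the client's source IP, then MAC it.
    Cookie layout: base64url(json payload) + "." + base64url(HMAC-SHA256)."""
    now = int(time.time()) if now is None else now
    payload = json.dumps({"u": username, "exp": now + ttl, "ip": client_ip},
                         separators=(",", ":"), sort_keys=True).encode()
    return _b64e(payload) + "." + _b64e(_mac(payload, key))


def validate_cookie(cookie, client_ip, now=None, key=SERVER_KEY):
    """Return (username, "ok") or (None, reason).
    The MAC is checked before anything in the payload is trusted."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, tag_b64 = cookie.split(".", 1)
        payload, tag = _b64d(payload_b64), _b64d(tag_b64)
    except (ValueError, TypeError):
        return None, "malformed"
    # Constant-time comparison: a plain == on the tag leaks timing.
    if not hmac.compare_digest(_mac(payload, key), tag):
        return None, "bad mac"
    ticket = json.loads(payload)
    if now >= ticket["exp"]:
        return None, "expired"
    if ticket["ip"] != client_ip:
        return None, "ip mismatch"
    return ticket["u"], "ok"


def forge_without_key(cookie, new_username):
    """What an attacker holding a stolen cookie but not the key can try:
    rewrite the payload and keep the old tag. The MAC check rejects it."""
    payload_b64, tag_b64 = cookie.split(".", 1)
    ticket = json.loads(_b64d(payload_b64))
    ticket["u"] = new_username
    forged = json.dumps(ticket, separators=(",", ":"), sort_keys=True).encode()
    return _b64e(forged) + "." + tag_b64


if __name__ == "__main__":
    t0 = 1_250_000_000  # fixed clock so the run is reproducible
    cookie = issue_cookie("kirsten", "203.0.113.5", now=t0)
    # Legitimate use from the address the ticket was issued to.
    print(validate_cookie(cookie, "203.0.113.5", now=t0 + 60))
    # Tampering without the key is caught by the MAC.
    print(validate_cookie(forge_without_key(cookie, "admin"), "203.0.113.5", now=t0 + 60))
    # A stolen cookie replayed from a different address is refused.
    print(validate_cookie(cookie, "198.51.100.9", now=t0 + 60))
    # ...but a replay that spoofs the original source address looks identical
    # to the real client; IP binding raises the bar without closing the hole.
    print(validate_cookie(cookie, "203.0.113.5", now=t0 + 60))
    # A fixed expiry is what finally bounds the replay window.
    print(validate_cookie(cookie, "203.0.113.5", now=t0 + 1801))
```

In ASP.NET terms, protection="All" already gives you the MAC (and encryption) over the ticket via the machineKey; the source-IP binding is something you would add yourself, for example by storing the address in the ticket's UserData and comparing it on each request, with the same spoofing caveat Joe gives.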

 