Joseph #1
authentication cookie vs session cookie
Hi,
What are the differences between authentication and session cookies? In my web.config file, I set the cookieless attribute of the sessionState element to false. Why do we need two different types of cookies? Is the session cookie enough for authentication purposes?
I do feel uncomfortable maintaining two different timeouts (forms authentication cookie and session) in the web.config file. Is it possible to keep both in sync (i.e. make the authentication cookie expire at the same time the session expires)?
Thanks.
Joseph
-
Michal A. Valasek #2
Re: authentication cookie vs session cookie
| What are the differences between authentication and session cookies? In my web.config file, I set the cookieless attribute of the sessionState element to false. Why do we need two different types of cookies? Is the session cookie enough for authentication purposes?
Authentication and session cookies should be different so that you can use these features independently. Most of my applications use authentication but have session state disabled. Having one solution would force everyone using Forms Authentication to use sessions too.
| I do feel uncomfortable maintaining two different timeouts (forms authentication cookie and session) in the web.config file. Is it possible to keep both in sync (i.e. make the authentication cookie expire at the same time the session expires)?
You can set the timeouts for login and session state to the same value.
--
Michal A. Valasek, Altair Communications, [url]http://www.altaircom.net[/url]
Please do not reply to this e-mail, for contact see [url]http://www.rider.cz[/url]
-
Yan-Hong Huang[MSFT] #3
RE: authentication cookie vs session cookie
Hello Joseph,
Thanks for posting here.
Indeed. Forms authentication is a flexible, scalable and secure system for doing 'cookie' authentication (effectively what you are doing when you use session variables, as that relies on the session cookie that ASP.NET sends to the client). A big advantage is that it allows you to persist information by storing it in an encrypted authentication cookie; this is much better in terms of scalability than using a session variable for each user (you can use it across a web farm without significant changes).
Another big advantage of using Forms authentication is that it slots into the rest of the ASP.NET security framework. This means that code for authentication and authorization works together in a logical way, and new code can be slotted in really easily.
In general, the session cookie and the Forms Auth cookie are independent, and you have to find the logic to achieve what you want.
Rather than trying to sync these two timeouts, try logging out the user if the session times out.
1. You can handle one of the events after the sessionState is hooked up and check to see if the session is new and if the user is authenticated. If so, call the logout method and redirect to the login page.
2. Another way is to set a session variable and check on every page to see if the session variable exists and also that the user is authenticated. If not, redirect the user to the login page by calling the LogOut method.
Please post here if you have any more concerns.
Best regards,
Yanhong Huang
Microsoft Online Partner Support
Get Secure! - [url]www.microsoft.com/security[/url]
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
!From: "Joseph" <joseph@bluefield.com.hk>
!Subject: authentication cookie vs session cookie
!Date: Fri, 8 Aug 2003 15:52:50 +0800
!Newsgroups: microsoft.public.dotnet.framework.aspnet.security
!Message-ID: <eCgSSIYXDHA.384@TK2MSFTNGP12.phx.gbl>
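Putting Michal's suggestion (the same timeout in both places) and Yanhong's two options together, as an added example that is not part of the thread: a Global.asax that signs the user out whenever a valid forms ticket arrives with a brand-new session, or with a session that lacks the marker the login page wrote. The web.config values, the "LoginUser" session key and the MarkSessionAsLoggedIn helper are assumptions made for the illustration; it assumes System.Web on .NET Framework 2.0 or later.

```csharp
// Global.asax.cs for an ASP.NET Web Forms application (System.Web, .NET
// Framework 2.0 or later). Added example, not code from the thread.
//
// Assumed web.config, with both timeouts set to the same value. Note that a
// sliding forms ticket is only renewed once half its lifetime has elapsed, so
// it can still lapse a little before the session does; the handler below makes
// the session the authoritative lifetime in the other direction.
//
//   <authentication mode="Forms">
//     <forms name=".ASPXAUTH" loginUrl="Login.aspx" timeout="20" slidingExpiration="true" />
//   </authentication>
//   <sessionState mode="InProc" cookieless="false" timeout="20" />
using System;
using System.Web;
using System.Web.Security;
using System.Web.SessionState;

public class Global : HttpApplication
{
    private const string LoginMarkerKey = "LoginUser";   // hypothetical key name

    // Call this from the login page just before FormsAuthentication.RedirectFromLoginPage.
    // ASP.NET 2.0+ does not send a session ID cookie for a session that stays
    // empty (unless Global.asax defines Session_Start), so without a marker
    // IsNewSession would be true on every request and the check below would
    // sign out every user immediately.
    public static void MarkSessionAsLoggedIn(HttpSessionState session, string userName)
    {
        session[LoginMarkerKey] = userName;
    }

    // Fires after the session has been attached to the request, so both
    // Context.Session and Context.User are populated at this point.
    protected void Application_PostAcquireRequestState(object sender, EventArgs e)
    {
        HttpSessionState session = Context.Session;
        // Handlers that do not opt into session state (static files, .axd
        // resources) have no session object; nothing to enforce for them.
        if (session == null)
            return;

        bool authenticated = Context.User != null && Context.User.Identity.IsAuthenticated;
        if (!authenticated)
            return;

        // A valid forms ticket arriving with a new session, or with a session
        // that has no login marker, means ASP.NET_SessionId expired or was
        // dropped while .ASPXAUTH survived. Treat it as the session timing out:
        // discard the ticket and send the user back to the login page.
        if (session.IsNewSession || session[LoginMarkerKey] == null)
        {
            session.Abandon();
            FormsAuthentication.SignOut();
            FormsAuthentication.RedirectToLoginPage();   // does not end the response by itself
            CompleteRequest();                           // so stop the pipeline explicitly
        }
    }
}
```

The check covers Yanhong's first option (IsNewSession) and second option (a session variable) in one place, without repeating it on every page. It only keeps the two lifetimes aligned; it does nothing to make either cookie harder to steal, and the session ID cookie is just as much a bearer token as the forms ticket.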
-
Joseph #4
Re: authentication cookie vs session cookie
The reason I raised this question is that I am worried about the security level of using authentication cookies on the client machines. If the authentication cookie on a manager's machine is stolen and used on a client machine with lower privilege (e.g. an operator's machine) on the same intranet, will the operator be able to access the privileges granted to the manager? I am assuming all the user role information is stored in the authentication cookie.
Thanks.
Joseph
"Yan-Hong Huang[MSFT]" <yhhuang@online.microsoft.com> wrote in message
news:2VKAdj9XDHA.1544@cpmsftngxa06.phx.gbl...
-
Yan-Hong Huang[MSFT] #5
Re: authentication cookie vs session cookie
Hello Joseph,
Good question. Improving security in ASP.NET forms authentication is a hot issue. Forms authentication is one of the most compelling and useful new features of ASP.NET. It enables developers to declaratively specify which files on their site can be accessed and by whom, and allows identification of a login page. When an unauthenticated user attempts to retrieve a page protected by forms authentication, ASP.NET automatically redirects them to the login page and asks them to identify themselves.
I suggest you refer to this article:
"An Introductory Guide to Building and Deploying More Secure Sites with ASP.NET and IIS, Part 2"
[url]http://msdn.microsoft.com/msdnmag/issues/02/05/ASPSec2/[/url]
Included here is an overview of forms authentication and what you need to know to put it to work. Also included is hard-to-find
information on the security of cookie authentication and on combining forms authentication with role-based URL
authorizations.
Hope that helps.
Best regards,
Yanhong Huang
Microsoft Online Partner Support
Get Secure! - [url]www.microsoft.com/security[/url]
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
!From: "Joseph" <joseph@bluefield.com.hk>
!References: <eCgSSIYXDHA.384@TK2MSFTNGP12.phx.gbl> <2VKAdj9XDHA.1544@cpmsftngxa06.phx.gbl>
!Subject: Re: authentication cookie vs session cookie
!Date: Mon, 11 Aug 2003 17:14:56 +0800
!Newsgroups: microsoft.public.dotnet.framework.aspnet.security
!Message-ID: <#F06Jk#XDHA.536@TK2MSFTNGP10.phx.gbl>
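Joseph's scenario (roles carried in the ticket, cookie lifted from the manager's machine and replayed from the operator's), worked through as an added example that is not from the thread or from the linked article. Roles are written into the ticket's UserData at login and read back into a GenericPrincipal in Application_AuthenticateRequest. The BuildAuthCookie helper, the UserData layout and the address-binding check are assumptions made for the illustration; it assumes System.Web on .NET Framework 2.0 or later with the default <forms protection="All">. The point it shows: the ticket is encrypted and MAC'd with the machineKey, so a client cannot read or alter the roles, but nothing in it records who is presenting it, so a stolen cookie does carry the manager's roles until it expires or is signed out. Binding the ticket to the address it was issued to is one check for the intranet case.

```csharp
// Global.asax.cs, added example (not from the thread). Assumes System.Web on
// .NET Framework 2.0 or later and the default <forms protection="All">, i.e.
// the ticket is encrypted and MAC-signed with the machineKey.
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    // Called by the login page after the credentials check passes. 'roles'
    // would come from the application's user store; here they are passed in.
    // The role list and the issuing client's address ride inside UserData.
    // (Hypothetical helper; the thread shows no login code.)
    public static HttpCookie BuildAuthCookie(HttpRequest request, string userName,
                                             string[] roles, int timeoutMinutes)
    {
        // Layout assumed for this example: "role1,role2|issuingAddress"
        string userData = string.Join(",", roles) + "|" + request.UserHostAddress;
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.AddMinutes(timeoutMinutes),
            false /* not persistent: the cookie dies with the browser */, userData,
            FormsAuthentication.FormsCookiePath);

        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                           FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;                          // keep page script away from it
        cookie.Secure = FormsAuthentication.RequireSSL;  // follows requireSSL="true" in web.config
        cookie.Path = FormsAuthentication.FormsCookiePath;
        return cookie;                                   // caller adds it to Response.Cookies
    }

    // By the time this runs, FormsAuthenticationModule has already checked the
    // MAC, decrypted the ticket and set Context.User to a FormsIdentity. A
    // tampered or wrongly-keyed cookie never gets this far: the user stays anonymous.
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        if (Context.User == null || !Context.User.Identity.IsAuthenticated)
            return;
        FormsIdentity identity = Context.User.Identity as FormsIdentity;
        if (identity == null)
            return;

        FormsAuthenticationTicket ticket = identity.Ticket;
        string[] parts = ticket.UserData.Split('|');
        string[] roles = parts[0].Length == 0 ? new string[0] : parts[0].Split(',');
        string issuedTo = parts.Length > 1 ? parts[1] : string.Empty;

        // Encryption and the MAC stop a client from reading or editing the
        // roles, but the cookie is still a bearer credential: whoever presents
        // it gets those roles. That is the stolen-cookie case from the thread.
        // Tying the ticket to the address it was issued to rejects replay from
        // another host on the intranet. Caveat: it misfires behind NAT or a
        // proxy that rewrites the source address, so use it only where client
        // addresses are stable.
        if (issuedTo != Request.UserHostAddress)
        {
            FormsAuthentication.SignOut();
            Context.User = new GenericPrincipal(new GenericIdentity(string.Empty), new string[0]);
            return;   // request continues as anonymous; URL authorization denies it
        }

        // Roles are now visible to <authorization> rules and User.IsInRole().
        Context.User = new GenericPrincipal(identity, roles);
    }
}
```

Beyond the address check, the levers that actually shrink the damage from a stolen ticket are the ones set at issue time: HttpOnly and Secure on the cookie, a non-persistent ticket with a short timeout, and calling FormsAuthentication.SignOut when the user logs out. None of them stops a cookie that is already in an attacker's hands from working until it expires.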