Nils Magnus Englund #1
Forms authentication / cookies
Hi!
I'm just curious about the use of cookies in forms authentication. The
username and roles are stored in the encrypted cookie, but if a user manages
to crack this cookie - will he be able to modify his own username and roles?
Why doesn't ASP.NET simply use an ordinary session, with nothing but a
session id to send to the client?
Sincerely,
Nils Magnus Englund
M. Burnett #2
Re: Forms authentication / cookies
If you use forms attribute protection="All" in the web.config, there is
little risk of someone being able to crack or modify their own cookie.
However, if a user ever obtains the machine key, they can create a valid
authentication cookie to authenticate as any user. For this reason you
should always have ASP.NET auto generate the machine key (set in
machine.config) rather than using a hard-coded key.
A related issue is that if you do not use the machine key attribute
IsolateApps in machine.config, a user could potentially create a cookie on
one web site and use that to authenticate to another on the same machine.
ASP.NET does not maintain any session information on the server, and that
definitely has an effect on security. There are problems with doing that,
however, and I'm sure the ASP.NET team made a deliberate decision to do that
based on managing all their priorities.
I cover forms authentication and session tokens extensively in my new book,
"Hacking the Code" (ISBN: 1932266658) which should be available later this
month.
Mark Burnett
Windows Server MVP - IIS
"Nils Magnus Englund" <nils.magnus.englund@orkfin.no> wrote in message
news:Oe8Z5G4JEHA.3184@TK2MSFTNGP10.phx.gbl...
> Hi!
>
> I'm just curious about the use of cookies in forms authentication. The
> username and roles are stored in the encrypted cookie, but if a user manages
> to crack this cookie - will he be able to modify his own username and roles?
> Why doesn't ASP.NET simply use an ordinary session, with nothing but a
> session id to send to the client?
>
> Sincerely,
> Nils Magnus Englund
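The configuration the reply recommends, as an added example that is not part of the original post: the weak form it warns against (hard-coded key shared across applications, unprotected ticket) beside the hardened form (AutoGenerate plus IsolateApps, protection="All"). The key strings in the weak block are placeholders; the machineKey element is shown at application level here, while the reply places it in machine.config.

```xml
<!-- WEAK: a hard-coded machine key that every application on the server
     shares, and a forms ticket that is neither encrypted nor signed.
     Anyone who obtains this key can mint a ticket for any user, and a
     ticket minted for one site is accepted by the others. -->
<configuration>
  <system.web>
    <machineKey
      validationKey="PLACEHOLDER_HARDCODED_VALIDATION_KEY"
      decryptionKey="PLACEHOLDER_HARDCODED_DECRYPTION_KEY"
      validation="SHA1" />
    <authentication mode="Forms">
      <forms name=".ASPXAUTH" loginUrl="login.aspx" protection="None" />
    </authentication>
  </system.web>
</configuration>

<!-- HARDENED: let ASP.NET generate the key, derive a distinct key per
     application (IsolateApps), and both encrypt and sign the ticket so a
     tampered cookie fails validation instead of being trusted. -->
<configuration>
  <system.web>
    <machineKey
      validationKey="AutoGenerate,IsolateApps"
      decryptionKey="AutoGenerate,IsolateApps"
      validation="SHA1" />
    <authentication mode="Forms">
      <forms name=".ASPXAUTH" loginUrl="login.aspx" protection="All" timeout="30" />
    </authentication>
  </system.web>
</configuration>
```

AutoGenerate produces a key specific to each server, so tickets issued on one node of a web farm will not validate on another; a farm needs an explicit key that is identical on every node and kept out of source control, with IsolateApps still scoping it per application.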