Is there another way to do ASP.Net forms authentication that is already built and verified?

Like many people, I went with ASP.Net Forms Authentication because it was already written, and writing our own security code was generally a bad idea for us.

With the current problems with ASP.Net, I think this may be the right time to look for alternatives.

From what I understand, Microsoft typically stores things on the client side because it simplifies working on server farms without requiring database calls.

I don't like server farms anyway, and I would just like to have an opaque cookie that reflects my distrust of callers.

Is there a decent solution that has already been proven?

Update: to clarify my question. I am talking about the front-end part, the forms authentication token itself, which I would like to replace. The back end is pretty easy to replace: you can implement the interfaces to store your users and roles however you like. You can also use existing libraries such as http://www.memberprotect.net/ , which was mentioned here.

I want to change the front end of the process to use a token that does not give the client any leverage. Keeping the existing back-end infrastructure would be useful, but not essential.

+4
4 answers

I am working on an HttpModule that basically does what you are looking for. When the FormsAuthenticationCookie and FormsAuthenticationTicket are created, before the response is sent to the client (i.e. during postback processing on the login page / action), all the information about the cookie and the ticket is stored on the server. In addition, the UserData from the ticket is moved to the server (if there is any), and the SHA-512 hash of the other properties in the ticket is replaced with a GUID, which serves as the key into the server-side ticket store.

Validation of the cookie and ticket compares all the properties presented by the client (optionally including their IP address) to all the properties that were known about them at the time they were issued. If anything does not match, they are removed from the request before the FormsAuthenticationModule even starts its work. If everything matches, the server-side UserData is stuffed back into the FormsAuthenticationTicket in case you have any modules or code that depend on it. All of this is transparent. In addition, it can detect suspicious and overtly malicious requests and inserts a random delay into processing. It also has some explicit workarounds.

The demo application actually lets you create / modify your cookie and ticket values on the server, and the server encrypts your ticket for you using the machine keys. Thus you can prove to yourself that you cannot create a ticket / cookie that passes the server check unless you wrote that exact data set to the server (which should not be possible under normal circumstances).

-Scott

+4
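The design Scott describes (every ticket property kept server-side under an unguessable key, each request compared against that record, a mismatch burning the ticket) is what the asker calls an "opaque cookie". The following is an added example of that design written as a plain Python store rather than an HttpModule; it is not Scott's module or the asker's code. The `TicketStore`, `StoredTicket` and the in-memory dict are assumptions standing in for the database or cache a real deployment would use, and the cookie value format (uuid4 plus random suffix) is this example's choice.

```python
"""Opaque server-side tickets: the cookie carries nothing but a random id.

Added example (not the asker's or Scott's code). Every ticket property (user,
roles, issue/expiry time, client IP, UserData) lives in a server-side record;
the client only ever sees an unguessable id, so editing the cookie gives no
leverage. The store is an in-memory dict standing in for a database or cache.
"""
import hashlib
import secrets
import time
import uuid
from dataclasses import dataclass


@dataclass
class StoredTicket:
    user: str
    roles: tuple
    client_ip: str
    issued: float
    expires: float
    user_data: str = ""


class TicketStore:
    def __init__(self, lifetime_seconds=1800, bind_ip=True):
        self._records = {}          # sha256(cookie value) -> StoredTicket
        self.lifetime = lifetime_seconds
        self.bind_ip = bind_ip
        self.suspicious = 0         # presentations that failed validation

    @staticmethod
    def _key(cookie_value):
        # Store only a hash of the id: a leaked store does not yield usable cookies.
        return hashlib.sha256(cookie_value.encode()).hexdigest()

    def issue(self, user, roles, client_ip, user_data="", now=None):
        """Create the server-side record and return the opaque cookie value.

        uuid4 plus 128 extra random bits: unguessable, and nothing about the
        user is derivable from it (unlike an encrypted FormsAuthenticationTicket)."""
        now = time.time() if now is None else now
        cookie_value = f"{uuid.uuid4().hex}.{secrets.token_urlsafe(16)}"
        self._records[self._key(cookie_value)] = StoredTicket(
            user, tuple(roles), client_ip, now, now + self.lifetime, user_data)
        return cookie_value

    def validate(self, cookie_value, client_ip, now=None):
        """Return the StoredTicket if the presentation matches what was issued, else None.

        An unknown id, an expired ticket or (when bound) a different client IP
        all fail; an IP mismatch also revokes the ticket, since whoever holds it
        now may not be the user it was issued to."""
        now = time.time() if now is None else now
        record = self._records.get(self._key(cookie_value))
        if record is None:
            self.suspicious += 1
            return None
        if now >= record.expires:
            self.revoke(cookie_value)
            return None
        if self.bind_ip and record.client_ip != client_ip:
            self.suspicious += 1
            self.revoke(cookie_value)
            return None
        return record

    def revoke(self, cookie_value):
        """Server-side logout: the cookie is worthless the moment the record is gone."""
        self._records.pop(self._key(cookie_value), None)


if __name__ == "__main__":
    store = TicketStore(lifetime_seconds=60)
    cookie = store.issue("alice", ["admin"], "10.0.0.5", user_data="theme=dark")
    print("valid:", store.validate(cookie, "10.0.0.5").user)
    print("tampered:", store.validate("0" * len(cookie), "10.0.0.5"))
    print("wrong ip:", store.validate(cookie, "10.0.0.6"))
```

Because the client never holds anything but the id, there is no ciphertext for a padding oracle to work on and nothing to sign with machine keys; the trade-off is exactly the one the asker accepts, a store lookup on every request and a shared store if there is more than one server. The random delay Scott mentions for suspicious requests would go next to the `suspicious` counter.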

If you have the keys in the web.config file and the attacker gets to it, you are pretty much done for.

If that is not the case (they do not get the keys from your .config), then afaik the padding oracle should not let them sign a new auth ticket. The paper explains the ability to encrypt using CBC mode, ending up with a tiny piece of garbage. That should be enough to make it invalid.

As for the video where they get the keys using the tool, it was used against a dotnetnuke install. By default, dotnetnuke has those keys in the web.config file.

Implement the workaround, keep your keys at the site level of your web.config, disable the webresource.axd and scriptresource.axd handlers if you are not using them, and apply the patch as soon as MS releases it.

+1
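The answer above leans on two facts about the ASP.NET issue of the time (MS10-070): a server that answers "bad padding" distinguishably is a padding oracle for CBC, and the oracle decrypts but does not sign. The following added example, not code from the answer or from Microsoft, makes both concrete: a server that decrypts first and leaks the padding result, the byte-by-byte attack that recovers a ticket's plaintext from that one bit with no key, and the encrypt-then-MAC form in which every tampered token gets the same answer before any decryption happens. The block cipher is a constructed Feistel toy over SHA-256 so the file runs offline (the attack does not depend on the cipher); `VulnerableServer`, `HardenedServer` and the ticket string are this example's own names and sample data.

```python
"""CBC padding oracle, the attack, and the encrypt-then-MAC fix.

Added example, not code from the answers or from Microsoft. The cipher is a
constructed Feistel toy over SHA-256 so this runs offline; the attack needs
only CBC, PKCS#7 and a server whose "bad padding" answer is distinguishable.
"""
import hashlib
import hmac
import os

BLOCK = 16

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, i, half):                       # toy round function, 8-byte output
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]

def _feistel(key, blk, rounds):             # 8-round Feistel; decryption = reversed rounds
    l, r = blk[:8], blk[8:]
    for i in rounds:
        l, r = r, _xor(l, _f(key, i, r))
    return r + l

def block_encrypt(key, blk): return _feistel(key, blk, range(8))
def block_decrypt(key, blk): return _feistel(key, blk, reversed(range(8)))

def pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key, iv, padded):
    out, prev = b"", iv
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key, iv, ct):
    blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return b"".join(_xor(block_decrypt(key, c), p) for p, c in zip(blocks, blocks[1:]))

class VulnerableServer:
    """Decrypts first and lets the padding result leak: a padding oracle."""
    def __init__(self):
        self.key = os.urandom(16)
    def seal(self, plaintext):
        iv = os.urandom(BLOCK)
        return iv + cbc_encrypt(self.key, iv, pad(plaintext))
    def padding_ok(self, token):            # the one bit the attacker observes
        try:
            unpad(cbc_decrypt(self.key, token[:BLOCK], token[BLOCK:]))
            return True
        except ValueError:
            return False

def padding_oracle_decrypt(token, oracle):
    """Recover the plaintext of IV||ciphertext with no key, only yes/no answers."""
    blocks = [token[i:i + BLOCK] for i in range(0, len(token), BLOCK)]
    plain = b""
    for prev, cur in zip(blocks, blocks[1:]):
        inter = bytearray(BLOCK)            # block_decrypt(key, cur), learned byte by byte
        for pos in range(BLOCK - 1, -1, -1):
            padval = BLOCK - pos
            forged = bytearray(BLOCK)
            for j in range(pos + 1, BLOCK): # already-known bytes: force them to padval
                forged[j] = inter[j] ^ padval
            for guess in range(256):
                forged[pos] = guess
                if not oracle(bytes(forged) + cur):
                    continue
                if pos == BLOCK - 1:        # rule out a lucky \x02\x02-style match
                    forged[pos - 1] ^= 0xFF
                    if not oracle(bytes(forged) + cur):
                        continue
                inter[pos] = guess ^ padval
                break
            else:
                raise RuntimeError("no padding leak: the server is not an oracle")
        plain += _xor(inter, prev)
    return unpad(plain)

class HardenedServer(VulnerableServer):
    """Encrypt-then-MAC: a tampered token is rejected before any decryption."""
    def __init__(self):
        super().__init__()
        self.mac_key = os.urandom(16)
    def seal(self, plaintext):
        token = super().seal(plaintext)
        return token + hmac.new(self.mac_key, token, "sha256").digest()
    def padding_ok(self, token):
        body, tag = token[:-32], token[-32:]
        if not hmac.compare_digest(hmac.new(self.mac_key, body, "sha256").digest(), tag):
            return False                    # identical answer for every forgery
        return super().padding_ok(body)
```

Run against `VulnerableServer`, `padding_oracle_decrypt` returns the sealed ticket text after roughly 128 oracle calls per byte, which is why the interim workaround was a single uniform error response: the attack needs the server to tell good padding from bad, not to reveal anything else. Against `HardenedServer` the same attack raises on the very first byte, since no forgery ever reaches the padding check. The answer's point about signing holds in the hardened form too: without `mac_key`, the attacker cannot produce a token the server will even decrypt.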

I'd just recommend taking a look at the InetSolution MemberProtect product. It is a security-focused component designed for banking and financial services, but it is widely applicable to any website developed on ASP.NET or any application built on .NET. It provides support for encrypting user information and a variety of authentication methods from simple to very advanced, and the various methods and functions are intended to be used as the developer sees fit, so it is not a canned solution but a very flexible one, which may or may not be a good thing depending on the specific situation. It is also a very solid foundation for building new websites and applications in general.

You can find out more about this at http://www.memberprotect.net

I am a developer for MemberProtect and I work in InetSolution :)

0

This is not an answer to your question as such, but I must say I think your logic is suspect. Not that you shouldn't consider alternative authentication solutions, but the recently announced ASP.NET vulnerability shouldn't force you to abandon your current (presumably working) solution. I'm also not quite sure what the relevance of this comment is:

From what I understand, Microsoft typically stores things on the client side, because it simplifies working with server farms without requiring database access calls.

What is it about this vulnerability that makes you think ASP.NET forms auth is more broken than any other solution?

The details of the MS advisory seem to suggest that virtually any other authentication system could be exposed to a similar attack. For example, any solution that uses web.config to store its settings will still have those settings exposed to the world given a successful attack.

The real solution here is not to change the security provider but to apply the published workaround for the problem. You could switch authentication providers only to find that you are still vulnerable and your effort won you nothing.

Regarding tokens / sessions: you need to push something to the client for authentication (whether you call it a token or not), and it isn't that part of the process that causes the current security problem: it's the way the server responds to certain requests that makes that secret vulnerable to attack.

0
