Is form authentication ticket authentication with PHP?

I am a PHP developer who knows almost nothing about .NET. I was asked by the .NET guys at work to translate the .NET code that decodes the authentication ticket to PHP, so that the PHP code can set the appropriate session variables for my application. Is it possible? I look at the code and it puzzles me. I will continue to try if someone tells me that this is not a waste of time for some reason I don't even know about. Thanks for any help!

Additional Information: Is it even possible to grab a ticket using PHP in the first place?

+3
4 answers

As Gumbo said, you need to consider the algorithms involved. An ASP.NET forms authentication ticket goes through these steps:

  • Create a serialized forms authentication ticket. A byte array representation of the ticket is created.
  • Sign the forms authentication ticket. A message authentication code (MAC) value for the byte array is computed using the algorithm and the key specified in the validation and validationKey attributes of the machineKey element. By default, the SHA1 algorithm is used.
  • Encrypt the ticket. The second byte array that was created is encrypted using the Encrypt method of the FormsAuthentication class. The Encrypt method internally uses the algorithm and the key specified in the decryption and decryptionKey attributes of the machineKey element. ASP.NET version 1.1 uses the 3DES algorithm by default. ASP.NET version 2.0 uses Rijndael (AES) by default.
+1

First open the machine.config file and add a machineKey entry. Set the decryption key and the validation key according to a randomly generated machine key from a machine key generator for ASP.NET 2.0.

Be sure to use the default settings, i.e. AES and SHA1. Now that you have the AES decryption key, save it somewhere because you will need it on the PHP side. In your .NET app go to web.config and get the auth cookie name, usually something like .ASPXAUTH.

Now go to the PHP side. Download and configure an AES encryption library such as http://phpseclib.sourceforge.net/documentation/

Then in PHP you can do something like this (this uses phpseclib):

  set_include_path(get_include_path() . PATH_SEPARATOR . 'phpseclib');
  include('Crypt/AES.php');

  // PHP rewrites dots in cookie names to underscores, so .ASPXAUTH arrives as _ASPXAUTH.
  $authCookie = $_COOKIE['_ASPXAUTH'];
  echo $authCookie;

  $aes = new Crypt_AES();
  // machineKey values are hex strings; the cipher needs the raw 32 key bytes (AES-256).
  $aes->setKey(pack('H*', 'BCDCBE123654F3E365C24E0498346EB95226A307857B9BDE8EBA6198ACF7F03C'));
  // The cookie value is hex-encoded as well, so decode it before decrypting.
  echo $aes->decrypt(pack('H*', $authCookie));

Now what eventually comes out will first be PM + SHA1 hash + the byte representation of the auth ticket. You must convert the serialized bytes to a string to make it readable. Can anyone add to this last step?

+5
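As an added example (not code from any of the answers above), here is the decrypt-then-verify pipeline the answers describe, in PHP with the openssl and hash extensions: AES-CBC decrypt, split off the trailing 20-byte SHA1 MAC, and check it with the validationKey before trusting the ticket bytes. The keys, the ticket bytes and the 16-byte IV prepended to the ciphertext are constructed assumptions for this model; the real ASP.NET framing (IV handling and the binary ticket serialization) has to be matched to the framework version in use.

```php
<?php
// Added example modelling: ticket bytes -> HMAC-SHA1 appended -> AES-CBC -> hex cookie.
// Keys below are constructed values in machineKey hex form, not real keys.
$validationKeyHex = str_repeat('0f', 64);  // 64-byte validationKey
$decryptionKeyHex = str_repeat('a5', 32);  // 32-byte decryptionKey -> AES-256

// Returns the ticket bytes, or null when decryption or MAC verification fails.
function decodeTicket(string $cookieHex, string $validationKeyHex, string $decryptionKeyHex): ?string
{
    $validationKey = hex2bin($validationKeyHex);
    $decryptionKey = hex2bin($decryptionKeyHex);
    $blob = @hex2bin($cookieHex);
    if ($blob === false || strlen($blob) < 32) {
        return null; // not hex, or too short for an IV plus one cipher block
    }
    // Assumption of this model: a 16-byte IV precedes the ciphertext.
    $iv = substr($blob, 0, 16);
    $ciphertext = substr($blob, 16);
    $plain = openssl_decrypt($ciphertext, 'aes-256-cbc', $decryptionKey, OPENSSL_RAW_DATA, $iv);
    if ($plain === false || strlen($plain) <= 20) {
        return null; // bad padding, or no room for a 20-byte SHA1 MAC
    }
    // Split off the trailing MAC and verify it in constant time before using the ticket.
    $ticketBytes = substr($plain, 0, -20);
    $mac = substr($plain, -20);
    $expected = hash_hmac('sha1', $ticketBytes, $validationKey, true);
    if (!hash_equals($expected, $mac)) {
        return null; // tampered, or signed with a different validationKey
    }
    return $ticketBytes;
}

// Builds a cookie for this model so the example runs stand-alone (constructed, not ASP.NET's code).
function encodeTicket(string $ticketBytes, string $validationKeyHex, string $decryptionKeyHex): string
{
    $mac = hash_hmac('sha1', $ticketBytes, hex2bin($validationKeyHex), true);
    $iv = random_bytes(16);
    $ct = openssl_encrypt($ticketBytes . $mac, 'aes-256-cbc', hex2bin($decryptionKeyHex), OPENSSL_RAW_DATA, $iv);
    return bin2hex($iv . $ct);
}

$cookie = encodeTicket('constructed-ticket-bytes', $validationKeyHex, $decryptionKeyHex);
echo "valid cookie   : ";
var_dump(decodeTicket($cookie, $validationKeyHex, $decryptionKeyHex));
// Flip the last ciphertext byte: padding or MAC check fails, so nothing is trusted.
$tampered = substr($cookie, 0, -2) . (substr($cookie, -2) === '00' ? '01' : '00');
echo "tampered cookie: ";
var_dump(decodeTicket($tampered, $validationKeyHex, $decryptionKeyHex));
```

The same split-and-verify step is what is missing after the phpseclib decrypt above: the MAC must be checked with the validationKey, not just stripped, or a forged cookie would be accepted.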

From the Microsoft KB:

A forms authentication ticket is used to tell the ASP.NET application who you are. As such, the ticket is a building block of forms authentication security.

The ticket is encrypted and signed using the configuration element of the server's Machine.config file. ASP.NET 2.0 uses the decryptionKey attribute and a new decryption attribute of that element to encrypt forms authentication tickets. The decryption attribute lets you specify the encryption algorithm to use. ASP.NET 1.1 and 1.0 use 3DES encryption, which is not configurable. Tampering with the ticket value is detected by the failure to decrypt the ticket on the server. As a result, the user will be redirected to the login page.

If the application is deployed to a Web farm, you must ensure that the configuration files on each server have the same value for the validationKey and decryptionKey attributes in the tag, which are used for hashing and decrypting the ticket respectively. You must do this because you cannot guarantee which server will process consecutive requests. For more information on FormsAuthenticationTicket encryption and Web farm deployment, see the following MSDN website:

So, you can tell which encryption/decryption algorithm the key is used with. You can implement the same decryption logic in PHP.

+1

If you know the decryption algorithm, you can implement it in PHP.

0
