Cookie Vulnerability Forms Authentication in asp.net

In ASP.NET, I can log in using basic authentication, copy our authorization cookie, log out, add the cookie artificially to the client using the "Edit This Cookie" add-on for Chrome, refresh the (anonymous) landing page and hey presto, I am logged in again. This is apparently a vulnerability. Is there a way to fix it using standard forms auth, or will I need to do something like use a special Authorize attribute that overrides the existing one in ASP.NET MVC?

+1
authentication asp.net-mvc forms-authentication
Jun 26 2018-12-12T00:
3 answers

Cookies are always unbearable, and we can not do much about it. We may not allow anyone to steal cookies.

As for ASP.NET MVC, it does a good job of avoiding theft of cookies. Some of the main things that it does by default as part of security:

  • Encode the strings that appear in the view (if you use Razor; don't know about others) to prevent XSS attacks.

  • Request verification (stop potentially dangerous data ever reaching the application).

  • Prevent GET access for JSON data.

  • Prevent CSRF using the antiforgery helpers.

Regarding cookies, Microsoft provides the HttpOnly feature, and this helps to hide cookies from JavaScript. The forms authentication cookie you are talking about is an HttpOnly cookie, so someone cannot steal it through JavaScript, and it is more secure.

+1
Jun 26 '12 at 14:50

I do not think this is a mistake in itself. With forms authentication, the following occurs:

  • You provide a username / password to the server.
  • The server verifies the username / password.
  • If it is valid, the server then sends an encrypted authentication ticket (cookie) to the client with an expiration date (set in the forms authentication section of web.config) and the username (all encrypted).
  • On each request that requires authorization, the cookie is decrypted on the server, the expiration time is checked, and the username is used to check whether it is allowed (or get this role for the requested resource).
  • When you log out, the cookie expiration time is set in the past, so it is no longer a valid cookie.

Now, about why you see what you see: you copy the cookie before logging in. Thus, your copied cookie never logs out (the transition time). When you reconnect, you still have a valid cookie. Now, if your forms authentication timeout is set to, let's say, 20 minutes, this method will not work if you copy the cookie and wait 21 minutes, because by then it has expired.

+3
Jun 26 '12 at 14:25
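
The ticket lifecycle described in the answer above, as an added Python model that is not part of the original thread and is not ASP.NET's own code. An HMAC-signed ticket stands in for the encrypted forms ticket, and the `track_logout` check (a per-user logout timestamp kept on the server) is an assumed mitigation that the answers do not propose; the key and all names are constructed.

```python
import base64, hashlib, hmac, json

SERVER_KEY = b"constructed-demo-key"  # constructed; stands in for the server's key
TIMEOUT = 20 * 60                     # the answer's 20-minute timeout, in seconds

def issue_ticket(username, now):
    """Login: return a signed, self-contained ticket (the cookie value)."""
    claims = {"u": username, "iat": now, "exp": now + TIMEOUT}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode())
    mac = hmac.new(SERVER_KEY, body, hashlib.sha256).hexdigest().encode()
    return (body + b"." + mac).decode()

def read_ticket(cookie, now):
    """Per-request check as the answer describes it: integrity, then expiry."""
    try:
        body, mac = cookie.encode().rsplit(b".", 1)
    except ValueError:
        return None
    expected = hmac.new(SERVER_KEY, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(mac, expected):
        return None
    ticket = json.loads(base64.urlsafe_b64decode(body))
    return ticket if now < ticket["exp"] else None

class Server:
    def __init__(self, track_logout):
        self.track_logout = track_logout  # False = behaviour the answer describes
        self.logged_out_at = {}           # username -> time of last logout

    def logout(self, cookie, now):
        ticket = read_ticket(cookie, now)
        if ticket and self.track_logout:
            self.logged_out_at[ticket["u"]] = now
        return ""  # only the browser's copy is cleared; a saved copy is untouched

    def authenticate(self, cookie, now):
        ticket = read_ticket(cookie, now)
        if ticket is None:
            return None
        if ticket["iat"] < self.logged_out_at.get(ticket["u"], 0):
            return None  # ticket was issued before this user's last logout
        return ticket["u"]

def replay_after_logout(track_logout, wait_seconds):
    """Log in at t=0, keep a copy of the cookie, log out at t=60, replay the copy."""
    server = Server(track_logout)
    copied = issue_ticket("alice", now=0)
    server.logout(copied, now=60)
    return server.authenticate(copied, now=60 + wait_seconds)
```

With `track_logout=False` the copied ticket is accepted until its own expiry passes, which is the 21-minute case in the answer; with `track_logout=True` it is rejected immediately after logout.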

You can do this with any cookie(s). You can check / copy all cookies from any domain and push them if you want. You can do it yourself (only) because it is your computer (or the user is logged on to the PC). Obviously, if you are working on a shared computer, this is a problem (for all your information).

The act of "copying your cookie" is actually one of the ways in which an attacker tries to steal your identity (or the current session on some website). However, if you do not have malware, you cannot simply "copy cookies" from another user.

Assuming logout is complete, you can ask users to close their browsers so that the expired cookie is deleted from the system (file).

0
Jun 26 2018-12-12T00: