Image Caching, HTTPHandler, and FormsAuthentication

Setup:

I am working on a website that uses FormsAuthentication with cookies to store the authentication ticket. The site also has an HttpHandler that serves images stored in the database. The handler caches the images as public with a 20-minute expiry. We noticed that since the images have the same life cycle as the page, the image responses also contain the FormsAuthentication cookie. Configuration: IIS 6, Win2k server, no content expiration period set.

Problem:

What we are experiencing is that Person A logs in and goes to a couple of pages. Then Person B goes to the default page without logging in, receives Person A's cookie, and can see all of Person A's data. We once reproduced the problem by enabling Content Expiration in IIS, but could not reproduce it consistently, so we are not sure that Content Expiration helped us reproduce it. We assume that the images are cached as public and also contain the FormsAuthentication cookie, since it is possible for Person B to inadvertently get Person A's cookie. We know that this is not an attack on the website.

Has anyone experienced behavior similar to this? If so, can you give any recommendations on how to reproduce this issue consistently?

+6
c# cookies iis
7 answers

We assume that the cookie is in the response header and that the cached response writes out the same cookie that exists on Person A's machine to Person B. It is important to note that this problem arose with Person A in IE 7 and Person B in Firefox. Also, when user A logged off, user B was logged off too, since the FormsAuthentication ticket was no longer valid on the server. So yes, they have different cookies, but the same FormsAuthentication ticket in each of the cookies. One of them was created without logging in.

We also found this article, but could not confirm whether this is the cause. http://support.microsoft.com/default.aspx?scid=kb;EN-US;917072

I'll see what LiveHTTP says and report back. Thanks.

+1

Why does Person B get Person A's cookie? I assume you mean that Person B's session cookie is associated with A's login ID. This is the essence of the problem.

It seems to me that the login ID is stored in a place that can cross requests, for example a temporary file or the database, without being keyed by the session cookie. (A related issue: the page's output is cached but not keyed by, or not retrieved using, the session cookie.) When session information is stored or cached, it must be associated with the cookie. Think in terms of session data belonging to the browser, not to the login.

I would install the Firefox LiveHTTP extension and look at the request/response headers. My bet: you will see that A and B have different cookies, but on the server they are both associated with the same login ID.

0

Of course, if these images (and CSS and static JS files, etc.) are not served over HTTPS, they will be cached by ISPs or other proxy servers (well, caches, really), along with their cookies.

There is a cache directive that looks something like this:

 Cache-control: no-cache="set-cookie,set-cookie2" 

... which is supposed to tell caches not to cache the Set-Cookie response headers, but I'm not sure how widely this is supported (even though it's standard).

Avoid Set-Cookie response headers when serving images, if possible (maybe not easy if you don't have full control over session management). If the user must be authenticated to see certain images, then those images should not be publicly cached in any case.

0
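As an added example of the advice in this answer (my own code, not the question author's handler or anything from this thread): a C# IHttpHandler that keeps the 20-minute browser cache for database-stored images but marks the response Private, discards any cookie queued on the response, and adds the no-cache="set-cookie" extension. The Images table, its Id/Data columns, the ImageDb connection string and the PNG content type are assumptions.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web;

// Serves a database-stored image to an authenticated user without letting the
// forms-authentication cookie ride along into a shared or server-side cache.
public class ImageHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        HttpResponse response = context.Response;
        byte[] image = LoadImage(int.Parse(context.Request.QueryString["id"]));
        if (image == null) { response.StatusCode = 404; return; }

        // The question's handler used HttpCacheability.Public on a response
        // that could also carry the Set-Cookie of a renewed forms-auth ticket.
        // Private keeps the 20-minute browser cache but stops the ASP.NET
        // output cache and shared proxies from storing the image (or cookie).
        response.Cache.SetCacheability(HttpCacheability.Private);
        response.Cache.SetExpires(DateTime.UtcNow.AddMinutes(20));

        // Drop any cookie queued on this response (forms-ticket sliding renewal
        // is the usual source) and add the RFC 2109 hint not to cache Set-Cookie.
        response.Cookies.Clear();
        response.Cache.AppendCacheExtension("no-cache=\"set-cookie\"");

        response.ContentType = "image/png"; // assumption: stored images are PNG
        response.BinaryWrite(image);
    }

    // Assumed schema: Images(Id int, Data varbinary), reachable through the
    // "ImageDb" connection string in web.config. Query is parameterised.
    private static byte[] LoadImage(int id)
    {
        string cs = ConfigurationManager.ConnectionStrings["ImageDb"].ConnectionString;
        using (SqlConnection conn = new SqlConnection(cs))
        using (SqlCommand cmd = new SqlCommand("SELECT Data FROM Images WHERE Id = @id", conn))
        {
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;
            conn.Open();
            return cmd.ExecuteScalar() as byte[];
        }
    }
}
```

Register the handler for the image path in web.config; with Private cacheability the ASP.NET output cache never stores the response, so the 20-minute expiry only applies inside the requesting user's browser.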

Sorry, I forgot to mention that all traffic went over port 443 as SSL. We plan to remove the cookie being set for the images. However, we are a little puzzled about how this can happen when all traffic goes through SSL.

0

All traffic was SSL ... browsing the IIS logs shows it went through port 443. The only caching that was set was on the images, as public, as mentioned earlier. Our assumption is that output caching is what causes the problem.

0

Are you sure that page caching is not activated?

0

It might help to install Fiddler to examine your HTTP requests, as described above. Also make sure the cookies match. Does your handler or forms authentication system use a reference to static objects? You may have a race condition in your code and not be locking your resources.

0