Form authentication security risk

I am using VSTS 2008 + C# + .Net 3.5 + IIS 7.0 + ASP.Net. In my understanding of forms authentication, a session variable (used for the authentication id, i.e. when the user is authenticated, the user will have such a session variable, and the session variable will be implemented as a cookie) is set for the authenticated user.

My concern with this mode is that every time a user accesses a page on the website, the session variable will be passed to the server. Can it be intercepted by a hacker, who could then use such a session variable to pretend to be an end user? Is this a security risk?

If this is a security risk, do we need to use https all the time with forms authentication?

Thanks in advance, George

+2


5 answers


I had similar issues due to a request from one of our partners ... (For more details see here https://stackoverflow.com/questions/1367574/rewriting-urls-using-reverse-proxy )

As it turns out, this "legitimate" process actually uses a hacking technique called "man in the middle". It technically pretends to be the user by storing the cookie ID in its own session context when talking to the server, and keeping a separate one for the client computer.

So in theory it can be done, and it is a threat. Using SSL is the right way in my opinion if the data is sensitive in any way.




It's funny that in this Microsoft support article http://support.microsoft.com/kb/910443 the phrase leads you to believe that it's actually the same for every request ...

A forms authentication cookie is nothing more than a container for the forms authentication ticket. The ticket is passed as the forms authentication cookie value with each request, and is used to authenticate the user to the server.

The cookie can be encrypted using 3DES encryption. This can be enabled by setting the security attribute in the authentication section of the web.config file (see "Verify that the authentication section of the web.config file is correct"). With this setting, the server validates the data in the cookie on every transaction. It adds a bit of overhead though ...

+2


The user's session ID is not used as part of the authentication cookie - the authentication cookie and the session cookie are separate. Therefore, if parts of your website require authentication, the session ID will not be sufficient to sign in.



Having said that, if a hacker sniffs the traffic, they are also going to look at the authentication cookie and so can recreate both.

+3


You can refer to this question for more information. This is a potential security risk, and to provide a truly secure connection you need to use HTTPS.

+2


Yes, the session ID can be stolen by sniffing traffic, so there is a security risk associated with using the session for identification. It is generally considered reasonably secure for non-critical sites, but if you have a site where security is important (banking, etc.), you need to use SSL for security.

+2


Yes! Just remember to add requireSSL="true" to the forms tag in web.config:

<authentication mode="Forms">
  <forms loginUrl="~/Account/LogOn" timeout="2880" requireSSL="true" />
</authentication>

Then you can also use some rewrite to make sure https is used on pages or directories that require authentication. In MVC, you can use the [RequireHttps] filter attribute.

<rewriteMap name="SSL_Required_pages" defaultValue="">
  <add key="/simulacao-seguro-automovel.aspx" value="/simulacao-seguro-automovel.aspx" />
</rewriteMap>
<rule name="Enforce SSL pages">
  <match url="(.*)" />
  <conditions>
    <add input="{SSL_Required_pages:{HTTP_URL}}" pattern="(.+)" />
    <add input="{HTTPS}" pattern="off" />
    <add input="{HTTP_HOST}" pattern="mysite\.com" />
  </conditions>
  <action type="Redirect" url="https://mysite.com/{R:1}" redirectType="Permanent" />
</rule>
<rule name="Enforce SSL to secure directories">
  <match url="(.*)" />
  <conditions>
    <add input="{PATH_INFO}" pattern="^/admin/|^/admin|^/fale-conosco/|^/fale-conosco" />
    <add input="{HTTPS}" pattern="off" />
    <add input="{HTTP_HOST}" pattern="mysite\.com" />
  </conditions>
  <action type="Redirect" url="https://www.mysite.com/{R:1}" redirectType="Permanent" />
</rule>

0
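An added example, not from any of the answers above and not ASP.NET's own code: a small Python audit that takes the Set-Cookie headers a login response returns and reports whether the two cookies this thread is about, the session cookie and the separate forms authentication ticket cookie, carry the Secure flag (and HttpOnly). It is the check you would run after setting requireSSL="true" as the last answer suggests, and it makes the earlier answer's point concrete: the session id and the authentication ticket are two distinct cookies, so both have to be protected. It assumes the default ASP.NET cookie names ASP.NET_SessionId and .ASPXAUTH (a site can rename them in web.config); every header value in it is constructed sample data, not captured traffic.

```python
"""Audit Set-Cookie headers from an ASP.NET forms-authentication site.

Added example, not part of the original thread. All header values are
constructed sample data. Cookie names are the ASP.NET defaults and are an
assumption: a site may configure different names.
"""
from typing import Dict, List, NamedTuple, Tuple

# Default ASP.NET cookie names (assumption: the site has not renamed them).
SENSITIVE_COOKIES = {
    "ASP.NET_SessionId": "session id",
    ".ASPXAUTH": "forms authentication ticket",
}


class CookieReport(NamedTuple):
    name: str
    role: str
    secure: bool
    httponly: bool
    findings: Tuple[str, ...]


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split one Set-Cookie value into (name, value, attributes).

    Attribute names are lower-cased because they are case-insensitive on
    the wire: "Secure", "secure" and "SECURE" are the same flag.
    """
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_cookies(set_cookie_headers: List[str]) -> List[CookieReport]:
    """Report each sensitive cookie and what is missing from its attributes."""
    reports: List[CookieReport] = []
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if name not in SENSITIVE_COOKIES:
            continue  # other cookies are out of scope for this check
        secure = "secure" in attrs
        httponly = "httponly" in attrs
        findings = []
        if not secure:
            findings.append(
                f"{name} lacks Secure: the browser also sends it over plain "
                "HTTP, where it can be sniffed and replayed"
            )
        if not httponly:
            findings.append(f"{name} lacks HttpOnly: readable by script on the page")
        reports.append(
            CookieReport(name, SENSITIVE_COOKIES[name], secure, httponly, tuple(findings))
        )
    return reports


# Constructed sample login responses: before and after the site requires SSL
# for its cookies. Values are placeholders, not real tickets.
BEFORE_REQUIRE_SSL = [
    "ASP.NET_SessionId=constructed-session-id; path=/; HttpOnly",
    ".ASPXAUTH=constructed-ticket-value; path=/; HttpOnly",
    "theme=dark; path=/",
]
AFTER_REQUIRE_SSL = [
    "ASP.NET_SessionId=constructed-session-id; path=/; secure; HttpOnly",
    ".ASPXAUTH=constructed-ticket-value; path=/; secure; HttpOnly",
    "theme=dark; path=/",
]

if __name__ == "__main__":
    for label, headers in (("before", BEFORE_REQUIRE_SSL), ("after", AFTER_REQUIRE_SSL)):
        print(f"--- {label} ---")
        for report in audit_cookies(headers):
            status = "ok" if not report.findings else "; ".join(report.findings)
            print(f"{report.name} ({report.role}): {status}")
```

requireSSL="true" on the forms element only covers the ticket cookie (ASP.NET marks it Secure and will not issue it over HTTP). The session cookie is a separate cookie with its own flags, which is why the audit lists it separately; in system.web, `<httpCookies httpOnlyCookies="true" requireSSL="true" />` applies the same flags to the remaining cookies.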
