Reputation: 166
I am using the ASP.NET Forms authentication method, use certain encryption and decryption keys in the machineKey tag, and set slidingExpiration to true with a 20-minute timeout. Now I have a question: if anyone steals my cookie, can he/she log in with my account anywhere (because the encryption is always constant)? And if the answer is no, how do the cookie values change on every request?
Thanks
EDITED: If the cookies change on every request, where is the encryption key stored? And how does the application know which key to use to decrypt the data?
Upvotes: 2
Views: 2836
Reputation: 1749
The cookie holds the Forms authentication ticket. With sliding authentication, the date that is stored in the ticket could be updated with any request that is checked by the server. That is why you would see cookie values changing.
The cookie (or ticket) is vulnerable to theft and can certainly be used to hijack a session. See this Microsoft article for more information.
Upvotes: 2
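To make the answer's two points concrete, here is an added, self-contained model of a sliding-expiration authentication ticket. It is illustrative code written for this page, not ASP.NET's own implementation: the real ticket is encrypted and MACed under the machineKey keys, while this model only MACs a JSON payload with a constructed server-side key. The per-user "ver" counter and the `revoke_all_sessions` function are a hypothetical server-side mitigation added here to show how a stolen ticket can be cut off before it expires; they are not Forms authentication features.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timedelta

# Constructed demo secret standing in for the machineKey validationKey. As in ASP.NET,
# the key lives only on the server (web.config / machine.config); the cookie never carries it,
# which is how the server can decrypt or verify tickets it has issued.
SERVER_KEY = b"constructed-demo-key-not-for-real-use"
TIMEOUT = timedelta(minutes=20)  # slidingExpiration="true" timeout="20" as in the question


def _mac(payload: bytes) -> bytes:
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


def issue_ticket(user: str, now: datetime, versions: dict) -> str:
    """Mint a ticket: b64(payload).b64(mac). The payload carries issue and expiry times plus a
    per-user 'ver' counter (hypothetical revocation hook, not an ASP.NET ticket field)."""
    payload = json.dumps(
        {"user": user, "issued": now.isoformat(), "expires": (now + TIMEOUT).isoformat(),
         "ver": versions.get(user, 0)},
        sort_keys=True,
    ).encode()
    return _b64(payload) + "." + _b64(_mac(payload))


def validate_ticket(ticket: str, now: datetime, versions: dict):
    """Return the ticket fields if the MAC verifies, the ticket is unexpired and not revoked;
    otherwise None. Nothing here depends on who presents the ticket: a copied cookie passes too."""
    try:
        p_b64, m_b64 = ticket.split(".")
        payload = base64.urlsafe_b64decode(p_b64)
        mac = base64.urlsafe_b64decode(m_b64)
    except ValueError:
        return None
    if not hmac.compare_digest(mac, _mac(payload)):
        return None  # tampered payload or MAC
    fields = json.loads(payload)
    if now >= datetime.fromisoformat(fields["expires"]):
        return None  # absolute expiry of this ticket window
    if fields["ver"] != versions.get(fields["user"], 0):
        return None  # revoked server-side (hypothetical mitigation)
    return fields


def renew_if_sliding(ticket: str, now: datetime, versions: dict):
    """Sliding expiration as ASP.NET applies it: the ticket is re-issued (so the cookie value
    changes) only once more than half of the timeout has elapsed; otherwise the same value is kept."""
    fields = validate_ticket(ticket, now, versions)
    if fields is None:
        return None
    issued = datetime.fromisoformat(fields["issued"])
    if now - issued > TIMEOUT / 2:
        return issue_ticket(fields["user"], now, versions)
    return ticket


def revoke_all_sessions(user: str, versions: dict) -> None:
    """Server-side kill switch: bump the user's version so every outstanding ticket fails validation."""
    versions[user] = versions.get(user, 0) + 1


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 12, 0)
    versions = {}
    original = issue_ticket("alice", t0, versions)
    stolen = original  # a copied cookie is an identical string; the server cannot tell it apart
    print("stolen cookie accepted at +19 min:", validate_ticket(stolen, t0 + timedelta(minutes=19), versions) is not None)
    print("stolen cookie accepted at +20 min:", validate_ticket(stolen, t0 + timedelta(minutes=20), versions) is not None)
    renewed = renew_if_sliding(original, t0 + timedelta(minutes=15), versions)
    print("cookie value changed after half the timeout:", renewed != original)
    revoke_all_sessions("alice", versions)
    print("stolen cookie accepted after revocation:", validate_ticket(stolen, t0 + timedelta(minutes=16), versions) is not None)
```

The model shows why the cookie value changes (the server re-issues the ticket with a new issue and expiry time once more than half the window has passed, all under the same server-held key) and why that does not protect against theft: validation checks only the key, the expiry and, in this added mitigation, a server-side version, never the client presenting it. Short timeouts, HTTPS with the Secure and HttpOnly cookie flags, and a server-side revocation hook like the one modelled here are the practical ways to limit the damage of a stolen ticket.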