Reputation: 15420
Form authentication cookie vulnerability
I have a question regarding Form authentication cookie vulnerability. In JavaScript we can use document.cookie to access form authentication cookie value (assuming it is not httponly). This value is encrypted. I have read in many blogs that if someone get's this value our security is breached. My question is how can he(attacker) breach it(the credentials inside the cookie) since the form authentication encryption method uses machine key to encrypt that cookie, so to decrypt it, the same machine key would be needed? Isn't that so? Can you clarify me on this that how that cookie value is vulnerable since the attacker should have my machine key with him only then he can decrypts it? Am I right here?
Upvotes: 0
Views: 522
Answers (2)
Reputation: 2084
What I've done, don't know how much it actually helps, but I've never seen any breaches (although there are some 100 attempts made) is to pair the cookie with an IP-address, which means that I look up if the call comes from the same IP-address as the previous call, if not, it resets the cookie and you'll have to log in again. This isn't exactly viable for all sites, but in my case it was more important to add some measures of security rather than allowing for mobility.
This approach is probably nicely suceptible for MITM attacks, but you can never protect yourself against all eventualities except if you have a monster budget and no restrictions regarding performance and accessibility.
Upvotes: 1
Reputation: 141588
how can he(attacker) breach it(the credentials inside the cookie) since the form authentication encryption
He doesn't have to decrypt the encrypted cookie. He could just use the encrypted value of the cookie and become you.
The server does the encryption, so it doesn't know that the browser giving it the cookie was who the cookie was originally issued to.
Using an extension like Modify This Cookie (or anything else that achieves that functionality) would allow me to set my cookie to your encrypted value if I were able to obtain it.
Ironically, the very same question was asked about StackOverflow. Have a look at Troy's post for further information.
Upvotes: 2
Related Questions
- Securing asp.net webform cookie not working
- Secure Authentication cookie Asp.Net
- .Net Forms Authentication Issue - 401, even though cookie set
- Authentication Cookie in asp.net
- Forms Authentication Cookie value vulnerability in asp.net
- Cookie and Authentication -ASP.net
- ASP.NET Authentication cookie
- Cookie-based Forms Authentication with Cookies disabled
- ASP.Net Cookie Problems
- ASP.NET FormsAuthentication Cookie Problem