German Latorre

Reputation: 11128

Prevent forms authentication cookie from being used across browsers

I am using forms authentication in an ASP.NET application and I realised that I can copy the authentication cookie content after I've already logged in, manually create the cookie in another instance of another browser and, after that, the application logs in automatically from the second browser.

I'd like to know if there's a way to prevent this (I don't know... something like making the authentication ticket somehow linked to the browser instance) as, as it is now, someone can steal the cookie and use it on a different computer to access the same account with no need for a login or password.

Upvotes: 2

Views: 1051

Answers (3)

RichardOD

Reputation: 29157

There's not a great deal you can do. Jeff Prosise has an interesting article here where he tries creating an HttpModule.

However you can see this isn't that effective:

...User-Agent headers are the last line of defense. And User-Agent headers are easily spoofed by someone aware that User-Agent headers are being used to validate session IDs.

Personally I wouldn't lose any sleep over it.

Upvotes: 1

Guffa

Reputation: 700152

No, the browser doesn't send any unique identifier that you can use to pinpoint a single browser instance. You could store the UserAgent string and verify it each time the user requests a page to reduce the risk of identity theft, but that won't eliminate it.

To make a really safe connection you would have to use SSL.

Upvotes: 0

Program.X

Reputation: 7412

Take the User Agent and embed that in your cookie? Obviously, this would only work if your cookie was encrypted.

eg.

string plainFormCookie = GetUsername() + etc() + Request.UserAgent;
// encrypt the cookie afterwards

Upvotes: 0
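Putting Guffa's and Program.X's suggestions together, as an added example that is not code from the question or any of the answers: a helper (hypothetical name UserAgentBoundTicket) that stores a hash of Request.UserAgent in the forms ticket's UserData at login and re-checks it on every request. As RichardOD's quoted article points out, the User-Agent is trivially spoofed, so this only raises the bar for a copied cookie; the real protection against cookie theft in transit is SSL (requireSSL) plus HttpOnly, which the helper also sets.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.Security;

// Hypothetical helper: binds a forms-auth ticket to the client's User-Agent.
// A spoofed User-Agent defeats this check, so it is defence in depth only.
public static class UserAgentBoundTicket
{
    // Hash the UA instead of embedding the raw string to keep the cookie small.
    private static string Fingerprint(HttpRequest request)
    {
        string ua = request.UserAgent ?? string.Empty;
        using (var sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(ua)));
    }

    // Call after a successful login in place of FormsAuthentication.SetAuthCookie.
    public static void Issue(HttpContext ctx, string userName, bool persistent)
    {
        var ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.AddMinutes(30),
            persistent, Fingerprint(ctx.Request), FormsAuthentication.FormsCookiePath);

        // FormsAuthentication.Encrypt also signs the ticket, so UserData cannot be edited.
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                           // keep script from reading it
            Secure = FormsAuthentication.RequireSSL    // only send over HTTPS when configured
        };
        ctx.Response.Cookies.Add(cookie);
    }

    // Call from Application_PostAuthenticateRequest or an HttpModule.
    // Returns false when the presented ticket was not issued to this User-Agent;
    // the caller should then FormsAuthentication.SignOut() and redirect to login.
    public static bool Validate(HttpContext ctx)
    {
        HttpCookie cookie = ctx.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null) return true;               // anonymous request, nothing to check

        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { return false; }            // tampered or undecryptable cookie

        if (ticket == null || ticket.Expired) return false;
        return ticket.UserData == Fingerprint(ctx.Request);
    }
}
```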
