Olexiy Kubliy

Reputation: 21

ASP.NET MVC 3 Forms Authentication security risk

I am using ASP.Net MVC3 and IIS 7.0. On my site I have implemented Forms Authentication over https (requireSSL="true"). I have set an expiration date (e.g. 5 days) for the .ASPXAUTH cookie. Everything works fine, but after a successful login from one browser I can copy the .ASPXAUTH cookie (without any problem) to another browser or another computer and get into my site without a login and password.

How can I make it so that the site can only be accessed from the browser or the computer on which I typed the login and password, and not from another browser to which I copied the .ASPXAUTH cookie?

Thanks in advance, Olexiy

Upvotes: 0

Views: 1072

Answers (2)

Andras Zoltan

Reputation: 42363

You could incorporate a hash of the user agent and the client's IP address in the auth cookie (see ASP.Net Store User Data in Auth Cookie for some info on how you could go about that).

But

Beware mobile browsers and proxies - a user on a roaming network can change IP address very frequently, and a proxy will present a single IP for multiple users. Mix the two in as well, where, like me, a user might migrate from home wi-fi to a mobile network and then to a corporate wi-fi with a proxy, and you'll have people getting signed out quite frequently. Incorporating the user-agent hash also means that the client installing OS or browser updates can sign them out, too.

Why not instead go for two cookies: one which is persistent and which identifies the user, and another that's session-only and which tracks whether the user has signed in on this visit? Then you do something like Amazon does - require sign-in for anything that involves money, or changing/viewing personal data. When they sign in you can refresh the auth cookie as well.

That said - realistically speaking, copying of the auth cookie is actually quite a low risk - especially if you have timeout set to a few days only. If someone has got into the situation where a worm/hacker/thief has access to their authentication cookies then they have much bigger problems already.

Upvotes: 0
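The two mechanisms Andras describes above, as one added example in C# for ASP.NET MVC 3 on .NET 4: binding the forms ticket to an HMAC of the User-Agent and client IP carried in the ticket's UserData (with a mismatch forcing a fresh login rather than a silent failure, which is the caveat he raises), and a separate session-only "signed in on this visit" cookie that gates money and personal-data actions. This is example code written for this page, not code from the answer or from the ASP.NET framework; the names ClientFingerprint, FingerprintAuthorizeAttribute, FreshSignIn and RequireFreshSignInAttribute, the fingerprintKey appSetting and the 30-minute fresh-sign-in window are assumptions.

```csharp
using System;
using System.Configuration;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Hypothetical helper: binds the forms-auth ticket to a fingerprint of the client.
public static class ClientFingerprint
{
    // Assumed appSetting. Keyed so the UserData value cannot be recomputed from UA+IP alone.
    private static readonly byte[] Key = Encoding.UTF8.GetBytes(
        ConfigurationManager.AppSettings["fingerprintKey"] ?? "set-fingerprintKey-in-web.config");

    public static string Compute(HttpRequestBase request)
    {
        // Caveat from the answer: UA changes on browser/OS updates and IP changes for roaming
        // or proxied users, so a mismatch must mean "log in again", never "locked out".
        string ua = request.UserAgent ?? "";
        string ip = request.UserHostAddress ?? "";
        using (var hmac = new HMACSHA256(Key))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(ua + "\n" + ip)));
    }

    // Use instead of FormsAuthentication.SetAuthCookie, which cannot carry UserData.
    public static void IssueAuthCookie(HttpContextBase ctx, string userName, bool persistent)
    {
        var ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.Add(FormsAuthentication.Timeout),
            persistent, Compute(ctx.Request), FormsAuthentication.FormsCookiePath);
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,
            Secure = FormsAuthentication.RequireSSL,   // true with requireSSL="true"
            Path = FormsAuthentication.FormsCookiePath
        };
        if (persistent) cookie.Expires = ticket.Expiration;
        ctx.Response.Cookies.Add(cookie);
    }
}

// Drop-in for [Authorize]: a ticket replayed from another UA/IP is rejected and cleared.
public class FingerprintAuthorizeAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (!base.AuthorizeCore(httpContext)) return false;
        var identity = httpContext.User.Identity as FormsIdentity;
        if (identity == null) return false;
        // The machineKey MAC already guarantees ticket integrity; an ordinal compare is enough.
        bool match = string.Equals(identity.Ticket.UserData,
                                   ClientFingerprint.Compute(httpContext.Request), StringComparison.Ordinal);
        if (!match) FormsAuthentication.SignOut();   // clear the replayed cookie, force re-login
        return match;
    }
}

// Second pattern from the answer: a session-only "signed in on this visit" cookie that sits
// beside the long-lived identity cookie and gates money/personal-data actions.
public static class FreshSignIn
{
    public const string CookieName = "FreshSignIn";
    private static readonly TimeSpan MaxAge = TimeSpan.FromMinutes(30);   // assumed window

    public static void Issue(HttpContextBase ctx, string userName)
    {
        // No Expires on the cookie: the browser discards it when closed. The short ticket
        // expiry bounds it server-side even if a client keeps the cookie around.
        var ticket = new FormsAuthenticationTicket(1, userName, DateTime.Now, DateTime.Now.Add(MaxAge),
                                                   false, "", FormsAuthentication.FormsCookiePath);
        ctx.Response.Cookies.Add(new HttpCookie(CookieName, FormsAuthentication.Encrypt(ticket))
            { HttpOnly = true, Secure = true, Path = FormsAuthentication.FormsCookiePath });
    }

    public static bool IsValid(HttpContextBase ctx)
    {
        var cookie = ctx.Request.Cookies[CookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return false;
        try
        {
            var ticket = FormsAuthentication.Decrypt(cookie.Value);
            return ticket != null && !ticket.Expired && ctx.User.Identity.IsAuthenticated
                && string.Equals(ticket.Name, ctx.User.Identity.Name, StringComparison.Ordinal);
        }
        catch (Exception) { return false; }   // Decrypt throws (or returns null) on tampered input
    }
}

// Put on sensitive actions: authenticated but not freshly signed in => sent to the login page.
public class RequireFreshSignInAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        return base.AuthorizeCore(httpContext) && FreshSignIn.IsValid(httpContext);
    }
}
```

In the login action, after the credential check, call ClientFingerprint.IssueAuthCookie(HttpContext, userName, rememberMe) and FreshSignIn.Issue(HttpContext, userName); decorate controllers with [FingerprintAuthorize] in place of [Authorize] and the money or personal-data actions with [RequireFreshSignIn]. With the fingerprint in place, a copied .ASPXAUTH cookie presented from a different browser or address fails AuthorizeCore and the user is sent back to the login page; the cost is the sign-outs on IP or User-Agent changes that the answer warns about, which is why the second, lighter pattern is there as an alternative.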

Darin Dimitrov

Reputation: 1039498

You can't do that with forms authentication. The whole concept around forms authentication is that it relies on cookies on the client to track authenticated users. This shouldn't be a concern for you because all major websites work this way - if you have a valid cookie, the client browser no longer matters. You don't even need to use a browser. You could write a console application sending an HTTP request to your site and sending the cookie along with this request, and the user will still be authenticated.

There's no risk that you should be concerned about. You've already done the necessary by enabling SSL meaning that this cookie will never be sent over an un-encrypted channel.

Upvotes: 4
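The console-application scenario Darin describes, as an added example written for this page (not the answer's code): a .ASPXAUTH value copied from an authenticated browser is replayed with HttpWebRequest, and the result is read from the status code. The host www.example.com, the /Account/Profile path and the cookie value are placeholders.

```csharp
using System;
using System.Net;

// Replays a forms-auth cookie from outside any browser. Host, path and cookie are placeholders.
class AuthCookieReplay
{
    static void Main(string[] args)
    {
        string host = args.Length > 0 ? args[0] : "www.example.com";
        string aspxauth = args.Length > 1 ? args[1] : "PASTE_COPIED_ASPXAUTH_VALUE";

        var jar = new CookieContainer();
        // Same name, path and domain the site issued it under; Secure so it only travels over TLS.
        jar.Add(new Cookie(".ASPXAUTH", aspxauth, "/", host) { Secure = true });

        var req = (HttpWebRequest)WebRequest.Create("https://" + host + "/Account/Profile");
        req.CookieContainer = jar;
        req.AllowAutoRedirect = false;   // forms auth answers a rejected cookie with a 302 to the login page

        try
        {
            using (var resp = (HttpWebResponse)req.GetResponse())
            {
                Console.WriteLine((int)resp.StatusCode + " " + resp.StatusDescription);
                if (resp.StatusCode == HttpStatusCode.OK)
                    Console.WriteLine("Cookie accepted: the server treats this process as the logged-in user.");
                else
                    Console.WriteLine("Cookie rejected, redirected to: " + resp.Headers["Location"]);
            }
        }
        catch (WebException ex)   // 4xx/5xx surface here rather than as a normal response
        {
            var resp = ex.Response as HttpWebResponse;
            Console.WriteLine(resp != null ? (int)resp.StatusCode + " " + resp.StatusDescription : ex.Message);
        }
    }
}
```

Run it with the host and a cookie value copied from a logged-in browser: a 200 on a page that requires authentication shows that the server accepts the ticket on its own merits, exactly as the answer says; a 302 with a Location pointing at the login page shows the cookie was rejected (expired, tampered, or issued under a different machineKey). Keeping AllowAutoRedirect off is what makes the two outcomes distinguishable, since following the redirect would otherwise return a 200 for the login page itself.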
