George2

Reputation: 45761

Forms authentication security risk

I am using VSTS 2008 + C# + .Net 3.5 + IIS 7.0 + ASP.Net. In my understanding of Forms authentication, a session variable (used as the authentication identifier -- i.e. when a user has passed authentication, the user will have such a session variable, and the session variable is implemented as a cookie) is established for the authenticated user.

My concern with this mode is that each time the user accesses a page in the web site, the session variable will be transferred to the server side. It may be sniffed by a hacker, and the hacker could use such a session variable to pretend to be the end user? Is that a security risk?

If it is a security risk, then we have to use https all the time with Forms authentication?

thanks in advance, George

Upvotes: 3

Views: 3232

Answers (5)

Joao Leme

Reputation: 9888

Yes! Just make sure to add: requireSSL="true" on your web.config forms tag

<authentication mode="Forms">
  <forms loginUrl="~/Account/LogOn" timeout="2880" requireSSL="true" />
</authentication>

Then you can also use some rewrite rules to make sure https is used on pages or directories that require authentication. On MVC you can use the [RequireHttps] filter attribute.

<!-- IIS URL Rewrite configuration; goes inside <system.webServer> in web.config -->
<rewrite>
  <rewriteMaps>
    <!-- Map of individual pages that must be served over HTTPS -->
    <rewriteMap name="SSL_Required_pages" defaultValue="">
      <add key="/simulacao-seguro-automovel.aspx" value="/simulacao-seguro-automovel.aspx" />
    </rewriteMap>
  </rewriteMaps>
  <rules>
    <!-- Redirect a mapped page to HTTPS when it is requested over plain HTTP -->
    <rule name="Enforce SSL pages">
      <match url="(.*)" />
      <conditions>
        <add input="{SSL_Required_pages:{HTTP_URL}}" pattern="(.+)" />
        <add input="{HTTPS}" pattern="off" />
        <add input="{HTTP_HOST}" pattern="mysite\.com" />
      </conditions>
      <action type="Redirect" url="https://mysite.com/{R:1}" redirectType="Permanent" />
    </rule>
    <!-- Redirect whole directories (admin area, contact form) to HTTPS -->
    <rule name="Enforce SSL to secure directories">
      <match url="(.*)" />
      <conditions>
        <add input="{PATH_INFO}" pattern="^/admin/|^/admin|^/fale-conosco/|^/fale-conosco" />
        <add input="{HTTPS}" pattern="off" />
        <add input="{HTTP_HOST}" pattern="mysite\.com" />
      </conditions>
      <action type="Redirect" url="https://www.mysite.com/{R:1}" redirectType="Permanent" />
    </rule>
  </rules>
</rewrite>

Upvotes: 0

blowdart

Reputation: 56490

The user's session ID is not used as part of the authentication cookie - the authentication cookie, and the session cookie are separate. So if parts of your web site required authentication then the session ID would not be enough to get in.

Having said that, if a hacker is sniffing traffic then they're going to see the authentication cookie as well, and so could recreate both.

Upvotes: 3

G Berdal

Reputation: 1164

I've had similar concerns in connection to a request from one of our partners... ( See in details here: https://stackoverflow.com/questions/1367574/rewriting-urls-using-reverse-proxy )

As it turns out, this "legitimate" process is actually using a hacking method called the "middle man". It technically pretends to be the user by keeping the cookie ID in its own session context while dealing with the server and keeps a separate one for the client computer.

So, in theory it could be done and it is a threat. Using SSL is the right way to go in my opinion if the data is in any way sensitive.


Funny enough in this Microsoft Support article http://support.microsoft.com/kb/910443 the phrasing makes you believe that it is actually the same for each request...

Forms authentication cookie is nothing but the container for forms authentication ticket. The ticket is passed as the value of the forms authentication cookie with each request and is used by forms authentication, on the server, to identify an authenticated user.

The cookie could be encrypted, using 3DES encryption. This could be enabled by setting the protection attribute to Validation of the authentication section of the web.config file. Using this setting the server verifies the data on the cookie for each transaction. This adds a little overhead though...

Upvotes: 2
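As an added example (not code from this thread), a small Python check that parses a web.config and flags the settings discussed in Joao Leme's and G Berdal's answers: requireSSL on the forms tag, the cookieless mode, the protection attribute, and httpOnlyCookies. Both web.config samples are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: forms authentication left at the weak settings the thread warns about.
WEAK_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="~/Account/LogOn" timeout="2880"
             cookieless="AutoDetect" protection="Validation" />
    </authentication>
  </system.web>
</configuration>"""

# Constructed sample: requireSSL="true" as in the answer above, plus HttpOnly cookies
# and full (encrypt + validate) ticket protection.
HARDENED_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="~/Account/LogOn" timeout="2880" requireSSL="true"
             cookieless="UseCookies" protection="All" />
    </authentication>
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>
</configuration>"""


def audit_forms_auth(config_xml):
    """Return a list of findings about how the forms-auth ticket cookie is protected."""
    root = ET.fromstring(config_xml)
    findings = []
    auth = root.find("./system.web/authentication")
    if auth is None or auth.get("mode", "").lower() != "forms":
        return findings  # not forms authentication: nothing to audit here
    forms = auth.find("forms")
    attrs = {k.lower(): v.lower() for k, v in (forms.attrib if forms is not None else {}).items()}
    # requireSSL sets the Secure flag, so the browser never sends the ticket over plain HTTP
    if attrs.get("requiressl") != "true":
        findings.append("forms requireSSL is not true: ticket cookie can travel over HTTP")
    # any cookieless mode other than UseCookies may carry the ticket in the URL
    if attrs.get("cookieless", "usedeviceprofile") != "usecookies":
        findings.append("forms cookieless is not UseCookies: ticket may be placed in the URL")
    # protection="All" (the default) both encrypts and signs the ticket; Validation only signs it
    if attrs.get("protection", "all") != "all":
        findings.append("forms protection is not All: ticket is not both encrypted and validated")
    cookies = root.find("./system.web/httpCookies")
    if cookies is None or cookies.get("httpOnlyCookies", "").lower() != "true":
        findings.append("httpCookies httpOnlyCookies is not true: cookies not forced to HttpOnly")
    return findings
```

Running audit_forms_auth over a real web.config gives an empty list only when all four settings are in place; requireSSL alone does not stop the ticket from being sent in the URL if cookieless mode falls back to UseUri.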

Guffa

Reputation: 700152

Yes, a session id can be stolen by sniffing the traffic, so there is a security risk involved with using the session for identification. It's generally considered to be safe enough for non-critical sites, but if you have a site where the security is critical (banking, etc.) you need to use SSL to be safe enough.

Upvotes: 2

Robban

Reputation: 6802

You could refer to this question for some more information. This is a potential security risk and to provide a truly secure connection you would have to use HTTPS.

Upvotes: 2
