Paritosh

Reputation: 4503

What does Forms Authentication protect, as opposed to using a Session variable?

I'm working on an application which uses the Session variable to keep track of users, checking on the master page for its existence, otherwise knocking them out to login. I wanted to change this over to Forms Authentication as I read it was more secure and the data is encrypted.

Can someone tell me what data is actually encrypted? I tried setting up Forms Authentication on my site; it works fine, users are being tracked properly and can't access pages without logging in. However, when I look at the Request Body using Fiddler, I see all the form fields and their content. Can't a hacker use that to change the data and resubmit the request, like they would with a cookie generated from a Session variable? This application is not using SSL, so I understand SSL would encrypt the body, but I thought that's what Forms Authentication would do also. Otherwise what does it encrypt, just the Session ID in the cookie?

Here is the code I was using:

    <authentication mode="Forms">
      <forms loginUrl="default.aspx" name=".ASPXFORMSAUTH_Test" defaultUrl="home.aspx" protection="All"/>
    </authentication>
    <authorization>
      <deny users="?"/>
    </authorization>

In the login page I tried to manually create the cookie:

    // At the top of the code-behind file: using System; using System.Web; using System.Web.Security;
    // This runs in the login button handler, after the submitted credentials have been checked.
    FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
        1,                            // ticket version
        txtEmail.Text,                // user name
        DateTime.Now,                 // issue date
        DateTime.Now.AddMinutes(30),  // expiration
        false,                        // not persistent across browser sessions
        txtEmail.Text,                // user data stored in the ticket
        FormsAuthentication.FormsCookiePath);

    // Encrypt the ticket (and MAC-sign it, since protection="All").
    string encTicket = FormsAuthentication.Encrypt(ticket);

    // Create the cookie.
    Response.Cookies.Add(new HttpCookie(FormsAuthentication.FormsCookieName, encTicket));

    // Redirect back to original URL.
    Response.Redirect(FormsAuthentication.GetRedirectUrl(txtEmail.Text, false));

I had also tried:

    FormsAuthentication.RedirectFromLoginPage(txtEmail.Text, false);

earlier, and got the same results: the request body in Fiddler shows all fields being submitted and their contents.

Upvotes: 8

Views: 3508

Answers (3)

Oskar Lindberg

Reputation: 2294

You should not handle user credentials or other sensitive data without SSL.

Whether or not you use SSL, the data posted is always visible from the client, and can always be "faked". SSL (if used properly) can protect from "the man in the middle" listening in to the communication, but it's important to realize that it's of close to no use at all if not rigorously implemented, and therefore you should also consider using Strict Transport Security, even if it's not supported by all browsers.

The session ID is not "encrypted", but a session ID (in practice) cannot be "guessed". HTTP(S) is stateless, and there is no way you can determine if a request from a certain client in itself is malicious or not. Any request will carry all the cookies from the client, encrypted or not (of course, if the data inside a cookie is encrypted it's hard to fake its contents).

What can and should be done is to try and protect cookies from escaping their proper context, being subject to e.g. XSS and CSRF attacks. FormsAuthentication uses HttpOnly for its cookies by default. To ensure all cookies on your web are HttpOnly, put the following in your web.config:

    <httpCookies httpOnlyCookies="true" />

To ensure all cookies are bound to a secure connection, use:

    <httpCookies requireSSL="true" />

Now, the main reason you should use Forms Authentication over your own is that it's a proven solution. Broken authentication and session management is No. 2 on the OWASP Top 10, simply because it's harder than you think to get it right.

Forms Authentication also adds the benefit of being very configurable, and properly encrypting the user credentials in store (if you tell it to do so). The standard implementations are by no means bulletproof in the light of modern GPU-based brute force possibilities, but at least it's not done wrong.

If you want to know more about how the standard implementation goes about its business, you can use any of the freely available decompilers.

Upvotes: 2
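As an added example (not code from the question or from either answer), here is the same FormsAuthentication API with the cookie flags recommended above set explicitly, plus the server-side step that rejects an edited ticket. The class and method names are my own; it assumes `<forms protection="All"/>` so that `Encrypt()` both encrypts and MAC-signs the ticket with the machineKey.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Hypothetical helper class around the API the question uses.
public static class FormsAuthCookies
{
    // Call only after the login page has verified the submitted password.
    public static HttpCookie CreateAuthCookie(string userName, string userData, bool persistent)
    {
        var ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.AddMinutes(30),
            persistent, userData, FormsAuthentication.FormsCookiePath);

        // Only this value is protected; the POSTed form fields are sent in the clear.
        string encTicket = FormsAuthentication.Encrypt(ticket);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encTicket)
        {
            HttpOnly = true,                          // unreadable by page script (XSS)
            Secure = FormsAuthentication.RequireSSL,  // HTTPS only when requireSSL="true"
            Path = FormsAuthentication.FormsCookiePath
        };
        if (persistent)
            cookie.Expires = ticket.Expiration;       // otherwise a session cookie
        return cookie;
    }

    // Server-side check of the cookie value a client presented. A value edited in the
    // browser or in a proxy fails the MAC check; depending on the framework version
    // Decrypt() then throws or returns null, and both cases mean "not logged in".
    public static string AuthenticatedUser(string cookieValue)
    {
        if (string.IsNullOrEmpty(cookieValue))
            return null;
        try
        {
            FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(cookieValue);
            if (ticket == null || ticket.Expired)
                return null;
            return ticket.Name;
        }
        catch (Exception)
        {
            return null;  // malformed or tampered ticket
        }
    }
}
```

What Fiddler shows in the request body is the login form's own fields; the identity the server trusts is only the MAC-protected cookie value, which is why the check in `AuthenticatedUser`, not the form fields, decides who is logged in.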

Knaģis

Reputation: 21475

Switching your approach to Forms Authentication will not make it more secure. It will mean that you will be using a more standardized authentication mechanism so that it is easier to audit your software for authentication-related issues.

Also, FormsAuthentication is usually able to work even when the Session expires for the user (or the application pool recycles), since it stores the user data in an encrypted cookie with its own expiration policy.

Upvotes: 2

Brian Mains

Reputation: 50728

Forms authentication uses the FormsAuthentication object to set a cookie for the user. The cookie contains the identifying information of the user. I'm not sure whether that cookie is HttpOnly, as HttpOnly cookies are only available on the server, not the client. These cookies are decrypted on the server; it grabs your user ID, etc.

So if it's not an HttpOnly cookie, that could be a problem, with the exception that the information is encrypted, so the user would have to decrypt it and know the underlying key. With Session, I thought only the session ID was tracked securely, not the actual info. The user's info is still stored on the server.

Lastly, the first and most important defense that people mention these days is SSL. You can get certificates for as cheap as $10 from what I found...

Upvotes: 1
