Dev X

Reputation: 119

MVC Identity Cookie Security best practices for localhost developing and deployment

I have multiple ASP MVC projects on my computer, and each one of them uses the Identity framework along with various controllers that have the [Authorize] attribute.

I find that if I log in with one project, then debug another on localhost, I can bypass the security in the other projects.

I understand that this is because there is just one cookie for localhost, but is there any easy way to get around this for debugging purposes, and are there any security concerns when deploying to the public internet?

Upvotes: 0

Views: 504

Answers (2)

Tieson T.

Reputation: 21191

The cookies ASP.NET generates for authentication are encrypted, so not just any code can read the cookie values. If you haven't changed any of the default settings in the various web projects, then they are all using the same name, and (when run locally) being encrypted with the same keys. You can avoid this by

  • (a) giving each site a unique cookie name and
  • (b) adding a unique machine key to each site (assuming this isn't a .NET Core app).

Even just doing (b) would keep the various sites from reading each other's cookie, although then you'd be dealing with exceptions, since every site that didn't create the cookie would try and fail to decrypt the cookie.

Without a machine key, ASP.NET uses automatically-generated keys for encryption and decryption of things like the auth token and viewstate values; as long as each site has its own app pool, you should not see auth cookies being shared across sites. You see shared auth sessions locally because you're running a single instance of Cassini/IIS.

I built a simple site for generating machineKey pairs (should probably move it to HTTPS at some point), or you can use the code from its GitHub project to generate your keys locally.

Upvotes: 0
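As an added example (not code from the question, from this answer, or from the linked machineKey project), a small C# console program that generates a unique machineKey element for one site locally with the framework's CSPRNG; the key lengths (64 bytes for HMACSHA256 validation, 32 bytes for AES decryption) and the element layout are assumptions, and the output is meant to be pasted under that site's system.web section so its auth cookies cannot be decrypted by another site on the same host name.

```csharp
using System;
using System.Security.Cryptography;

// Added example, not the answer's or the linked project's code.
// Each ASP.NET (non-Core) site gets its own <machineKey>, so a cookie
// issued by one site fails validation/decryption on every other site.
public static class MachineKeyGenerator
{
    // Hex-encodes byteCount random bytes from the platform CSPRNG.
    public static string RandomHex(int byteCount)
    {
        var bytes = new byte[byteCount];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(bytes);
        }
        return BitConverter.ToString(bytes).Replace("-", string.Empty);
    }

    // Builds the web.config element. Key sizes are assumptions:
    // 64 bytes for the HMACSHA256 validation key, 32 bytes for AES-256.
    public static string MachineKeyElement()
    {
        return "<machineKey validationKey=\"" + RandomHex(64) + "\""
             + " decryptionKey=\"" + RandomHex(32) + "\""
             + " validation=\"HMACSHA256\" decryption=\"AES\" />";
    }

    public static void Main()
    {
        // Run once per site; never reuse the output between sites.
        Console.WriteLine(MachineKeyElement());
    }
}
```

Pair this with a distinct CookieName per site so the sites do not even attempt to read each other's cookie.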

trailmax

Reputation: 35106

As @TiesonT says, you need to rename the authentication cookie for each of your applications. You can do it in Startup.Auth.cs:

app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    // other properties
    CookieName = "MyCookieName",
});

Alternatively, you can set up your applications on your dev machine in IIS and give each its own domain name through the hosts file, e.g. MyApplication.dev, MyOtherApplication.dev.

Upvotes: 1
