asp.net - what does forms authentication protect, as opposed to using session variable -


i'm working on application uses session variable keep track of users, checking on master page it's existence otherwise knocking them out login. wanted change on form authentication read more secure , data encrypted.

can tell me data encrypted? tried setting forms authentication on site, works fine, users being tracked , can't access pages without logging in. however, when @ request body, using fiddler, see forms fields , there content. can't hacker use change data , resubmit request, cookie generated session variable? application not using ssl, understand ssl encrypt body, thought that's forms authentication also. otherwise encrypt, session id in cookie?

here code using:

    <authentication mode="forms">   <forms loginurl="default.aspx" name=".aspxformsauth_test" defaulturl="home.aspx" protection="all"/> </authentication> <authorization>   <deny users="?"/> </authorization>

in login page tried manually create cookie:

                    formsauthenticationticket ticket = new formsauthenticationticket(1,                     txtemail.text,                     datetime.now,                     datetime.now.addminutes(30),                     false,                     txtemail.text,                     formsauthentication.formscookiepath);                  // encrypt ticket.                 string encticket = formsauthentication.encrypt(ticket);                  // create cookie.                 response.cookies.add(new httpcookie(formsauthentication.formscookiename, encticket));                  // redirect original url.                 response.redirect(formsauthentication.getredirecturl(txtemail.text, false));

i had tried:

formsauthentication.redirectfromloginpage(txtemail.text, false);

eariler, got same results, request body in fiddler shows fields being submitted , contents.

you should not handle user credentials or other sensitive data without ssl.

whether or not use ssl, data posted visible client, , can "faked". ssl (if used properly) can protect "the man in middle" listening in communication, it's important realize it's of close no use @ if not rigorously implemented, , therefore should consider using strict transport security, if it's not supported browsers.

the session id not "encrypted", session id (in practice) cannot "guessed". http(s) stateless, , there no way can determine if request client in malicious or not. request carry cookies client, encrypted or not (of course, if data inside cookie encrypted it's hard fake it's contents).

what can , should done try , protect cookies escaping proper context, being subject e.g. xss , csrf attacks. formsauthentication uses http cookies default. ensure cookies on web http only, put following in web.config:

<httpcookies httponlycookies="true" />

to ensure cookies bound secure connection, use:

<httpcookies requiressl="true" />

now, main reason should use forms authentication before own it's proven solution. broken authentication , session management no 2 on owasp top 10, because it's harder think right.

forms authentication adds benefit of being configurable, , encrypting user credentials in store (if tell so). standard implementations no means bullet proof in light of modern gpu based brute force possibilities, @ least it's not done wrong.

if want know more how standard implementation goes business, can use of freely available decompilers.


Comments

Post a Comment

Popular posts from this blog

jquery - How can I dynamically add a browser tab? -

since using iframes house external pages are, accounts "not preferred method" , disallowed sites (flickr, one), want dynamically generate browser tabs. e.g., when user submits form, want dynamically generate tab on browser in response submitted. e.g., might want add new tab url like: http://www.bigsurgarrapata.com/contact how in jquery? you want form target attribute action attribute. http://www.w3schools.com/tags/att_form_target.asp browsers have ultimate control on result of target attribute open new tab value of _blank. <form action="contact_submit.php" target="_blank" method="post">
Read more

node.js - Getting the socket id,user id pair of a logged in user(s) -

i have web application done using node js , in it,i have authentication system requires users log in before can access pages. have 2 pages,the homepage , updates page. from read docs,a new socket id issued when user opens tab in browser. me being admin,i know socket id of logged in user , more so,the socket id,logged in user id pair logged in users. what method can use socket id,logged in user id pair make sure broadcast realtime info users online?.
Read more

keyboard - C++ GetAsyncKeyState alternative -

i using windows.h library's getasynckeystate function define key pushed on keyboard . here program returns int value of pushed key example. #include <iostream> #include <windows.h> using namespace std; int main (){ char i; for(i=8;i<190;i++){ if(getasynckeystate(i)== -32767){ cout<<int (i)<<endl; } } return 0; } but trying make opengl simple game , function appeared slow . there function not need cycle 180 times , if statement . thanks you're trying make opengl game, you're going use glfw. if that's case can away using glfwgetkey() such: if (glfwgetkey(glfw_key_up) == glfw_press) {...} if (glfwgetkey(glfw_key_down) == glfw_press) {...} that method nicely explained in tutorial 6 opengl-tutorial.org . should start first tutorial of beginners tutorials , later intermediate tutorials . if you're going make win32 window can listen wm_keydown or wm_keyup messages , virtua
Read more