asp.net - What does forms authentication protect, as opposed to using a session variable?
I'm working on an application that uses a session variable to keep track of users, checking on the master page for its existence and otherwise knocking them out to the login page. I wanted to change to forms authentication because I read it is more secure and the data is encrypted.

Can someone tell me what data is encrypted? I tried setting up forms authentication on the site, and it works fine: users are being tracked and can't access pages without logging in. However, when I look at the request body using Fiddler, I see the form fields and their content. Can't a hacker use this to change the data and resubmit the request, just as with the cookie generated for the session variable? The application is not using SSL; I understand SSL encrypts the body, but I thought that's what forms authentication did also. Otherwise, what does it encrypt, the session ID in the cookie?

Here is the code I am using:

```xml
<authentication mode="Forms">
  <forms loginUrl="default.aspx" name=".aspxformsauth_test" defaultUrl="home.aspx" protection="All"/>
</authentication>
<authorization>
  <deny users="?"/>
</authorization>
```

In the login page I tried to manually create the cookie:

```csharp
FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
    1, txtEmail.Text, DateTime.Now, DateTime.Now.AddMinutes(30),
    false, txtEmail.Text, FormsAuthentication.FormsCookiePath);
// Encrypt the ticket.
string encTicket = FormsAuthentication.Encrypt(ticket);
// Create the cookie.
Response.Cookies.Add(new HttpCookie(FormsAuthentication.FormsCookieName, encTicket));
// Redirect to the original URL.
Response.Redirect(FormsAuthentication.GetRedirectUrl(txtEmail.Text, false));
```

I had also tried:

```csharp
FormsAuthentication.RedirectFromLoginPage(txtEmail.Text, false);
```

earlier, and got the same results: the request body in Fiddler shows the fields being submitted and their contents.
You should not handle user credentials or other sensitive data without SSL.

Whether or not you use SSL, data posted is visible to the client, and can be "faked". SSL (if used properly) can protect against "the man in the middle" listening in on the communication, but it's important to realize it's of close to no use at all if not rigorously implemented, and therefore you should consider using Strict Transport Security, even if it's not supported by all browsers.

The session ID is not "encrypted", but the session ID (in practice) cannot be "guessed". HTTP(S) is stateless, and there is no way you can determine if a request from a client is malicious or not. The request will carry the cookies from the client, encrypted or not (of course, if the data inside the cookie is encrypted it's hard to fake its contents).

What can and should be done is to try and protect the cookies from escaping their proper context, being subject to e.g. XSS and CSRF attacks. FormsAuthentication uses HTTP cookies by default. To ensure cookies on the web are HTTP only, put the following in web.config:

```xml
<httpCookies httpOnlyCookies="true" />
```

To ensure cookies are bound to a secure connection, use:

```xml
<httpCookies requireSSL="true" />
```

Now, the main reason you should use forms authentication before your own is that it's a proven solution. Broken authentication and session management is no. 2 on the OWASP Top 10, because it's harder to get right than you'd think.

Forms authentication adds the benefit of being configurable, and encrypting user credentials in the store (if you tell it to do so). The standard implementations are by no means bullet proof in light of modern GPU based brute force possibilities, but at least it's not done wrong.

If you want to know more about how the standard implementation goes about its business, you can use one of the freely available decompilers.
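The answer's point in code, added here as an example that is not from the question or the answer: the login page issues the forms ticket with HttpOnly and Secure set on the cookie, and a check shows that a ticket altered by the client fails FormsAuthentication.Decrypt, which is why the visible form fields in Fiddler do not let anyone forge the authentication cookie. IssueAuthCookie and TamperedTicketIsRejected are hypothetical names, and the code assumes the submitted credentials have already been verified against the user store before IssueAuthCookie is called.

```csharp
using System;
using System.Web;
using System.Web.Security;

public partial class Login : System.Web.UI.Page
{
    // Hypothetical helper: call it only after the submitted credentials have been
    // verified against the user store (that lookup is not shown here).
    private void IssueAuthCookie(string userName)
    {
        var ticket = new FormsAuthenticationTicket(
            1,                              // ticket version
            userName,
            DateTime.Now,
            DateTime.Now.AddMinutes(30),
            false,                          // not persistent
            string.Empty,                   // no user data carried in the ticket
            FormsAuthentication.FormsCookiePath);

        // With protection="All" the ticket is encrypted and signed with the machine key,
        // so the client can neither read its contents nor change them unnoticed.
        string encTicket = FormsAuthentication.Encrypt(ticket);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encTicket)
        {
            HttpOnly = true,                          // same effect as httpOnlyCookies="true"
            Secure = FormsAuthentication.RequireSSL,  // mirrors the <forms> requireSSL setting
            Path = FormsAuthentication.FormsCookiePath
        };
        Response.Cookies.Add(cookie);

        // endResponse: false avoids the ThreadAbortException that Redirect(url) raises.
        Response.Redirect(FormsAuthentication.GetRedirectUrl(userName, false), false);
    }

    // Changing a single character of the encrypted value breaks the signature check in
    // Decrypt, which then returns null (or throws on older framework versions), so a
    // client that edits the cookie only logs itself out.
    public static bool TamperedTicketIsRejected(string encTicket)
    {
        if (string.IsNullOrEmpty(encTicket)) return false;
        char[] chars = encTicket.ToCharArray();
        chars[0] = chars[0] == 'A' ? 'B' : 'A';
        try
        {
            return FormsAuthentication.Decrypt(new string(chars)) == null;
        }
        catch (Exception)
        {
            return true;
        }
    }
}
```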