2
votes

In asp.net, I am able to log in using forms authentication as usual, copy our auth cookie value, log out, add the cookie artificially to the client using the 'Edit This Cookie' addon for Chrome, refresh the (anonymous) landing page and hey presto I'm logged in again. This seems to be a vulnerability - is there any way of fixing it using the standard forms auth or will I have to do something like use a custom Authorize attribute which overrides the existing one in asp.net mvc?

3
Have you enabled cookie protection mechanism in web.config before doing this? - Furqan Hameedi
<forms protection="All" is set if that's what you mean - DavidWainwright
That's cookie stealing! In first case you should not allow anyone to copy the cookie :) - VJAI
How does this question differ from "if someone copies my door key, they can enter my home. How do I fix that?"? - Anders Lindén

3 Answers

3
votes

I don't think this is a bug per se. The following happens during forms authentication:

  1. You provide a username/password to the server
  2. Server validates username/password
  3. If valid, the server then sends an encrypted authentication ticket (cookie) to the client with the expiration time (set in the web.config forms authentication section) and username (all encrypted)
  4. On each request that requires authorization, the cookie is decrypted on the server, expiration time is checked and username is used to see if authorized (or getting that role for the requested resource).
  5. When you log out, the expiration time on the cookie is set in the past, therefore, it is no longer a valid cookie

Now, as to why you are seeing what you are seeing... You are copying the cookie before you log out. Thus your copied cookie never registers the logout (moved expiration time). When you reattach, you still have a valid auth cookie. Now, if your forms authentication timeout is set to...let's say 20 minutes...this method would fail if you copy the cookie and wait 21 minutes as by that time, it has expired.
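
The ticket lifecycle described in this answer, modelled in Python as an added example (not code from the post or from ASP.NET): an HMAC-signed ticket stands in for the encrypted forms-auth ticket, and `RevokingSite` with its ticket id is a hypothetical server-side fix. All names and the key are constructed for the illustration.

```python
import base64, hashlib, hmac, json

SERVER_KEY = b"constructed-demo-key"   # constructed; stands in for the server's key
TIMEOUT = 20 * 60                      # 20-minute timeout, as in the answer

def issue_ticket(username, now, ticket_id):
    """Steps 1-3: after validating credentials, hand the client a protected ticket."""
    body = json.dumps({"id": ticket_id, "user": username, "exp": now + TIMEOUT}).encode()
    mac = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac + body).decode()

def read_ticket(cookie, now):
    """Step 4: verify integrity and expiry using only what the cookie carries."""
    try:
        raw = base64.urlsafe_b64decode(cookie.encode())
    except ValueError:
        return None
    mac, body = raw[:32], raw[32:]
    if not hmac.compare_digest(mac, hmac.new(SERVER_KEY, body, hashlib.sha256).digest()):
        return None                    # tampered or forged
    ticket = json.loads(body)
    return ticket if now < ticket["exp"] else None

class StatelessSite:
    """Step 5 as described: logout only makes the browser drop its cookie."""
    def authenticate(self, cookie, now):
        ticket = read_ticket(cookie, now)
        return ticket["user"] if ticket else None
    def logout(self, cookie, now):
        return ""                      # value sent back to overwrite the browser's cookie

class RevokingSite(StatelessSite):
    """Hypothetical hardening: remember logged-out ticket ids until they expire."""
    def __init__(self):
        self.revoked = {}              # ticket id -> expiry time
    def authenticate(self, cookie, now):
        ticket = read_ticket(cookie, now)
        if ticket is None or ticket["id"] in self.revoked:
            return None
        return ticket["user"]
    def logout(self, cookie, now):
        ticket = read_ticket(cookie, now)
        if ticket:
            self.revoked[ticket["id"]] = ticket["exp"]
        # forget entries whose tickets would be rejected as expired anyway
        self.revoked = {i: e for i, e in self.revoked.items() if e > now}
        return ""
```

With `StatelessSite`, a ticket copied before logout keeps authenticating until its 20-minute expiry; with `RevokingSite` it is rejected as soon as the logout has been processed.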

1
votes

Cookies are always vulnerable and we can't do much about that. What we can do is prevent someone from stealing the cookies.

Regarding ASP.NET MVC it does a good job to avoid stealing cookies. Some of the main things it does by default as part of security are:

  1. Encode the strings that are rendered to the view (if you are using Razor; don't know about others) to prevent XSS attacks.

  2. Request validation (stop potentially dangerous data ever reaching the application).

  3. Preventing GET access for JSON data.

  4. Preventing CSRF Using the Antiforgery Helpers

Regarding cookies, Microsoft provides the HttpOnly feature and this helps to hide the cookies from JavaScript. The Forms authentication cookie that you are talking about is an HttpOnly cookie, which means someone can't steal it through JavaScript, and it's safer.

0
votes

You can do that with any cookie/s. You can inspect/copy all the cookies from any given domain, and spoof if you want. You can do that to yourself (only) because it's your PC (or user logged in to PC). Obviously if you're on a shared PC, that is a problem (across all your info).

The act of "copying your cookie" is in fact one way malware attempts to steal/hijack your identity (or current session on some web site). That said, unless you have some malware, you can't just "copy cookies" of someone else.

Assuming logout is done, you can ask users to close their browsers so the expired cookie is removed from the (file) system.