FormsAuthenticationTicket cannot be invalidated se

Posted 2019-07-04 05:28

Question:

I have an ASP.NET web application using forms membership authentication. We have recently been penetration tested and an issue that was flagged was the ability to steal a user's account. If the .ASPXAUTH cookie value was copied from a user before logging out, a user could log in as a different user, edit their cookie to match the copied value and get all of their privileges.

On logging out I have tried:

  • Removing the cookie. I could successfully do this but it doesn't invalidate the FormsAuthenticationTicket.
  • Using FormsAuthentication.SignOut(), but found it does not prevent the attack.

I personally don't see this as a problem; I believe the only way it could be stolen is if a user manages to gain access to an authenticated user. That said, I need to fix this problem to appease the penetration testers.

Any ideas would be greatly appreciated! Thanks

Answer 1:

On logging out I have tried: Removing the cookie.
I could successfully do this but it doesn't invalidate the FormsAuthenticationTicket.

Actually, when you remove the cookie, you remove it from your user - you cannot de-activate it, so if someone gets it, he can still use it.

The solutions can be:

  • Save the status of the authentication cookie on the server as well.
  • Connect the status of the logged-in user with their session.

Read more about it here: Can some hacker steal the cookie from a user and login with that name on a web site?

and Form Authentication - Cookie replay attack - protection

and http://support.microsoft.com/default.aspx?scid=kb;en-us;900111
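
Answer 1's first suggestion (keeping the ticket's status on the server), as an added example that is not part of the original thread: each ticket carries a random id in its UserData, and a request is treated as anonymous once that id is no longer on record. `TicketRegistry` and its method names are hypothetical, and the in-memory dictionary is an assumption that only suits a single server.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Principal;
using System.Web;
using System.Web.Security;
// Hypothetical helper (not a framework class): server-side record of live tickets.
public static class TicketRegistry
{
    // ticket id -> user name. In-memory is an assumption for illustration;
    // a web farm needs a shared store, and stale ids should be purged.
    static readonly ConcurrentDictionary<string, string> Live =
        new ConcurrentDictionary<string, string>();
    // Login: put a random id in the ticket's UserData and remember it here.
    public static void SignIn(HttpContext context, string userName)
    {
        string id = Guid.NewGuid().ToString("N");
        var ticket = new FormsAuthenticationTicket(1, userName, DateTime.Now,
            DateTime.Now.Add(FormsAuthentication.Timeout), false, id,
            FormsAuthentication.FormsCookiePath);
        Live[id] = userName;
        context.Response.Cookies.Add(new HttpCookie(
            FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket))
            { HttpOnly = true, Secure = FormsAuthentication.RequireSSL });
    }
    // Logout: forget the id so a copied cookie stops working, then clear the cookie.
    public static void SignOut(IPrincipal user)
    {
        var identity = user == null ? null : user.Identity as FormsIdentity;
        string ignored;
        if (identity != null) Live.TryRemove(identity.Ticket.UserData, out ignored);
        FormsAuthentication.SignOut();
    }
    public static bool IsLive(FormsAuthenticationTicket ticket)
    {
        string owner;
        return Live.TryGetValue(ticket.UserData, out owner) && owner == ticket.Name;
    }
}

// Global.asax.cs: runs after FormsAuthenticationModule has decrypted the cookie.
public class Global : HttpApplication
{
    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        var identity = Context.User == null ? null : Context.User.Identity as FormsIdentity;
        if (identity != null && !TicketRegistry.IsLive(identity.Ticket))
            Context.User = new GenericPrincipal(new GenericIdentity(""), new string[0]);
    }
}
```

Login code has to issue its cookie through `TicketRegistry.SignIn` rather than `FormsAuthentication.SetAuthCookie`, because a ticket without a registered id is treated as anonymous.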



Answer 2:

I think the only real way around this is to use SSL to protect the cookies.

Even if you do something to invalidate the cookie server-side on logout, that doesn't prevent someone from replaying the cookie while the legit user is still logged in. This means any other solutions will leave you vulnerable. Maybe not for too long a time, but for some window.