Forms Authentication Cookie value vulnerability in

2019-08-10 20:41发布

In asp.net, I am able to login using forms authentication as usual, copy our auth cookie value, log out, add the cookie artificially to the client using the 'Edit This Cookie' addon for Chrome, refresh the (anonymous) landing page and hey presto i'm logged in again. This seems to be a vulnerability - is there any way of fixing it using the the standard forms auth or will I have to do something like use a custom Authorize attribute which overrides the existing one in asp.net mvc?

3条回答
The star\"
2楼-- · 2019-08-10 21:23

You can do that with any cookie/s. You can inspect/copy all the cookies from any given domain, and spoof if you want. You can do that to yourself (only) because its your PC (or user logged in to PC). Obviously if you're on a shared PC, that is a problem (across all your info).

The act of "copying your cookie" is in fact one way malware attempts to steal/hijack your identity (or current session on some web site). That said, unless you have some malware, you can't just "copy cookies" of someone else.

Assuming logout is done, you can ask users to close their browsers so the expired cookie is removed from the (file) system.

查看更多
贪生不怕死
3楼-- · 2019-08-10 21:24

Cookies are always vulerable and we can't do much about that. What we can do is prevent someone from stealing the cookies.

Regarding ASP.NET MVC it does a good job to avoid stealing cookies. Some of the main things it does by default as part of security are:

  1. Encode the strings that are rendered to the view (if you are using Razor don't know about others) to prevent from XSS attacks.

  2. Request validation (stop potentially dangerous data ever reaching the application).

  3. Preventing GET access for JSON data.

  4. Preventing CSRF Using the Antiforgery Helpers

Regarding cookies Microsoft provides HttpOnly feature and this helps to hide the cookies from javascript. The Forms authentication that you are talking about is a HttpOnly cookie means someone can't steal that through JavaScript and it's more safe.

查看更多
Rolldiameter
4楼-- · 2019-08-10 21:43

I don't think this is a bug per se. The following happens during forms authentication

  1. You provide a username/password to the server
  2. Server validates username/password
  3. If valid, the server then sends an encrypted authentication ticket (cookie) to the client with the expiration time (set in the web.config forms authentication section) and username (all encrypted)
  4. On each request that requires authorization, the cookie is decrypted on the server, expiration time is checked and username is used to see if authorized (or getting that role for the requested resource).
  5. When you logout, the expiration time on the cookie is set in the past, therefore, it is not longer a valid cookie

Now, as to why you are seeing what you are seeing... You are copying the cookie before you logout. Thus your copied cookie never registers the logout (moved expiration time). When you reattach, you still have a valid auth cookie. Now, if your forms authentication timeout is set to...let's say 20 minutes...this method would fail if you copy the cookie and wait 21 minutes as by that time, it has expired.

查看更多
登录 后发表回答