ASP Session Algorithm generate cookie via PHP

Question

I am writing a PHP script that needs to integrate with an ASP.NET login (which happens to be built on Sitecore, not sure if that matters). I need to replicate the ability to generate/login/encrypt a session & data cookie, and also detect if the user is logged in by detecting/decrypting a session & data cookie. Both the PHP & ASP scripts can share the same MS SQL database and are on the same filesystem, so that's not an issue. Most of my issues are just with setting/reading the ASP cookies within PHP.

I have 2 cookies set by ASP.NET,

ASP.NET_SessionId and .ASPXAUTH

It is my belief that the ASP.NET_SessionId is for the session obviously and .ASPXAUTH is for the data.

My questions are:

It is my belief that in order to know if someone is logged in (or login someone in) via an ASP session, in PHP, I will need to compare the session data with the sessions stored on the filesystem, does anybody know where (or what determines where) these are located?
Does anybody know the algorithm used to encrypt/decrypt the ASPXAUTH cookie? I'm aware of the standard "Encrypt" and "Decrypt" methods, but I want to know the code that makes them run precisely. IE is it first some sort of data array that is then salted and hashed? Do the bytes of the output need to be shifted/converted? If so, in what order/way?

I appreciate any assistance, I will award an answer for the person that is the most helpful in answering either of these questions in the next few days.

Currently I have been able to reproduce cookie generation via setcookie() in PHP. That is, I can login via ASP.NET app, take the cookie data, plug it into the PHP app and logout via the ASP .NET app. For those who are going to troll me, I am well aware this is possible and I do not NEED to explain why I am doing this, but it involves a lot of time, money and reasons, so yes, I do need to use BOTH PHP & ASP.NET.

THANKS!

UPDATE

I believe I was partially able to decrypt the cookie using this answer: https://stackoverflow.com/a/988018/775586 Anybody know how to finish it off?

score 2 · Answer 1 · answered Jul 03 '12 at 17:52

2

It is my belief that in order to know if someone is logged (or login someone) in via an ASP session, in PHP, I will need to compare the session data with the sessions stored on the filesystem, does anybody know where (or what determines where) these are located?

Nowhere on the file system. By default ASP.NET stores session data in the memory of the application domain. So you can simply forget about accessing this part of the memory from PHP. There are other modes that you could choose which allow you to store the ASP.NET session data either out-of-proc (in a dedicated Windows Service) or in SqlServer. For more information about the different ASP.NET Session modes I invite you to read the following article.

Does anybody know the algorithm used to encrypt/decrypt the ASPXAUTH cookie? IE is it first some sort of data array that is then salted and hashed? If so, in what order/way?

It uses the FormsAuthentication.Encrypt and Decrypt methods. They in turn use whatever algorithm and keys you have defined in your machineKey section in your web/machine.config files. For more information about how Forms Authentcation works in ASP.NET I invite you to read the following article.

answered Jul 03 '12 at 17:52

Darin Dimitrov

1,023,142
271
3,287
2,928

Thank you for your quick reply. I'm aware of the machineKey section, but do you know how it puts these pieces of information together (and more importantly decrypts this information)? IE does it do something like sha1(data + salt)? – TheFrack Jul 03 '12 at 17:55
It will simply use the algorithm you have defined in your machineKey section. By default it uses HMACSHA1. – Darin Dimitrov Jul 03 '12 at 17:57
If it is actually "HMACSHA1", that would mean it is a hash so it would be impossible to decrypt correct? That doesn't make any sense. I read it was AES encrypted, do you know what the Initialization Vector is? – TheFrack Jul 05 '12 at 16:44
It's AES. HMACSHA1 is used for signing. The Key used for AES is defined in the machineKey section as I already explained in my answer. – Darin Dimitrov Jul 05 '12 at 16:45
I'm trying to decrypt it at the moment, and I need 3 things, the encrypted data, the key (IE decryptionKey="x") and the Initialization Vector (IV). Do you know what that might be? – TheFrack Jul 05 '12 at 16:47
Look in your machine.config file. The machineKey section contains them. If it doesn't this means that they are auto-generated and you cannot use them. In this case you simply put the key you want to be used. – Darin Dimitrov Jul 05 '12 at 16:54

score 2 · Accepted Answer · answered Jul 06 '12 at 12:33

Okay so for the first question...

ASP doesn't store on the raw filesystem, but can store session data in a database if configured properly and you can specify where. From what I recall reading, this is in a database called "tempdb" or a database which may also have some sprocs in it. More info on that in more plain English here: http://www.codeproject.com/Articles/104082/Configuring-ASP-session-state-on-SQL-server

For the second and more important question:

This amazing article will give you a breakdown of how the ASPX_AUTH cookie is generated and the algorithm to do so: http://www.codeproject.com/Articles/16822/The-Anatomy-of-Forms-Authentication

ASP Session Algorithm generate cookie via PHP

2 Answers2