I have an ASP.NET web application using forms membership authentication. We have recently been penetration tested and an issue that was flagged was the ability to steal a user's account. If the .ASPXAUTH cookie value was copied from a user before logging out, a user could log in as a different user, edit their cookie to match the copied value and get all of their privileges.

On logging out I have tried:

Removing the cookie. I could successfully do this but it doesn't invalidate the FormsAuthenticationTicket.

Using FormsAuthentication.SignOut(), but found it does not prevent the attack.

I personally don't see this as a problem; I believe the only way it could be stolen is if a user manages to gain access to an authenticated user. This said, I need to fix this problem to appease the penetration testers.

Any ideas would be greatly appreciated! Thanks

Rahul

Westy10101
  • Well, there are a bunch of things you can do: use SSL and disable sliding expiration or, better, just don't make them persistent. Take a look here on [MSDN](http://msdn.microsoft.com/en-us/library/ms998310.aspx). – Adriano Repetti May 24 '13 at 11:56

3 Answers

On logging out I have tried: Removing the cookie.
I could successfully do this but it doesn't invalidate the FormsAuthenticationTicket.

Actually, when you remove the cookie, you remove it from your user - you cannot de-activate it, so if someone gets it, he can still use it.

The solutions can be:

  • Save the status of the authentication cookie also on server.
  • Connect the status of logged user with their session.

Read more here also: Can some hacker steal the cookie from a user and login with that name on a web site?

and Form Authentication - Cookie replay attack - protection

and http://support.microsoft.com/default.aspx?scid=kb;en-us;900111

Aristos

I think the only real way around this is to use SSL to protect the cookies.

Even if you do something to invalidate the cookie server-side on logout, that doesn't prevent someone from replaying the cookie while the legit user is still logged in. This means any other solutions will leave you vulnerable. Maybe not for too long a time, but for some window.

Jason P

You actually can sorta invalidate a token server-side. Basically, ASP.NET provides an easy way to "invalidate tokens older than DATE-X"; you just need to store some date in the users database. It can be "last password change date" for example.

Check my answer here: Form Authentication - Cookie replay attack - protection

Alex from Jitbit
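Added example (not code from the question or from any of the answers) of the server-side check that Aristos' and Alex's answers describe: record a per-user cut-off timestamp when the user logs out (and, per Alex, when the password changes), then reject any forms ticket issued before that cut-off, so a cookie copied before logout stops working even though the cookie itself is never "revoked". `IUserStore`, `InMemoryUserStore` and the `Logout` helper are assumed names standing in for the application's own user table and logout handler.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Hypothetical per-user store; in a real app this is a column such as LastLogoutUtc.
public interface IUserStore
{
    DateTime? GetTokensInvalidBeforeUtc(string userName);
    void SetTokensInvalidBeforeUtc(string userName, DateTime whenUtc);
}

public class InMemoryUserStore : IUserStore   // stand-in for the database table
{
    private readonly ConcurrentDictionary<string, DateTime> _cutoffs = new ConcurrentDictionary<string, DateTime>();
    public DateTime? GetTokensInvalidBeforeUtc(string u) { DateTime d; return _cutoffs.TryGetValue(u, out d) ? d : (DateTime?)null; }
    public void SetTokensInvalidBeforeUtc(string u, DateTime when) { _cutoffs[u] = when; }
}

public static class TicketValidation
{
    // A ticket is stale if it was issued before the user's cut-off. IssueDate is local time, so normalise first.
    public static bool IsStale(DateTime ticketIssueDate, DateTime? invalidBeforeUtc)
    {
        return invalidBeforeUtc.HasValue && ticketIssueDate.ToUniversalTime() < invalidBeforeUtc.Value;
    }
}

public class Global : HttpApplication   // Global.asax.cs
{
    public static readonly IUserStore Users = new InMemoryUserStore();

    // Runs after FormsAuthenticationModule accepted the cookie: re-check it against the server-side record.
    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        if (!Request.IsAuthenticated) return;
        var cookie = Request.Cookies[FormsAuthentication.FormsCookieName];
        FormsAuthenticationTicket ticket = null;
        try { if (cookie != null) ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { /* undecryptable or tampered cookie: treat as invalid */ }

        if (ticket == null || ticket.Expired ||
            TicketValidation.IsStale(ticket.IssueDate, Users.GetTokensInvalidBeforeUtc(ticket.Name)))
        {
            FormsAuthentication.SignOut();   // clears the cookie on this client only; the DB cut-off does the real work
            Context.User = new GenericPrincipal(new GenericIdentity(""), new string[0]);
            Response.Redirect(FormsAuthentication.LoginUrl, true);
        }
    }

    // Logout handler: stamp "now" so every ticket issued earlier, including a copied one, is refused from here on.
    public static void Logout(HttpContextBase ctx)
    {
        Users.SetTokensInvalidBeforeUtc(ctx.User.Identity.Name, DateTime.UtcNow);
        FormsAuthentication.SignOut();
    }
}
```

Call `SetTokensInvalidBeforeUtc` from the password-change path as well, and note that, as Jason P points out, a ticket copied and replayed while the legitimate session is still active is not caught by this check; only the Secure cookie flag and SSL narrow that window.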