I thought the .ASPXAUTH was for user authentication? Can anyone confirm if this cookie is indeed a security risk and/or contains session information? Is it even supposed to be used, or is it some debug thing?

MetaGuru

  • From question http://stackoverflow.com/questions/423467/what-is-aspxauth-cookie - .aspxauth is not session related - it identifies the user. – Neil Moss Jul 15 '10 at 16:08

1 Answer

I think you have run into some comments that have to do with Forms Authentication security. You can find more info here: http://visualstudiomagazine.com/articles/2010/09/14/aspnet-security-hack.aspx

What it boils down to is that a clever hacker can discover the machine key used to encrypt the cookies and create their own forged auth cookies.

bleepzter

    It's probably worth mentioning here that fully patched-up servers no longer exhibit this vulnerability: http://technet.microsoft.com/en-us/security/bulletin/MS10-070 – Tao Sep 03 '11 at 10:57
  • Actually they couldn't discover the machine key per se. They used the server's error messages to use the server as a padding oracle. Using the oracle and brute-force they could encrypt any string, one bit at a time, and so construct an encrypted request for the `web.config`. By default this doesn't contain the machinekey; by default it is generated per app in process, unless you generate and configure a key yourself. Leaking `web.config` is still a Bad Thing™, though. – Chris Wesseling Jun 27 '12 at 13:45
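The answer and the comments above describe two things: an encrypted ticket whose decryption errors differ depending on where decryption fails (the padding oracle), and the fix, which is to check an integrity tag over the whole ciphertext before decrypting anything. The following is an added example written for this page, not ASP.NET's own forms-authentication code. It models an auth ticket with a toy SHA-256 keystream standing in for the real cipher (constructed for the example, not a real cipher), PKCS#7-style padding so a padding failure exists, and an HMAC-SHA256 tag. `unsigned_outcome` reads the ticket the pre-fix way and exposes distinct failure kinds; `read_ticket` verifies the tag first, in constant time, and collapses every failure to `None`. Function and key names are the example's own.

```python
"""Toy model of an encrypted auth ticket, without and with a MAC.

Added example, not ASP.NET code. The keystream below is a SHA-256 construction
that stands in for a real cipher; the point is the integrity check around it.
"""
import base64
import hashlib
import hmac
import json
import os
import time

BLOCK = 16        # models the cipher block size whose padding the oracle leaked
NONCE_LEN = 16
TAG_LEN = 32      # HMAC-SHA256 output size


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Toy keystream (constructed for this example; NOT a real cipher)."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def _pad(data: bytes) -> bytes:
    k = BLOCK - len(data) % BLOCK
    return data + bytes([k]) * k


def _unpad(data: bytes) -> bytes:
    if not data or len(data) % BLOCK:
        raise ValueError("bad padding")
    k = data[-1]
    if not 1 <= k <= BLOCK or data[-k:] != bytes([k]) * k:
        raise ValueError("bad padding")
    return data[:-k]


def _encrypt(enc_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    padded = _pad(plaintext)
    ks = _keystream(enc_key, nonce, len(padded))
    return bytes(a ^ b for a, b in zip(padded, ks))


def _decrypt(enc_key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    ks = _keystream(enc_key, nonce, len(ciphertext))
    return _unpad(bytes(a ^ b for a, b in zip(ciphertext, ks)))


def issue_ticket(user: str, ttl_seconds: int, enc_key: bytes, mac_key: bytes) -> str:
    """Cookie value = base64(nonce || ciphertext || HMAC(nonce || ciphertext))."""
    payload = json.dumps({"user": user, "exp": time.time() + ttl_seconds}).encode()
    nonce = os.urandom(NONCE_LEN)
    body = nonce + _encrypt(enc_key, nonce, payload)
    tag = hmac.new(mac_key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag).decode()


def unsigned_outcome(cookie: str, enc_key: bytes) -> str:
    """Pre-fix shape: decrypt without checking the tag and let each stage fail
    in its own way. These distinguishable outcomes are what an oracle leaks."""
    try:
        raw = base64.urlsafe_b64decode(cookie)
        body = raw[:-TAG_LEN]                       # tag is present but ignored
        plaintext = _decrypt(enc_key, body[:NONCE_LEN], body[NONCE_LEN:])
    except ValueError:
        return "bad padding"
    try:
        json.loads(plaintext)
    except ValueError:
        return "bad content"
    return "ok"


def read_ticket(cookie: str, enc_key: bytes, mac_key: bytes):
    """Hardened: verify the MAC over the whole body before decrypting.
    Every failure collapses to None, so a caller learns nothing about why."""
    try:
        raw = base64.urlsafe_b64decode(cookie)
        if len(raw) < NONCE_LEN + BLOCK + TAG_LEN:
            return None
        body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
        expected = hmac.new(mac_key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            return None
        data = json.loads(_decrypt(enc_key, body[:NONCE_LEN], body[NONCE_LEN:]))
        if data["exp"] < time.time():
            return None
        return data
    except (ValueError, KeyError, TypeError):
        return None


def flip_padding_byte(cookie: str) -> str:
    """Tamper with the last ciphertext byte, the one carrying the pad length."""
    raw = bytearray(base64.urlsafe_b64decode(cookie))
    raw[-TAG_LEN - 1] ^= 0x01
    return base64.urlsafe_b64encode(bytes(raw)).decode()


if __name__ == "__main__":
    enc, mac = os.urandom(32), os.urandom(32)
    good = issue_ticket("alice", 300, enc, mac)
    bad = flip_padding_byte(good)
    print("unsigned reader:", unsigned_outcome(good, enc), "/", unsigned_outcome(bad, enc))
    print("signed reader:  ", read_ticket(good, enc, mac), "/", read_ticket(bad, enc, mac))
```

Running it shows the contrast the thread describes: the unsigned reader answers "ok" for the genuine ticket and "bad padding" for the tampered one, while the signed reader returns the claims for the genuine ticket and `None` for anything else, whether the tag, the nonce, the ciphertext or the expiry is wrong. Two separate keys are used deliberately: the encryption key never takes part in the MAC, which mirrors the separation between `decryptionKey` and `validationKey` in an ASP.NET `machineKey` element.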