Prevent Authentication Disasters

Persistent authentication cookies can last for years, opening a huge window for replay attacks.

asp:HotTip

LANGUAGES: C#

TECHNOLOGIES: Forms Authentication

By Jeff Prosise

ASP.NET's forms authentication module simplifies the development of Web applications that use forms logins to secure resources. But used unmodified, forms authentication is an accident waiting to happen. Consider the following statements, typical of those found in forms authentication examples. They authenticate a user; send the user back to the page requested before ASP.NET redirected to the login page; and issue a persistent authentication cookie so the user does not have to log in again and again:

if (AuthenticateUser (name, password))
    // true requests a persistent cookie that outlives the browser session
    FormsAuthentication.RedirectFromLoginPage (name, true);

Unfortunately, a persistent authentication cookie issued by FormsAuthentication.RedirectFromLoginPage remains valid for - get this - 50 years! To shorten the cookie's lifetime and reduce the window of opportunity for replay attacks, issue the cookie this way instead:

if (AuthenticateUser (name, password)) {
    // Where the user was headed before being sent to the login page
    string url = FormsAuthentication.GetRedirectUrl (name, true);
    // Adds the persistent authentication cookie to Response.Cookies
    FormsAuthentication.SetAuthCookie (name, true);
    HttpCookie cookie =
         Response.Cookies[FormsAuthentication.FormsCookieName];
    // Set the cookie to expire 7 days from now
    cookie.Expires = DateTime.Now + new TimeSpan (7, 0, 0, 0);
    // Redirect manually, since RedirectFromLoginPage is no longer used
    Response.Redirect (url);
}

This modified approach adds the authentication cookie to the HTTP response, sets its expiration date to seven days hence, and then manually redirects to the page the user requested originally. The resulting authentication cookie is good for seven days instead of 50 years - a measure your IT staff surely will appreciate!
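One caveat worth adding to the tip above: cookie.Expires only tells the browser when to discard the cookie. The encrypted ticket inside the cookie carries its own expiration date, and that ticket expiration, not the cookie header, is what the forms authentication module checks when a request arrives. A cookie captured in transit and replayed by a tool that ignores Expires is therefore honoured until the ticket itself expires. The following helper, an added example that is not code from the article, builds the ticket explicitly so that the ticket expiration and the cookie expiration agree, and also marks the cookie HttpOnly and (when requireSSL is configured) Secure. It assumes ASP.NET 2.0 or later, where FormsAuthentication.RequireSSL and FormsAuthentication.CookieDomain exist; AuthenticateUser in the usage comment is the article's own hypothetical credential check.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added example, not code from the original article.
// Assumes ASP.NET 2.0 or later.
public static class ShortLivedFormsAuth
{
    // Issues a persistent forms authentication cookie whose encrypted ticket
    // and whose browser-side cookie both expire after `lifetime`.
    public static HttpCookie IssueCookie (HttpResponse response, string userName, TimeSpan lifetime)
    {
        DateTime issued = DateTime.Now;
        DateTime expires = issued + lifetime;

        // The ticket carries the expiration that FormsAuthenticationModule
        // checks on every request; it is what actually bounds how long a
        // captured cookie can be replayed.
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket (
            1,                                     // ticket version
            userName,
            issued,
            expires,
            true,                                  // persistent
            String.Empty,                          // no application-specific user data
            FormsAuthentication.FormsCookiePath);

        // Encrypt the ticket (and MAC it, when protection="All" is configured).
        string encrypted = FormsAuthentication.Encrypt (ticket);

        HttpCookie cookie = new HttpCookie (FormsAuthentication.FormsCookieName, encrypted);
        cookie.Expires = expires;                          // browser lifetime matches the ticket
        cookie.HttpOnly = true;                            // not readable by client-side script
        cookie.Secure = FormsAuthentication.RequireSSL;    // honour requireSSL="true" in web.config
        cookie.Path = FormsAuthentication.FormsCookiePath;
        if (!String.IsNullOrEmpty (FormsAuthentication.CookieDomain))
            cookie.Domain = FormsAuthentication.CookieDomain;

        response.Cookies.Add (cookie);
        return cookie;
    }
}

// Login-page usage, replacing the RedirectFromLoginPage call:
//
// if (AuthenticateUser (name, password)) {
//     ShortLivedFormsAuth.IssueCookie (Response, name, TimeSpan.FromDays (7));
//     Response.Redirect (FormsAuthentication.GetRedirectUrl (name, true));
// }
```

Because the ticket is built by hand, the seven-day bound is enforced on the server even if a client presents the cookie after the browser would have discarded it. Note that under ASP.NET 2.0 and later the timeout attribute of the <forms> element also applies to persistent tickets, so the 50-year default described above is specific to the ASP.NET 1.x behaviour the tip was written against; explicitly aligning the ticket and cookie lifetimes still removes any dependence on that configuration.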

 

Jeff Prosise is the author of several programming books, including Programming Microsoft .NET (Microsoft Press). He is also a co-founder of Wintellect (http://www.wintellect.com), a software consulting and education firm that specializes in .NET.