Security leak

From: Max Favilli - Dammela.it (max@dammela.it)
Date: 12/21/02

From: "Max Favilli - Dammela.it" <max@dammela.it>
Date: Fri, 20 Dec 2002 21:42:48 -0800

I manage a website, an online community with 12k registered users and 2k
daily visitors.

Login and logout were performed with a cookie that was not encrypted; a few
users (at least three) found out, started playing with it, and started
reading other people's private messages.

I have now implemented forms authentication with protection="all", but I
kept it in parallel with the old cookie, and I am now tracking people who
appear logged in according to the old cookie but not according to the forms
authentication one, or who appear logged in as two distinct users for the two
cookies.

It should allow me to identify the bad guys, and I am taking note of their
IP addresses too.

Now I have three questions.
1) Can I completely rely on forms authentication? Or is it reasonably
possible to decrypt the cookie and fool forms authentication?
2) May I attach some other info to that cookie? In the old one I stored a
GUID for the user, the nick, and also the authlevel. Can I use
GetAuthCookie() to manage that?

3) And more important, how can I find out information about the bad guys? I
have the IP addresses; what can I do to find information about them, just
find out the block owner and notify their ISP? I would gladly go to the
police, since in Italy the privacy law is very strict, but I doubt they would
do anything with just an IP; I need to find out who they are...

Thanks for any help in advance,
Max Favilli
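
Added example (not code from the original post or from any reply) showing the two cookie designs the post contrasts: the plaintext cookie pattern it describes, reconstructed from the description with an assumed cookie name, and an ASP.NET forms-authentication ticket that carries the GUID, nick and authlevel in the ticket's UserData field so the whole payload is covered by the encryption and MAC that protection="All" applies. GetAuthCookie(name, persistent) produces a ticket with an empty UserData field, so to attach your own data you build the FormsAuthenticationTicket yourself and run it through FormsAuthentication.Encrypt. The field separator and the AuthCookieHelper class name are assumptions.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Assumes web.config contains <authentication mode="Forms"><forms protection="All" .../>
// so that FormsAuthentication.Encrypt both encrypts and MACs the ticket with the machineKey.
public class AuthCookieHelper
{
    // Assumed separator for the fields packed into UserData.
    private const char Separator = '|';

    // The pattern the post describes (reconstructed, not the site's actual code).
    // Every field is plaintext and unauthenticated, so a user can edit "guid" or
    // "authlevel" in the browser and the server has no way to notice.
    public static HttpCookie CreateInsecureCookie(string nick, Guid userId, int authLevel)
    {
        HttpCookie cookie = new HttpCookie("login");       // assumed cookie name
        cookie.Values["guid"] = userId.ToString("N");
        cookie.Values["nick"] = nick;
        cookie.Values["authlevel"] = authLevel.ToString();
        return cookie;
    }

    // Hardened form: the same three values ride inside the forms-auth ticket.
    // Because Encrypt() MACs the whole ticket, a change to any byte of the cookie
    // makes Decrypt() fail instead of yielding a different user or authlevel.
    public static HttpCookie CreateAuthCookie(string nick, Guid userId, int authLevel, bool persistent)
    {
        string userData = userId.ToString("N") + Separator + authLevel.ToString();
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1,                                   // ticket version
            nick,                                // ticket name: the nick
            DateTime.Now,                        // issue time
            DateTime.Now.AddMinutes(30),         // expiry
            persistent,
            userData,
            FormsAuthentication.FormsCookiePath);

        string encrypted = FormsAuthentication.Encrypt(ticket);
        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encrypted);
        cookie.Path = FormsAuthentication.FormsCookiePath;
        if (persistent)
        {
            cookie.Expires = ticket.Expiration;
        }
        return cookie;
    }

    // Read the values back. Decrypt() returns null (or throws, depending on how the
    // value is malformed) when the MAC does not verify, so a forged cookie never
    // produces a ticket; only then are the UserData fields trusted.
    public static bool TryReadAuthCookie(HttpCookie cookie, out string nick, out Guid userId, out int authLevel)
    {
        nick = null;
        userId = Guid.Empty;
        authLevel = 0;
        if (cookie == null || cookie.Value == null || cookie.Value.Length == 0)
        {
            return false;
        }

        FormsAuthenticationTicket ticket;
        try
        {
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (ArgumentException) { return false; }
        catch (HttpException) { return false; }

        if (ticket == null || ticket.Expired)
        {
            return false;
        }

        string[] parts = ticket.UserData.Split(Separator);
        if (parts.Length != 2)
        {
            return false;
        }

        // Fields written by the server and MAC-verified above; parse failures here
        // indicate a server-side bug, not tampering.
        nick = ticket.Name;
        userId = new Guid(parts[0]);
        authLevel = int.Parse(parts[1]);
        return true;
    }
}
```

The strength of the ticket rests entirely on the machineKey: on a single server the auto-generated key is sufficient, but anyone who obtains the key (or a shared key on a web farm) can mint tickets for any nick and authlevel, so treat it like a password. Encryption and the MAC stop forgery and editing; they do not stop a user from replaying a cookie copied from someone else's browser, so keep the expiry short and check the session against server-side state for sensitive actions such as reading private messages.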