RE: Authentication Ticket Persistance
From: D Voss (dvoss_at_mainstreet.fiserv.net)
Date: 04/29/03
- Next message: Alek Davis: "Re: 'Illegal key size for this algorithm"
- Previous message: Lorenzo: "Re: Validate User Credentials against active directory"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 29 Apr 2003 09:33:24 -0700
Sorry for the delay in responding to your questions about this issue. I
thank you for your reply, and would like to provide you with some more
information.
You response to my original issue points out that the application on
abc.net should not be able to read the authentication cookie written by
xyz.net. I have some additional information that I thought you might
find interesting. I believe this could possibly be a security issue
with asp.net.
The inability to read cookies across domains was anticipated. Although,
I didn’t explain how I was handling this in my original post. My login
code running on login.xyz.net actually writes the authentication cookie,
then checks the domain of the ReturnURL from the calling application
(app1.abc.net). The ReturnURL domain (abc.net) is different from the
authentication URL domain (xyz.net). In the case of a different domain,
my login application would not simply redirect to the calling
application, but would do a form post back to the Return URL containing
a single hidden field named with the Authentication Cookie Name
containing the Authentication Ticket Cookie value in it. The calling
application on app1.abc.net would then check for an authentication
cookie as follows:
Try
strCookieValue = Request.Cookies _
(FormsAuthentication.FormsCookieName()).Value
Catch
‘On error there was no authentication cookie, so
'look for a form postback
strCookieValue = Request _
(FormsAuthentication.FormsCookieName())
End Try
When I traced through this code, the line of code within the Try was
always successful. Therefore, I assumed that the cookie written by the
login application was readable by the calling application. NOTE: This
was also the line of code that changed the state of the Authentication
Cookie to be persistent.
Upon receiving your response, I decided to research the issue further.
It turns out that although the line of code within the try statement was
specifically referencing Request.Cookies(…), it was actually reading the
form field posted back from the login application. Therefore, it
appears that a form field posted to an ASP.Net application with the same
name as an expected cookie could trick the application into reading the
cookie and in turn persisting that cookie.
I hope this information is valuable to you.
Dale Voss
Lead Web Developer
Fiserv, Inc.
*** Sent via Developersdex http://www.developersdex.com ***
Don't just participate in USENET...get rewarded for it!
- Next message: Alek Davis: "Re: 'Illegal key size for this algorithm"
- Previous message: Lorenzo: "Re: Validate User Credentials against active directory"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
