Re: authentication cookie vs session cookie

From: Joseph (joseph_at_bluefield.com.hk)
Date: 08/11/03


Date: Mon, 11 Aug 2003 17:14:56 +0800


The reason I raised this question is that I am worried about the security
level of using authentication cookies on the client machines. If the
authentication cookie on a manager's machine is stolen and used on a client
machine with lower privilege (e.g. operator's machine) on the same intranet,
will the operator be able to access the privileges granted to the manager? I
am assuming all the user role information is stored in the authentication
cookie.

Thanks.
Joseph

"Yan-Hong Huang[MSFT]" <yhhuang@online.microsoft.com> wrote in message
news:2VKAdj9XDHA.1544@cpmsftngxa06.phx.gbl...
> Hello Joseph,
>
> Thanks for posting here.
>
> Indeed. Forms authentication is a flexible, scalable and secure system for
> doing 'cookie' authentication (effectively what you are doing when you use
> session variables as it relies on the session cookie that ASP.NET sends to
> the client). A big advantage is that it allows you to persist information
> by storing it in an encrypted authentication cookie - this is much better
> in terms of scalability than using a session variable for each user (you
> can use it across a webfarm without significant changes).
>
> Another big advantage of using Forms authentication is that it slots into
> the rest of the ASP.NET Security framework. This means that code for
> authentication and authorization works together in a logical way and new
> code can be slotted in really easily.
>
> In general, Session Cookie and Forms Auth cookie are independent and you
> have to find the logic to achieve what you want.
> Rather than trying to sync these 2 timeouts, try logging out the user if
> the session times out.
>
> 1. You can handle one of the events after the sessionState is hooked up and
> check to see if the session is new and if the user is authenticated. If so,
> call the logout method and redirect to login page.
> 2. Another way is to set a session variable and check on every page to see
> if the session variable exists and also the user is authenticated. If not,
> redirect the user to the login page by calling the LogOut method.
>
> Please post here if you have any more concerns.
>
> Best regards,
> Yanhong Huang
> Microsoft Online Partner Support
>
> Get Secure! - www.microsoft.com/security
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
> --------------------
> !From: "Joseph" <joseph@bluefield.com.hk>
> !Subject: authentication cookie vs session cookie
> !Date: Fri, 8 Aug 2003 15:52:50 +0800
> !Newsgroups: microsoft.public.dotnet.framework.aspnet.security
> !
> !Hi,
> !
> !What are the differences between authentication and session cookies? In my
> !web.config file, I set the cookieless attribute for the sessionState element
> !to false. Why do we need 2 different types of cookies? Is the session
> !cookie enough for authentication purposes?
> !
> !I do feel uncomfortable maintaining 2 different timeouts (forms
> !authentication cookie and session) in the web.config file. Is it possible to
> !keep both in sync (i.e. make the authentication cookie expire at the same time
> !the session expires)?
> !
> !Thanks.
> !
> !Joseph
> !
>
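Yanhong's first suggestion, together with the roles-in-the-ticket model Joseph is asking about, written out as an added example (not code from the thread or from Microsoft): a Global.asax for ASP.NET 1.1 Forms authentication. It assumes `<forms protection="All" requireSSL="true">` in web.config, an HTTPS-only site, a login page at `~/Login.aspx`, and the hypothetical `IssueTicket` helper being called from that page once credentials have been verified. Roles placed in the ticket's UserData are encrypted and MAC'd, so they cannot be edited client-side, but whoever holds the cookie holds the roles, which is why the cookie is marked Secure, kept non-persistent and short-lived, and invalidated as soon as the server-side session is gone.

```csharp
// Global.asax.cs (ASP.NET 1.1 Forms authentication) -- assumed layout.
using System;
using System.Web;
using System.Web.Security;
using System.Security.Principal;

public class Global : HttpApplication
{
    // Hypothetical helper called from Login.aspx after the password check.
    // Roles travel inside the encrypted, signed ticket instead of in Session.
    public static void IssueTicket(HttpResponse response, string userName, string[] roles)
    {
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.AddMinutes(20),
            false /* non-persistent: discarded when the browser closes */,
            String.Join(",", roles));
        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                           FormsAuthentication.Encrypt(ticket));
        cookie.Secure = true;  // only ever sent over HTTPS (assumes the site is HTTPS)
        response.Cookies.Add(cookie);
    }

    // Runs on every request before session state is acquired: rebuild the
    // principal from the decrypted ticket so User.IsInRole() sees the roles.
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        if (!Request.IsAuthenticated || !(Context.User.Identity is FormsIdentity))
            return;
        FormsIdentity identity = (FormsIdentity)Context.User.Identity;
        string[] roles = identity.Ticket.UserData.Split(',');
        Context.User = new GenericPrincipal(identity, roles);
    }

    // Step 1 of the reply: Session_Start fires after AuthenticateRequest, so a
    // brand-new session for an already-authenticated user means the server-side
    // session has timed out. Sign out and send the user back to the login page,
    // which caps the auth cookie's useful life at the session timeout.
    protected void Session_Start(object sender, EventArgs e)
    {
        if (Session.IsNewSession && Request.IsAuthenticated)
        {
            FormsAuthentication.SignOut();   // clears the forms auth cookie
            Session.Abandon();
            Response.Redirect("~/Login.aspx", true);  // assumed login page path
        }
    }
}
```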