Security Exploit (FormsAuthentication.SignOut()) Does not Work

From: Ali (elhamdiali_at_hotmail.com)
Date: Wed, 28 Jan 2004 14:38:44 -0600


    Our security people have been able to copy and use the FormsAuthentication
    cookie. Our authentication cookie is based on an encrypted ticket and we use
    FormsAuthentication.SignOut() when users log out or kill their session, but
    apparently the secure ticket does not get removed from the server by
    FormsAuthentication.SignOut().

    We have been able to time-out the ticket on the server, but we need to be
    able to remove the ticket at any time.

    This is our logout procedure:

    FormsAuthentication.SignOut();      // clears the forms auth cookie on the client
    Session.Abandon();                  // drops the server-side session state
    Response.Redirect("Autheticate.aspx");

    Thanks

    Ali
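One defensive pattern for the problem Ali describes, as an added example that is not code from the original post: a forms authentication ticket is self-contained, so the server keeps no record of it and SignOut() can only clear the cookie the client chooses to honour; a copied cookie stays valid until the ticket expires. The server therefore has to remember which tickets it has revoked and reject them itself. The class and method names (TicketRevocation, IssueTicket, Revoke, EnforceRevocation), the 30-minute lifetime and the in-memory store are assumptions for the example.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Added example (not the poster's code): server-side revocation of forms
// authentication tickets. Each ticket carries a unique id in UserData so a
// single login can be revoked without affecting the user's other sessions.
public static class TicketRevocation
{
    // Revoked ticket ids -> ticket expiry, so stale entries can be pruned.
    // Assumption: single server; a web farm needs a shared store instead.
    private static readonly ConcurrentDictionary<string, DateTime> Revoked =
        new ConcurrentDictionary<string, DateTime>();

    // Login: issue a ticket whose UserData is a fresh id for this login only.
    public static void IssueTicket(HttpResponse response, string userName, bool persistent)
    {
        string ticketId = Guid.NewGuid().ToString("N");
        var ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.AddMinutes(30), persistent, ticketId);
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;                      // keep script from reading the cookie
        cookie.Secure = FormsAuthentication.RequireSSL;
        response.Cookies.Add(cookie);
    }

    // Logout: record the id until the ticket would have expired anyway, then clear the cookie.
    public static void Revoke(HttpContext context)
    {
        var identity = context.User == null ? null : context.User.Identity as FormsIdentity;
        if (identity != null)
            Revoked[identity.Ticket.UserData] = identity.Ticket.Expiration;
        FormsAuthentication.SignOut();
        context.Session.Abandon();
    }

    // Call from Global.asax Application_PostAuthenticateRequest on every request.
    public static void EnforceRevocation(HttpContext context)
    {
        DateTime ignored;
        foreach (var entry in Revoked)               // prune entries whose ticket has expired
            if (entry.Value < DateTime.Now) Revoked.TryRemove(entry.Key, out ignored);
        var identity = context.User == null ? null : context.User.Identity as FormsIdentity;
        if (identity == null || !Revoked.ContainsKey(identity.Ticket.UserData)) return;
        FormsAuthentication.SignOut();               // a replayed, revoked cookie: drop it
        context.User = new GenericPrincipal(new GenericIdentity(""), new string[0]);
        context.Response.Redirect(FormsAuthentication.LoginUrl, true);
    }
}
```

Pairing this with a short ticket lifetime keeps the revocation list small; ticket ids are only retained until the ticket itself would have expired.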

