Re: Roles in encrypted cookie, security problem?

From: Per Salmi (per.salmi_at_nospam.nospam)
Date: 01/19/05


Date: Wed, 19 Jan 2005 00:32:57 -0800

So, what are the best alternatives to using the cookie-stored UserId and
Roles list?

Where is the best place to store the FormsAuthenticationTicket?

/Per

> If the user can decrypt the cookie, then he could just as easily
> modify the user name in the cookie. Since the user name would be the
> key into the user's roles collection in the case where the roles are
> not stored in the cookie, there's not much difference in risk between
> the two scenarios.
>
> That said, there's a much more compelling reason not to store in a
> cookie: a user's role membership may change within a given usage
> session. When this happens, it is usually expected that the altered
> roles would immediately be reflected in the user's permissions, and
> that will only happen if you refresh the role set frequently (ideally
> at the start of each request). Obviously, there's a potential
> performance vs security trade-off here, so there's a design decision
> to be made wrt the frequency of the role refresh. When making this
> design decision, it's important to consider not only "typical" usage
> scenarios, but examples such as the blacklisting (via inclusion in a
> blacklist role or exclusion from all roles) of a user during a session
> in which he is observed to be attempting potentially malicious
> activities.
>
> "Per Salmi" <per.salmi@nospam.nospam> wrote in message
> news:158684632416702594956464@news.microsoft.com...
>
>> Hi,
>> I was just looking over a few samples of role based security in
>> combination with forms based authentication. The samples I find seem
>> to store an encrypted list of roles in a cookie like this:
>> (Code snippet taken from Code Project article by Heath Stewart)
>>
>> // Create a new ticket used for authentication
>> FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
>>     1,                                    // Ticket version
>>     Username.Value,                       // Username associated with ticket
>>     DateTime.Now,                         // Date/time issued
>>     DateTime.Now.AddMinutes(30),          // Date/time to expire
>>     true,                                 // "true" for a persistent user cookie
>>     reader.GetString(0),                  // User-data, in this case the roles
>>     FormsAuthentication.FormsCookiePath); // Path cookie valid for
>>
>> // Encrypt the ticket using the machine key for secure transport
>> string hash = FormsAuthentication.Encrypt(ticket);
>> HttpCookie cookie = new HttpCookie(
>>     FormsAuthentication.FormsCookieName,  // Name of auth cookie
>>     hash);                                // Encrypted ticket
>>
>> // Set the cookie's expiration time to the ticket's expiration time
>> if (ticket.IsPersistent) cookie.Expires = ticket.Expiration;
>>
>> // Add the cookie to the list for outgoing response
>> Response.Cookies.Add(cookie);
>>
>> Is this really a safe way to store the current user's available
>> roles? I am thinking about a scenario where a user could elevate
>> his/her privileges by brute force decryption of the cookie and then
>> create new contents for the cookie, adding a role like "Admin" which
>> probably could be valid in many sites using this technique.
>>
>> To me it would feel better if the list of the current user's roles was
>> not stored on the client.
>> Anyone got comments on this?
>> Best regards,
>> Per Salmi
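The server-side alternative the reply above argues for, as an added example that is not code from this thread or from the Code Project article it quotes: the forms ticket carries only the user name, and the roles are looked up from a server-side store on every request (optionally cached for a bounded time, which is the performance vs. security knob the reply mentions), so a mid-session role change or blacklisting takes effect on the next request. RoleStore.GetRolesForUser and the role name "Blacklisted" are hypothetical placeholders for the application's own role lookup.

```csharp
// Global.asax.cs (added example; RoleStore and "Blacklisted" are hypothetical)
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Caching;
using System.Web.Security;

public class Global : HttpApplication
{
    // Upper bound on how stale a cached role set may be. TimeSpan.Zero means
    // "query the store on every request" (most secure); a few seconds trades
    // slower revocation for fewer database hits.
    static readonly TimeSpan RoleCacheTtl = TimeSpan.FromSeconds(30);

    static string[] GetRoles(string userName)
    {
        string cacheKey = "roles:" + userName;
        string[] roles = HttpRuntime.Cache[cacheKey] as string[];
        if (roles == null)
        {
            roles = RoleStore.GetRolesForUser(userName) ?? new string[0]; // hypothetical store
            if (RoleCacheTtl > TimeSpan.Zero)
                HttpRuntime.Cache.Insert(cacheKey, roles, null,
                    DateTime.UtcNow.Add(RoleCacheTtl), Cache.NoSlidingExpiration);
        }
        return roles;
    }

    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        // FormsAuthenticationModule has already validated and decrypted the
        // ticket; the only value taken from the cookie is the user name.
        FormsIdentity identity = Context.User == null
            ? null : Context.User.Identity as FormsIdentity;
        if (identity == null || !identity.IsAuthenticated)
            return;

        string[] roles = GetRoles(identity.Name);

        // Blacklisting mid-session: a user moved into the "Blacklisted" role
        // is signed out on the next request, whatever the cookie still says.
        if (Array.IndexOf(roles, "Blacklisted") >= 0)
        {
            FormsAuthentication.SignOut();
            FormsAuthentication.RedirectToLoginPage();
            return;
        }

        // Roles come from the server, so nothing client-held decides permissions.
        Context.User = new GenericPrincipal(identity, roles);
    }
}
```

When the store changes a user's roles, also remove that user's entry with HttpRuntime.Cache.Remove so the TTL is only an upper bound on revocation delay, not the normal case.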
