Re: Cookies question

From: Dominick Baier [DevelopMentor] (dbaier_at_pleasepleasenospamdevelop.com)
Date: 03/24/05


Date: Thu, 24 Mar 2005 03:29:36 -0800

Hello Joe,

If you can close down all browser windows and with a new one bypass the login
then you _have_ to have some persistence going on. This is the only explanation
- maybe something with your session cookie??

Check your code and inspect the HTTP communication by using a tool like Fiddler
(www.fiddlertool.com).

HTH

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> Dominick,
> Thanks for the response.
> I use temp cookies because I use code like this:
> Web.Security.FormsAuthentication.RedirectFromLoginPage(UID, False)
> I think it is related to spawning a 2nd browser session from the first by
> using Ctrl-N.
> In this case the 2nd browser instance "inherits" the in-memory cookies from
> the first.
> The users were using a link to an Intranet site - maybe this link had
> the same effect by spawning a 2nd instance from the first somehow.
>
> I guess what I don't understand is how they can close all browser instances
> and then click this link and still bypass the log in page. If the cookie is
> temporary and in memory, isn't it destroyed when the browser is closed?
> Or is it really stored on disk somewhere until it expires? (I could not find
> it and a re-boot makes it disappear.)
> Thanks for any more input.
>
> "Dominick Baier [DevelopMentor]"
> <dbaier@pleasepleasenospamdevelop.com> wrote in message
> news:169758632471743413041942@news.microsoft.com...
>
>> Hello Joe,
>>
>> cookie storage depends - if it is a temporary cookie it is only stored
>> in browser memory and deleted when you shut down the process - persistent
>> cookies are stored in the user profile.
>>
>> So when do you deal with persistent and when with temporary...
>>
>> a cookie that has an expiration time in the future is persistent until
>> that point of time.
>>
>> In FormsAuthentication - when you use RedirectFromLoginPage - the last
>> parameter is a boolean - if true the cookie is persistent (some silly
>> timespan like 50 years in the future), if false you will end up with a temp
>> cookie.
>>
>> When you use persistent cookies, the behaviour with the 2nd browser
>> window is like you described it
>>
>> Always use temp cookies - you don't want digital ids of your webapp
>> stored on a clients machine, do you?
>>
>> ---------------------------------------
>> Dominick Baier - DevelopMentor
>> http://www.leastprivilege.com
>>> I use forms authentication for my app.
>>> After I log in successfully each request by the browser contains 2
>>> cookies.
>>> One for the SessionID and one for forms authentication which contains
>>> my ticket.
>>> Can someone please explain where these cookies are stored? I think it
>>> is in memory in the browser but am not sure.
>>> Also, some users have stated that they can do the following:
>>> 1. Start a browser, hit the site and log in.
>>> 2. Start a 2nd browser.
>>> 3. Hit the site.
>>> 4. BYPASS the log in page and go directly to the Home page.
>>> They claim they can also close all browser sessions, start a new one
>>> and still Bypass the log in page.
>>> How is this possible?
>>> Why would the 2nd browser session have the cookies noted above?
>>> I assume once the authentication ticket expires in 30 minutes of
>>> inactivity that neither scenario would be possible. They would have to
>>> re-log in first.
>>> Thanks for any info on this.
>>>
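
The check Dominick recommends, as an added example that is not part of the
thread above: capture the Set-Cookie headers the server sends right after the
login (Fiddler shows them in the response) and classify each one. A cookie with
neither Expires nor Max-Age is a temp cookie that lives only in browser memory;
one with an expiry in the future is written to the user profile and is exactly
what would let a freshly started browser skip the login page. The sample
headers are constructed for the example (the `.ASPXAUTH` and `ASP.NET_SessionId`
names are the ASP.NET defaults, the values and dates are made up); `NOW` is
pinned so the result is reproducible.

```python
"""Classify captured Set-Cookie headers as session-only, persistent or deleted.

Added example, not code from the thread. Paste the Set-Cookie lines seen in
Fiddler into SAMPLE_HEADERS and run it; anything reported as "persistent"
survives closing every browser window.
"""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional

# Pinned "now" so the classification below is reproducible (constructed).
NOW = datetime(2005, 3, 24, 11, 29, 36, tzinfo=timezone.utc)

# Constructed headers; cookie names are the ASP.NET defaults, values are fake.
SAMPLE_HEADERS: List[str] = [
    # RedirectFromLoginPage(uid, False): no Expires -> temp (in-memory) cookie
    ".ASPXAUTH=A1B2C3D4E5F6; path=/; HttpOnly",
    # RedirectFromLoginPage(uid, True): far-future Expires -> persistent cookie
    ".ASPXAUTH=A1B2C3D4E5F6; expires=Thu, 24 Mar 2055 11:29:36 GMT; path=/; HttpOnly",
    # Session-state cookie, also memory-only
    "ASP.NET_SessionId=k2x1zr45mfjqyp55gfrpcw55; path=/; HttpOnly",
    # Expiry in the past: the browser discards the cookie (what a sign-out does)
    ".ASPXAUTH=; expires=Tue, 12 Oct 1999 05:00:00 GMT; path=/",
]


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie value into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value, "attrs": attrs}


def classify(header: str, now: Optional[datetime] = None) -> dict:
    """Decide whether a cookie is session-only, persistent, or a deletion."""
    now = now or datetime.now(timezone.utc)
    cookie = parse_set_cookie(header)
    attrs = cookie["attrs"]
    expires: Optional[datetime] = None
    if "max-age" in attrs:
        # RFC 6265: Max-Age takes precedence over Expires when both are present
        expires = now + timedelta(seconds=int(attrs["max-age"]))
    elif "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)

    if expires is None:
        kind = "session"      # held in browser memory, gone when the process exits
    elif expires <= now:
        kind = "deleted"      # browser removes the cookie
    else:
        kind = "persistent"   # written to the user profile on disk

    return {
        "name": cookie["name"],
        "kind": kind,
        "persistent": kind == "persistent",
        "expires": expires,
        "httponly": "httponly" in attrs,
        "secure": "secure" in attrs,
    }


def audit(headers: List[str], now: Optional[datetime] = None) -> List[dict]:
    """Classify every captured header in order."""
    return [classify(h, now) for h in headers]


if __name__ == "__main__":
    for r in audit(SAMPLE_HEADERS, NOW):
        until = r["expires"].isoformat() if r["expires"] else "end of browser session"
        flags = "" if r["httponly"] else "  (no HttpOnly)"
        print(f'{r["name"]:<20} {r["kind"]:<10} until {until}{flags}')
```

If every auth cookie comes back as "session" but a new browser still skips the
login, the persistence is somewhere else (for example a second cookie name, or
a different response than the one being inspected), which is why the whole
exchange and not just the login response is worth capturing.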


