Re: forms authentication question




I looked at the RenewTicketIfOld method, but it only updates the ticket if the
user has passed the timeout/2 value. I guess that's the reason Microsoft
decided to just update the cookie once in a while, instead of every time --
if the user has the "warn cookies" option turned on, they would get the pop-up box
every time the forms cookie is updated. That's why I was thinking I can
update the cookie once I determine that the forms authentication cookie is
expired, but the "true" session key has not expired. Of course, if someone
steals the forms cookie, they'll be able to send requests and keep both the
ticket and the session key alive, but I'll make sure the forms cookie is only
given for SSL traffic and the whole site will also use SSL.

"Dominick Baier [DevelopMentor]" wrote:

> Hi,
>
> sorry - calling Renew on every request does not make sense. I have read the
> docs now :))
>
> But you could manually renew the ticket if you want to - I just wouldn't
> go through the hassle of the session key - and keeping them in sync manually.
>
> ---------------------------------------
> Dominick Baier - DevelopMentor
> http://www.leastprivilege.com
>
> > Hi,
> >
> > ok - you made two points
> >
> > a) avoiding expiration
> >
> > why don't you just call RenewTicketIfOld on every request?
> >
> > b) stealing the cookie
> >
> > if the cookie is expired - it is expired. If someone can steal the
> > cookie (including your session key) - he can keep the ticket alive by
> > regularly posting back to the web site. I don't see a security gain
> > here.
> >
> > ---------------------------------------
> > Dominick Baier - DevelopMentor
> > http://www.leastprivilege.com
> >> I have a 20 minute timeout on the session key. Every time a request is
> >> made to the database, the expiration time is updated. I can increase
> >> the timeout on the forms authentication cookie, but I really would
> >> like to keep both the session key and the forms authentication cookie
> >> close to each other if possible. If I set the forms authentication
> >> cookie timeout to 40 minutes and I have a page where the code is not
> >> hitting the database, then the user will be valid for 40 minutes,
> >> instead of 20. But if I set the forms authentication timeout to 20
> >> and then validate the session key (stored in the forms cookie as
> >> user data) against the database, then the timeouts will be in sync.
> >> I just don't know which solution is better: increase the forms timeout, or
> >> keep the same timeout for both the session key and the forms cookie and
> >> validate/extend the session key on every request.
> >>
> >> "Dominick Baier [DevelopMentor]" wrote:
> >>
> >>> Hi,
> >>>
> >>> so does your session key also have an expiration time? why don't you
> >>> just set a longer timeout on the forms ticket?
> >>>
> >>> ---------------------------------------
> >>> Dominick Baier - DevelopMentor
> >>> http://www.leastprivilege.com
> >>>> Thank you for the reply. Yes, the forms authentication cookie has a
> >>>> sliding timeout or absolute timeout, but my problem is that the
> >>>> sliding expiration does not get updated all the time. So, if I set
> >>>> the sliding expiration to 20 minutes, the cookie will be updated
> >>>> after 10 minutes, and if the user did something in the first 10
> >>>> minutes, but then didn't do anything for the next 15 minutes, the forms
> >>>> authentication cookie will be timed out. That's what I'm trying to
> >>>> avoid. Storing a custom session key in the cookie gives me the ability
> >>>> to renew the cookie as long as the session key has not expired. I
> >>>> will also be using an in-memory cookie and SSL, so that it will be
> >>>> difficult to steal the forms authentication cookie, but if it's stolen,
> >>>> there would be another level of server-side checks that would have
> >>>> to be passed.
> >>>>
> >>>> "Dominick Baier [DevelopMentor]" wrote:
> >>>>
> >>>>> Hi,
> >>>>>
> >>>>> I don't really see what you are trying to do -
> >>>>>
> >>>>> the forms auth ticket has a timeout - and 2 renewal modes:
> >>>>> sliding and non-sliding
> >>>>>
> >>>>> in non-sliding the timeout is absolute - and users have to reauth
> >>>>> after this timeout
> >>>>> in sliding the ticket gets renewed for the time specified in
> >>>>> timeout after timeout/2
> >>>>> as long as you don't persist cookies and use SSL - I don't see a
> >>>>> problem here..?
> >>>>> However, if you store additional data in the cookie - like roles -
> >>>>> you should have a manual expiration mechanism to update roles
> >>>>> after a certain amount of time. This also gives you the chance to check
> >>>>> if the user is still valid/roles have changed.
> >>>>> ---------------------------------------
> >>>>> Dominick Baier - DevelopMentor
> >>>>> http://www.leastprivilege.com
> >>>>>> I want to use forms authentication, but since the forms
> >>>>>> authentication cookie is not updated all the time, I want to use
> >>>>>> a server-side check to validate the user's login
> >>>>>> status/information. If I create a unique session key and store
> >>>>>> it in the forms authentication cookie as custom data, can I check
> >>>>>> on every Application_BeginRequest() if the cookie is expired, and
> >>>>>> if the cookie is expired but the session key is valid (validated
> >>>>>> against the database), call FormsAuthentication.RenewTicketIfOld
> >>>>>> and re-set the forms authentication cookie?
> >>>>>>
> >>>>>> It looks like this would be a good check for making sure that if
> >>>>>> someone steals the forms authentication cookie and somehow
> >>>>>> decrypts it, they still wouldn't be able to log in because of a
> >>>>>> server-side check? Or maybe this is not necessary, creates
> >>>>>> overhead, and is not secure at all? I just want some opinions.
> >>>>>>
> >>>>>> Thanks in advance,
> >>>>>> Eric
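One way to implement the check discussed in this thread, as an added example that is not code from any of the posters: a Global.asax handler that decrypts the forms ticket on every request, honours it only while the session key carried in its UserData is alive on the server, and re-issues the cookie when the ticket is expired or past half its window (the same threshold RenewTicketIfOld uses). The Sessions dictionary and the 20 minute timeout are assumptions standing in for the poster's database table.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Security;
public class Global : HttpApplication
{
    // Hypothetical in-memory store standing in for the database table:
    // session key (carried in the ticket's UserData) -> when it was last seen.
    private static readonly Dictionary<string, DateTime> Sessions = new Dictionary<string, DateTime>();
    private const int SessionTimeoutMinutes = 20;
    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        HttpCookie cookie = Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return;
        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { ticket = null; }           // tampered value or wrong machineKey
        if (ticket == null) { Reject(); return; }

        // Server-side check: the ticket is honoured only while the session key it carries
        // is alive in the store; every accepted request extends that session.
        DateTime now = DateTime.Now;
        lock (Sessions)
        {
            DateTime lastSeen;
            if (!Sessions.TryGetValue(ticket.UserData, out lastSeen)
                || now - lastSeen > TimeSpan.FromMinutes(SessionTimeoutMinutes)) { Reject(); return; }
            Sessions[ticket.UserData] = now;
        }

        // Re-issue the cookie only when the ticket is expired or past half its window
        // (the same threshold RenewTicketIfOld uses), not on every request.
        TimeSpan window = ticket.Expiration - ticket.IssueDate;
        if (!ticket.Expired && now - ticket.IssueDate < TimeSpan.FromTicks(window.Ticks / 2)) return;
        FormsAuthenticationTicket renewed = new FormsAuthenticationTicket(ticket.Version, ticket.Name,
            now, now + window, false /* never persistent */, ticket.UserData, ticket.CookiePath);
        HttpCookie fresh = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(renewed));
        fresh.HttpOnly = true;
        fresh.Secure = true;                           // SSL only, as the thread requires
        fresh.Path = renewed.CookiePath;
        Response.Cookies.Add(fresh);
        Request.Cookies.Set(fresh);                    // so FormsAuthenticationModule sees the renewed ticket
    }
    private void Reject()
    {
        Request.Cookies.Remove(FormsAuthentication.FormsCookieName);  // this request becomes anonymous
        FormsAuthentication.SignOut();                                 // and the browser's cookie is cleared
    }
}
```

Because the ticket is decrypted before FormsAuthenticationModule runs, an expired ticket whose session key is still alive is replaced in Request.Cookies in time for the module to accept it; a stolen cookie whose server-side session has lapsed is rejected regardless of what the ticket says.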