Re: Question about cookie protection and FormsAuthentication.Encry



If you don't enforce encryption and validation, everybody can create a ticket and use it to log on to your application; that's the implication ;)

-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

Just to make sure I am clear on this... are you saying if I manually
created the authentication ticket and I don't call
FormsAuthentication.Encrypt on the ticket then the cookie will NOT be
encrypted and tamper-proof? What are the security implications of not
having called FormsAuthentication.Encrypt when I manually create the
ticket? Thanks again for the information!

"Dominick Baier" wrote:

You only need to call Encrypt if you are manually creating the
FormsAuthenticationTicket and adding it to the cookies collection.

If you are using FormsAuthentication.SetAuthCookie or
RedirectFromLoginPage this is done automatically for you (according
to config settings).

-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications
(http://www.microsoft.com/mspress/books/9989.asp)

I'm a little unclear on when exactly I would need to use
FormsAuthentication.Encrypt. If I have the cookie protection in the
web.config set to All (i.e. <forms loginUrl="login.aspx"
protection="All">), shouldn't my cookie already be encrypted and
tamper-proof even if I don't encrypt the authentication ticket using
FormsAuthentication.Encrypt? What do I gain by also using
FormsAuthentication.Encrypt in addition to the the web.config
setting? Or is this more of a double-check than anything else?
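To make the difference concrete, here is an added example (not code from any of the posts above) of the two ways a hand-built FormsAuthenticationTicket can end up in a cookie. It assumes an ASP.NET 2.0 Web Forms application with <forms protection="All"> in web.config; the class and method names (TicketHelper, IssueUnprotectedCookie, IssueProtectedCookie, ReadTicket) are made up for illustration. The first method shows the situation Dominick is warning about: the ticket's fields are written into the cookie as plain text, so a client can type a value such as "alice|2030-01-01T00:00:00|" into the cookie and the server has no way to tell it from a ticket it issued. The second method calls FormsAuthentication.Encrypt, which applies whatever protection level web.config specifies, and the reader uses FormsAuthentication.Decrypt, which refuses a value whose MAC does not verify.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added example for this thread, not code from the original posts.
// Assumes <forms protection="All"> in web.config; names are illustrative.
public static class TicketHelper
{
    // WHAT THE THREAD WARNS ABOUT: the ticket is created by hand and its
    // fields are copied into the cookie without FormsAuthentication.Encrypt.
    // Nothing is encrypted and nothing is MACed, so any client can write
    // "alice|<future date>|" into the cookie and be "logged on" as alice.
    public static HttpCookie IssueUnprotectedCookie(string userName)
    {
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.AddMinutes(30), false, "");
        string value = ticket.Name + "|" +
                       ticket.Expiration.ToString("o") + "|" +
                       ticket.UserData;
        return new HttpCookie(FormsAuthentication.FormsCookieName, value);
    }

    // CORRECT: Encrypt() applies the protection level from web.config.
    // With protection="All" the value is both encrypted and MACed, so the
    // client can neither read nor alter it. (With protection="None" this
    // call only encodes the ticket, so the web.config setting still matters.)
    public static HttpCookie IssueProtectedCookie(string userName, string userData)
    {
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.AddMinutes(30), false, userData);
        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                           FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;                          // keep it away from script
        cookie.Secure = FormsAuthentication.RequireSSL;  // honour requireSSL="true"
        cookie.Path = FormsAuthentication.FormsCookiePath;
        return cookie;
    }

    // Reading it back: Decrypt() checks the MAC before anything is trusted.
    // A forged or edited value yields null (or throws), never a ticket.
    public static FormsAuthenticationTicket ReadTicket(HttpCookie cookie)
    {
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
            return null;
        try
        {
            FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(cookie.Value);
            if (ticket == null || ticket.Expired)
                return null;
            return ticket;
        }
        catch (Exception)   // tampered or undecryptable cookie value
        {
            return null;
        }
    }
}

// Usage in a login page after the credentials have been checked:
//   Response.Cookies.Add(TicketHelper.IssueProtectedCookie(userName, "Users"));
```

Two checks worth doing in a real deployment: confirm the effective protection attribute is "All" (it is the default, but a stray protection="None" or "Validation" in a parent web.config silently downgrades what Encrypt does), and in a web farm set an explicit <machineKey> so every node validates and decrypts with the same keys.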





