Re: Question about cookie protection and FormsAuthentication.Encry



You are right :)

But there is a 4th purpose:

The FormsAuthenticationModule has to read the cookie on every request - the protection setting tells the module whether the cookie ought to be encrypted and signed.


-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

Sorry, I was a little unclear in my follow-up. I'm trying to figure
out what the correlation between protection="all" in the web.config,
FormsAuthentication.Encrypt, and actually having the cookie be
protected is.

But, based upon your responses, I think I am putting it together; it
just took a while to sink in. Is the following statement correct?

The built-in .NET SetAuthCookie/GetAuthCookie/RedirectFromLogin reads
the protection="all" tag from the web.config to determine whether or
not to call FormsAuthentication.Encrypt to protect the cookie.
However, if I manually create the cookie, then specifying
protection="All" doesn't actually do anything for me, since its sole
purpose was to tell those 3 functions above whether to encrypt or not.

Is that right? Thanks again for all the responses!

"Dominick Baier" wrote:

If you don't enforce encryption and validation, everybody can create
a ticket and use it to log on to your application - that's the
implication ;)

-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications
(http://www.microsoft.com/mspress/books/9989.asp)

Just to make sure I am clear on this... are you saying if I manually
created the authentication ticket and I don't call
FormsAuthentication.Encrypt on the ticket then the cookie will NOT
be encrypted and tamper-proof? What are the security implications of
not having called FormsAuthentication.Encrypt when I manually create
the ticket? Thanks again for the information!

"Dominick Baier" wrote:

You only need to call Encrypt if you are manually creating the
FormsAuthenticationTicket and adding it to the cookies collection.

If you are using FormsAuthentication.SetAuthCookie or
RedirectFromLoginPage this is done automatically for you (according
to config settings).

-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications
(http://www.microsoft.com/mspress/books/9989.asp)

I'm a little unclear on when exactly I would need to use
FormsAuthentication.Encrypt. If I have the cookie protection in
the web.config set to All (i.e. <forms loginUrl="login.aspx"
protection="All">), shouldn't my cookie already be encrypted and
tamper-proof even if I don't encrypt the authentication ticket
using FormsAuthentication.Encrypt? What do I gain by also using
FormsAuthentication.Encrypt in addition to the web.config
setting? Or is this more of a double-check than anything else?

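An added example, not code from the thread or from Dominick Baier's book, of the two paths discussed above: building the FormsAuthenticationTicket by hand and calling FormsAuthentication.Encrypt yourself before adding the cookie, and reading the cookie back with FormsAuthentication.Decrypt the way FormsAuthenticationModule does. It targets System.Web (Forms Authentication on the .NET Framework). The class and method names, the web.config fragment in the leading comment and the 30-minute lifetime are assumptions made for this example.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Assumed web.config for this example (the setting the thread is about):
//   <authentication mode="Forms">
//     <forms loginUrl="login.aspx" protection="All" timeout="30" />
//   </authentication>
// FormsAuthentication.Encrypt/Decrypt read that "protection" value. A ticket
// you build by hand and put in the cookie yourself never goes through it
// unless you call Encrypt.
public static class ManualFormsAuthCookie   // hypothetical class name
{
    // Build the ticket manually and protect it with the configured setting.
    public static HttpCookie IssueTicket(string userName, string userData, bool persistent)
    {
        var ticket = new FormsAuthenticationTicket(
            1,                                   // ticket version
            userName,
            DateTime.Now,                        // issue date
            DateTime.Now.AddMinutes(30),         // expiration (mirrors timeout="30")
            persistent,
            userData ?? string.Empty,            // e.g. roles; never a secret
            FormsAuthentication.FormsCookiePath);

        // This is the step the thread is about. With protection="All" the
        // returned string is encrypted and MAC'd with the machine key. Without
        // this call the ticket fields would sit in the cookie in clear text,
        // and a client could write its own cookie naming any user it likes.
        string protectedValue = FormsAuthentication.Encrypt(ticket);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, protectedValue)
        {
            HttpOnly = true,                          // keep script away from the ticket
            Secure = FormsAuthentication.RequireSSL,  // honour requireSSL from web.config
            Path = FormsAuthentication.FormsCookiePath
        };
        if (persistent)
        {
            cookie.Expires = ticket.Expiration;       // otherwise a session cookie
        }
        return cookie;
    }

    // Read a ticket back the way FormsAuthenticationModule does: Decrypt checks
    // the MAC (protection="All" or "Validation") and decrypts (protection="All"
    // or "Encryption") using the same web.config setting, so a forged or edited
    // cookie value is rejected here instead of being trusted.
    public static FormsAuthenticationTicket ReadTicket(HttpCookie cookie)
    {
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
        {
            return null;
        }
        try
        {
            FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(cookie.Value);
            if (ticket == null || ticket.Expired)
            {
                return null;
            }
            return ticket;
        }
        catch (Exception)
        {
            // Depending on the runtime version Decrypt either returns null or
            // throws (ArgumentException, HttpException, CryptographicException)
            // for a malformed or tampered value; all of them mean "not signed in".
            return null;
        }
    }

    // Typical use from a login page, after the credentials have been verified.
    public static void SignIn(HttpResponse response, string userName, string roles)
    {
        response.Cookies.Add(IssueTicket(userName, roles, persistent: false));
    }
}
```

Note that protection="None" does not turn Encrypt into a no-op: it still serializes the ticket into the hex string the module expects, but nothing is signed or encrypted, so anyone who knows the layout can produce a valid-looking cookie for another user, and Decrypt will accept it. That is the implication described in the thread, and why the web.config setting and the Encrypt call are two halves of the same protection rather than a double-check.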