Re: Question about cookie protection and FormsAuthentication.Encry



You are right :)

But there is a 4th purpose:

The FormsAuthenticationModule has to read the cookie on every request - the protection setting tells the module whether the cookie ought to be encrypted and signed.


-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

Sorry.. I was a little unclear in my follow-up.. I'm trying to figure
out what the correlation between protection="all" in the web.config,
FormsAuthentication.Encrypt, and actually having the cookie be
protected is.

But, based upon your responses, I think I am putting it together.. it
just took a while to sink in. Is the following statement correct?:

The built-in .NET SetAuthCookie/GetAuthCookie/RedirectFromLogin reads
the protection="all" tag from the web.config to determine whether or
not to call FormsAuthentication.Encrypt to protect the cookie.
However, if I manually create the cookie, then specifying
protection="All" doesn't actually do anything for me, since its sole
purpose was to tell those 3 functions above whether to encrypt or not.

Is that right? Thanks again for all the responses!

"Dominick Baier" wrote:

If you don't enforce encryption and validation - everybody can create
a ticket and use it to log on to your application - that's the
implication ;)

-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications
(http://www.microsoft.com/mspress/books/9989.asp)

Just to make sure I am clear on this... are you saying if I manually
created the authentication ticket and I don't call
FormsAuthentication.Encrypt on the ticket then the cookie will NOT
be encrypted and tamper-proof? What are the security implications of
not having called FormsAuthentication.Encrypt when I manually create
the ticket? Thanks again for the information!

"Dominick Baier" wrote:

You only need to call Encrypt if you are manually creating the
FormsAuthenticationTicket and adding it to the cookies collection.

If you are using FormsAuthentication.SetAuthCookie or
RedirectFromLoginPage this is done automatically for you (according
to config settings).

-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications
(http://www.microsoft.com/mspress/books/9989.asp)
I'm a little unclear on when exactly I would need to use
FormsAuthentication.Encrypt. If I have the cookie protection in
the web.config set to All (i.e. <forms loginUrl="login.aspx"
protection="All">), shouldn't my cookie already be encrypted and
tamper-proof even if I don't encrypt the authentication ticket
using FormsAuthentication.Encrypt? What do I gain by also using
FormsAuthentication.Encrypt in addition to the web.config
setting? Or is this more of a double-check than anything else?



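The two paths this thread contrasts, side by side, as an added example (not code from Dominick Baier's posts or the original poster's). It assumes a web.config with `<forms loginUrl="login.aspx" protection="All">`, and the helper names (`IssueProtectedCookie`, `IssueUnprotectedCookie`, `ReadTicket`) and the `role=admin` userData payload are illustrative assumptions. The protected path is what SetAuthCookie/RedirectFromLoginPage do internally; the unprotected path is the manual-cookie mistake, where protection="All" never comes into play because nothing calls Encrypt.

```csharp
// Added example: a manually built FormsAuthenticationTicket protected with
// FormsAuthentication.Encrypt, next to the unprotected cookie the thread warns
// about. Not code from the original thread. Assumes web.config contains
// <forms loginUrl="login.aspx" protection="All" />; the helper names and the
// "role=admin" userData value are assumptions for illustration only.
using System;
using System.Web;
using System.Web.Security;

public static class AuthCookieDemo
{
    // Safe path: build the ticket, run it through Encrypt (which, under
    // protection="All", encrypts and MACs it with the machineKey), and store
    // only the resulting opaque string in the cookie.
    public static HttpCookie IssueProtectedCookie(string userName, string userData, bool persistent)
    {
        var ticket = new FormsAuthenticationTicket(
            1,                                   // ticket version
            userName,
            DateTime.Now,                        // issue time
            DateTime.Now.AddMinutes(30),         // expiry
            persistent,
            userData,                            // e.g. roles; opaque to the client once encrypted
            FormsAuthentication.FormsCookiePath);

        string encrypted = FormsAuthentication.Encrypt(ticket);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encrypted)
        {
            HttpOnly = true,                             // keep the ticket away from script
            Secure = FormsAuthentication.RequireSSL,     // honour requireSSL from config
            Path = FormsAuthentication.FormsCookiePath
        };
        if (persistent)
            cookie.Expires = ticket.Expiration;
        return cookie;
    }

    // The mistake discussed in the thread: writing ticket fields into the cookie
    // yourself. protection="All" never applies because Encrypt is never called;
    // anyone can mint "alice|role=admin" and the server cannot tell the difference.
    public static HttpCookie IssueUnprotectedCookie(string userName, string userData)
    {
        string plain = userName + "|" + userData;        // readable, forgeable, no MAC
        return new HttpCookie(FormsAuthentication.FormsCookieName, plain);
    }

    // What FormsAuthenticationModule does on every request, made explicit:
    // Decrypt checks the MAC and decrypts; a forged or tampered value comes back
    // as null or raises an exception, never as a usable ticket.
    public static FormsAuthenticationTicket ReadTicket(HttpCookie cookie)
    {
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
            return null;
        try
        {
            FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(cookie.Value);
            if (ticket == null || ticket.Expired)
                return null;
            return ticket;
        }
        catch (Exception)    // invalid or forged data: treat as unauthenticated
        {
            return null;
        }
    }

    // Typical use from a login page after credentials have been verified.
    public static void Login(HttpResponse response, string userName)
    {
        response.Cookies.Add(IssueProtectedCookie(userName, "role=user", false));
    }
}
```

Note that `IssueUnprotectedCookie` produces a value `ReadTicket` will reject, since `Decrypt` expects the hex-encoded, MAC'd blob that `Encrypt` emits; conversely, a cookie produced by `IssueProtectedCookie` round-trips through `ReadTicket` only while the `machineKey` used to sign it is unchanged, which is also why a web farm needs an explicit, shared `machineKey` rather than the auto-generated one.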


