Re: Can a user use a role from one identity on a different identity



In a web app where cookies are used as a security mechanism, if those
cookies are somehow stolen and can be reused by someone else, the thief can
generally impersonate the user. That's one of the things that makes cross
site scripting so dangerous.

This danger is common to all web apps that use cookies and is not an issue
specific to ASP.NET.

The thing to think about is the different ways that someone might be able
to steal someone else's cookies. It could be cross site scripting or it
could be by snooping on the network traffic. You can fight both of those by
coding your app to avoid XSS attacks and using SSL to prevent snooping on
the wire.

If you are worried about one user just giving another user their cookies,
there isn't a lot you can do about that. They would probably just give the
user their password instead as that is much easier.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Jeffrey" <Jeffrey@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:C6A06DC6-988D-4A0C-8B91-904952592AD1@xxxxxxxxxxxxxxxx
Thinking about my application, I am worried about an exploit that I am not
proficient enough to test. Can a user use a set of roles (fully encrypted
cookie) gained by logging in on one account and pass it to another session
with a different logon. That could make an "account administrator" of a
small account an "account administrator" of a large account for which she
may only be an "account user".

If this is true, it is a major flaw in asp.net. I am going to attempt to
block this exploit by storing the user id with a prefix as if it is a role
and verify that it is there. This is rather kludgy.
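The scenario in the thread, modelled as an added example that is not code from either poster and not ASP.NET's own role manager: a roles-cache cookie carried as base64(JSON) plus an HMAC tag, checked two ways. `roles_unbound` accepts any authentic cookie, which is the weakness Jeffrey describes (alice's "AccountAdministrator" cookie is honoured inside bob's session). `roles_bound` additionally requires the user named in the cookie to match the identity authenticated for the current request, which is the shape of the check Jeffrey proposes. The key, user names and role names are constructed for the example; in a real app the key lives in configuration and an unbound or mismatched cookie is replaced by a fresh lookup against the role store.

```python
import base64
import hashlib
import hmac
import json
import time

# Server-side signing key. Constructed for this example only; a real app keeps
# it in configuration (ASP.NET's cookie protection is keyed by the machineKey).
SERVER_KEY = b"example-only-key-do-not-reuse-0123456789abcdef"


def issue_roles_cookie(username, roles, key=SERVER_KEY, ttl=3600, now=None):
    """Build a roles-cache cookie: base64(JSON payload) + '.' + HMAC-SHA256 tag.

    The payload names the user the roles were looked up for, so the cookie is
    tied to one logon instead of being a free-floating list of role names.
    """
    issued = time.time() if now is None else now
    payload = {"user": username, "roles": sorted(roles), "exp": int(issued + ttl)}
    body = base64.urlsafe_b64encode(
        json.dumps(payload, separators=(",", ":")).encode()
    ).decode()
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def _verify(cookie, key, now):
    """Integrity and expiry check shared by both readers. Returns the payload or None."""
    body, sep, tag = cookie.partition(".")
    if not sep:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None  # forged, or edited after it was issued
    try:
        payload = json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, TypeError):
        return None
    if not isinstance(payload, dict):
        return None
    if payload.get("exp", 0) < (time.time() if now is None else now):
        return None  # stale cache entry
    return payload


def roles_unbound(cookie, key=SERVER_KEY, now=None):
    """Weak reader: trusts any authentic, unexpired cookie, whoever it was issued to.

    A valid cookie copied into a different logon's session is accepted as that
    logon's roles. This is the exploit the question describes.
    """
    payload = _verify(cookie, key, now)
    return None if payload is None else payload["roles"]


def roles_bound(cookie, authenticated_user, key=SERVER_KEY, now=None):
    """Hardened reader: the cookie must also name the currently authenticated user.

    `authenticated_user` is the identity established by the logon (in ASP.NET,
    the forms authentication ticket), not anything taken from the roles cookie.
    On mismatch the cookie is discarded and roles are re-read for that user.
    """
    payload = _verify(cookie, key, now)
    if payload is None or payload.get("user") != authenticated_user:
        return None
    return payload["roles"]


def forge_user(cookie, new_user):
    """Attacker attempt: rewrite the user field without knowing the key.

    The original tag no longer matches the edited body, so both readers reject it.
    """
    body, _, tag = cookie.partition(".")
    payload = json.loads(base64.urlsafe_b64decode(body))
    payload["user"] = new_user
    edited = base64.urlsafe_b64encode(
        json.dumps(payload, separators=(",", ":")).encode()
    ).decode()
    return f"{edited}.{tag}"


if __name__ == "__main__":
    t = 1_000_000
    alice_cookie = issue_roles_cookie("alice", ["AccountAdministrator"], now=t)
    # bob is authenticated as "bob" but presents alice's roles cookie.
    print("unbound reader, bob's session:", roles_unbound(alice_cookie, now=t))
    print("bound reader, bob's session:  ", roles_bound(alice_cookie, "bob", now=t))
    print("bound reader, alice's session:", roles_bound(alice_cookie, "alice", now=t))
    print("edited user field:            ", roles_bound(forge_user(alice_cookie, "bob"), "bob", now=t))
```

The bound reader is the whole fix; encrypting the cookie without naming its owner only prevents editing, not transplanting. The same binding argument applies to the authentication cookie itself, which is why Joe's point about XSS and SSL stands: a stolen cookie that is already bound to the victim still impersonates the victim.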




