Wrox Programmer Forums
ASP.NET 1.0 and 1.1 Basics ASP.NET discussion for users new to coding in ASP.NET 1.0 or 1.1. NOT for the older "classic" ASP 3 or the newer ASP.NET 2.0.
Welcome to the p2p.wrox.com Forums.

You are currently viewing the ASP.NET 1.0 and 1.1 Basics section of the Wrox Programmer to Programmer discussions. This is a community of software programmers and website developers including Wrox book authors and readers. New member registration was closed in 2019. New posts were shut off and the site was archived into this static format as of October 1, 2020. If you require technical support for a Wrox book please contact http://hub.wiley.com
 
Old February 29th, 2004, 01:46 PM
Friend of Wrox
 
Join Date: Oct 2003
Posts: 336
Thanks: 0
Thanked 0 Times in 0 Posts
FormsAuthentication Class

I am using the FormsAuthentication class to authenticate users to view my web pages, but I am afraid that I read it stores its authentication data in cookies, and I think it's not secure.

Does anyone have a comment?

Ahmed Ali
Software Developer
__________________
Ahmed Ali
Senior Software Developer
 
Old February 29th, 2004, 02:09 PM
Imar's Avatar
Wrox Author
 
Join Date: Jun 2003
Posts: 17,089
Thanks: 80
Thanked 1,576 Times in 1,552 Posts

If you implement Forms Authentication correctly, the cookie is encrypted before it is sent to the user.

Therefore, it's a pretty safe solution....


Cheers,

Imar

---------------------------------------
Imar Spaanjaars
Everyone is unique, except for me.
 
Old February 29th, 2004, 02:24 PM
Friend of Wrox
 
Join Date: Oct 2003
Posts: 336
Thanks: 0
Thanked 0 Times in 0 Posts

So I am right: FormsAuthentication stores its authentication data in cookies.

I was depending on sessions for authentication before, which is secure for me, but with a cookie I am now giving a hacker a gift :)

I am so worried now.
Which way to choose?


Ahmed Ali
Software Developer
 
Old February 29th, 2004, 02:57 PM
planoie's Avatar
Friend of Wrox
 
Join Date: Aug 2003
Posts: 5,407
Thanks: 0
Thanked 16 Times in 16 Posts

Quote (originally posted by alyeng2000):
    I was depending on sessions for authentication before, which is secure for me, but with a cookie I am now giving a hacker a gift :)
How is the session stored? In memory on the server.
How is the user's session identified to the server? A cookie.
If you can sniff out a user's session cookie, you could potentially spoof the session, thus making it not very secure.

Unless you use some method of encryption, no one way will be any better than another because in the end they all need to use some kind of cookie to identify the user. As Imar suggested, proper implementation of forms authentication uses an encrypted cookie.

Now, I would assume that if you can sniff out that encrypted cookie, you might not be able to see what the encrypted data contains, but you could potentially still spoof a session. That's about as safe as you're going to get with a web application.

Peter
------------------------------------------------------
Work smarter, not harder.
 
Old February 29th, 2004, 03:00 PM
Imar's Avatar
Wrox Author
 
Join Date: Jun 2003
Posts: 17,089
Thanks: 80
Thanked 1,576 Times in 1,552 Posts

Well, choose whatever makes the most sense to you. After all, Sessions *do* use cookies as well. So, theoretically, a hacker could capture any communication between the client and the server, and then perform a replay attack with the cookie for the session, getting access to the values in the Session object at the server.

This isn't your day-to-day hack, and you need quite some skills and access to the correct network / servers, so most sites are not really vulnerable to this attack. AFAIK, both FormsAuthentication and Sessions are vulnerable to this situation.
If you want a really secure solution, protect the communication between the client and the server using SSL / TLS.

Cheers,

Imar


---------------------------------------
Imar Spaanjaars
Everyone is unique, except for me.
 
Old February 29th, 2004, 06:58 PM
Friend of Wrox
 
Join Date: Oct 2003
Posts: 336
Thanks: 0
Thanked 0 Times in 0 Posts

Thanks to both of you, Imar and Peter.

Whenever I read about sessions and cookies, a cookie is used whenever the security issue is not taken into consideration, so I based my last words upon that.

Secondly, I am not talking about sniffing. I was expecting that a user who actually uses the program could modify his privileges, which could be stored in a cookie, or even modify the stored cookies to inform the server that he is logged in, so I was worried about storing them in cookies.


 
Quote (Peter):
    How is the session stored? In memory on the server.
    How is the user's session identified to the server? A cookie.
Peter, I thought that even though, as you say, the session is identified to the server using cookies, the data is stored on the server.

Thanks to all of you. Waiting for comments.

Ahmed Ali
Software Developer
 
Old March 1st, 2004, 04:06 AM
Imar's Avatar
Wrox Author
 
Join Date: Jun 2003
Posts: 17,089
Thanks: 80
Thanked 1,576 Times in 1,552 Posts

Well, you're right. By storing the information in a Session, which is identified by a cookie at the client, you eliminate the user's possibility to directly change the information in the Session. So, if you keep a list with roles, or something like Session("UserRights") = "Member", you're better off with Sessions than with just cookies.

Using cookies would allow the user to change the value of the cookies directly, so instead of Member they could change themselves to an Admin.

When you're using FormsAuthentication, you effectively store a ticket as a cookie on the client. This ticket can contain user data (a UniqueID, Roles, whatever) and is usually encrypted before it is sent to the client, to prevent alterations.

But if you want, you can still use Sessions for sensitive data. Just use FormsAuthentication to enable Login / Logout. Inside your app, store Roles information or other secret data in the Session object.

And again, if you want to be really safe, combine this with TLS. This adds an extra layer of security because it makes it impossible for others to perform a replay attack and spoof a Session.

Cheers,

Imar

---------------------------------------
Imar Spaanjaars
Everyone is unique, except for me.
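The following is an added example, not code from the thread or from ASP.NET itself, that models the three designs the posts above compare: a role stored directly in a cookie (what Ahmed feared), a server-side Session identified by a random cookie (Peter's and Imar's point that it is still replayable), and an authenticated ticket in the style of FormsAuthentication (Imar's point that a protected ticket cannot be edited from Member to Admin). The ticket format here is a JSON payload with an HMAC-SHA256 tag and is an assumption for illustration only; the real ASP.NET ticket format is different and is governed by the machineKey configuration. The key, the user names and the roles are constructed sample data.

```python
"""Plain cookie vs. server-side session vs. authenticated ticket.

Added example code. The ticket format (JSON + HMAC-SHA256, base64url,
dot-separated) is illustrative and is NOT the real ASP.NET ticket format.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # stands in for the server-side validation key
SESSIONS = {}                         # stands in for in-process Session state


# --- 1. Plain cookie: the client controls the data -----------------------
def plain_cookie(user, role):
    return f"user={user};role={role}"


def role_from_plain_cookie(cookie):
    fields = dict(kv.split("=", 1) for kv in cookie.split(";"))
    return fields["role"]  # the server trusts whatever the browser sends


# --- 2. Server-side session identified by a random cookie ---------------
def start_session(user, role):
    sid = secrets.token_urlsafe(24)  # unguessable identifier; carries no data
    SESSIONS[sid] = {"user": user, "role": role}
    return sid


def role_from_session(sid):
    # Nothing to edit on the client, but a copied sid works for anyone who holds it
    return SESSIONS[sid]["role"] if sid in SESSIONS else None


# --- 3. Authenticated ticket (FormsAuthentication-style, illustrative) ---
def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_ticket(user, roles, ttl_seconds=1800, now=None):
    now = time.time() if now is None else now
    payload = json.dumps({"user": user, "roles": roles, "exp": now + ttl_seconds}).encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def read_ticket(ticket, now=None):
    """Return the ticket payload, or None if it was altered, malformed or expired."""
    now = time.time() if now is None else now
    try:
        p, t = ticket.split(".")
        payload, tag = _unb64(p), _unb64(t)
    except Exception:
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    data = json.loads(payload)
    return data if data["exp"] > now else None


def tamper_ticket(ticket, new_roles):
    """What a user editing the cookie in the browser can do: rewrite the payload."""
    p, t = ticket.split(".")
    data = json.loads(_unb64(p))
    data["roles"] = new_roles
    return _b64(json.dumps(data).encode()) + "." + t  # old tag no longer matches


def demo():
    results = {}
    # 1. Plain cookie: editing the text is enough to become Admin
    edited = plain_cookie("ahmed", "Member").replace("Member", "Admin")
    results["plain_tampered"] = role_from_plain_cookie(edited)
    # 2. Session: role lives on the server, but a sniffed sid replays fine
    sid = start_session("ahmed", "Member")
    results["session_role"] = role_from_session(sid)
    results["session_replayed"] = role_from_session(sid)
    # 3. Ticket: editing breaks the MAC; an untouched copy replays until expiry
    tk = issue_ticket("ahmed", ["Member"], now=1000.0)
    results["ticket_tampered"] = read_ticket(tamper_ticket(tk, ["Admin"]), now=1001.0)
    results["ticket_replayed"] = read_ticket(tk, now=1001.0)["roles"]
    results["ticket_expired"] = read_ticket(tk, now=1000.0 + 1801)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Only the first design lets the user promote himself; the other two stop that but, as the replies say, neither stops someone who has captured the cookie from presenting it again, which is why the thread ends at TLS. In ASP.NET 1.1 the equivalent of the tag check above is the `protection="All"` setting on the `<forms>` element (encryption plus validation of the ticket), and `requireSSL="true"` makes the ticket cookie secure-only so it is not sent over plain HTTP.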
 
Old March 3rd, 2004, 02:19 AM
Friend of Wrox
 
Join Date: Jun 2003
Posts: 996
Thanks: 2
Thanked 11 Times in 11 Posts

Let me give you a sample for that :)
Code:
```csharp
// Issue the forms-authentication ticket; false = non-persistent (session cookie only)
FormsAuthentication.SetAuthCookie(CommLogin.Parameters["@UserID"].Value.ToString(), false);
// Keep the access level server-side in Session rather than in the cookie
Session.Add("UserAcc", CommAccList.Parameters["@Access"].Value.ToString());
Session.Timeout = 30; // minutes
// ReturnUrl is taken from the query string as-is (not validated here)
Response.Redirect(Request.QueryString.Get("ReturnUrl"));
```
Always:),
Hovik Melkomian.
Powered by vBulletin®
Copyright ©2000 - 2020, Jelsoft Enterprises Ltd.
Copyright (c) 2020 John Wiley & Sons, Inc.