Wednesday, March 7, 2012
ASP.NET authentication cookies and their security
http://www.campusmvp.net/web-security-asp-net-authentication-cookies-and-their-security/
What is stored in a cookie?
This cookie contains the Forms authentication ticket. The ticket, represented by the FormsAuthenticationTicket class, contains the following data/members:
- Version: the version of the ticket format.
- Name: the current user's name, unique across the whole system and the main key used to restore the authenticated session. It is also used to bind to other ASP.NET APIs such as Roles or Profile.
- Expiration: when the ticket (and the cookie) expires.
- IssueDate: the date on which the ticket was issued.
- IsPersistent: whether the cookie is persistent, i.e. saved to the hard disk.
- UserData: extra data about the user. Usually this is an empty string, since it is written by the Membership provider and the default implementations do not write anything here.
- CookiePath: the path for which the cookie is valid. The default is "/".
This information is serialized and encrypted, and the result is set as a cookie that is stored on the client side. A private method of the FormsAuthentication class named MakeTicketIntoBinaryBlob is in charge of serializing the information. It is called from another private method, Encrypt, which is in charge of the encryption.
How is a cookie encrypted?
We can control this kind of authentication through several attributes of the <forms> element in web.config. One of these attributes is protection. It can take the following values:
- Encryption: the ticket is encrypted before being saved in the cookie.
- Validation: the cookie is validated (integrity-checked), but not encrypted.
- All: the default and also the recommended value. The cookie that contains the authentication ticket is both validated and encrypted.
- None: the cookie is neither validated nor encrypted. This value is not recommended, since the cookie gets no protection at all; the only gain is performance, because no additional cryptographic processing is done.
Encryption is performed using the key material configured in the <machineKey> section of web.config. From .NET 2.0 onwards the AES algorithm is used (Advanced Encryption Standard, also known as Rijndael, the standard offering the best balance between security and speed in symmetric encryption), but other, less secure algorithms such as DES and 3DES are also supported.
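As an added example (not code from the original post), the following C# shows how the members listed above end up in a ticket, how FormsAuthentication.Encrypt protects it according to the protection setting, and how the cookie is checked on the way back in. It assumes classic ASP.NET on .NET Framework (System.Web) and that the caller passes in the current request and response; the class and method names TicketDemo, IssueCookie and ReadTicket are made up for this example.

```csharp
using System;
using System.Web;
using System.Web.Security;

public static class TicketDemo
{
    // Builds the ticket from the members described above, protects it according
    // to <forms protection="..."> (All = encrypt + validate) and writes the cookie.
    public static HttpCookie IssueCookie(HttpResponse response, string userName, bool persistent)
    {
        DateTime issued = DateTime.Now;
        var ticket = new FormsAuthenticationTicket(
            1,                                  // Version
            userName,                           // Name: key used to restore the session
            issued,                             // IssueDate
            issued.AddMinutes(30),              // Expiration
            persistent,                         // IsPersistent
            string.Empty,                       // UserData: empty by default
            FormsAuthentication.FormsCookiePath // CookiePath
        );

        // Encrypt() serializes the ticket (MakeTicketIntoBinaryBlob) and protects
        // it with the <machineKey> material; the output is the cookie value.
        string blob = FormsAuthentication.Encrypt(ticket);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, blob)
        {
            HttpOnly = true,                         // not readable from client script
            Secure = FormsAuthentication.RequireSSL, // HTTPS only when requireSSL is set
            Path = ticket.CookiePath
        };
        if (persistent)
            cookie.Expires = ticket.Expiration;      // persistent: browser stores it on disk
        response.Cookies.Add(cookie);
        return cookie;
    }

    // Reads the cookie back. With protection="All", a tampered or foreign cookie
    // fails the validation step inside Decrypt() and yields no usable ticket.
    public static FormsAuthenticationTicket ReadTicket(HttpRequest request)
    {
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return null;
        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { return null; }           // malformed blob or wrong key
        if (ticket == null || ticket.Expired) return null;
        return ticket;                               // ticket.Name is the authenticated user
    }
}
```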