asp.net - FormsAuthentication: Is it secure?


Using the FormsAuthentication built into ASP.NET, it's quick and easy to create a login system that creates a cookie for authenticated users:

    FormsAuthentication.SetAuthCookie(uniqueUsername, false);

paired with this code in the web.config file:

    <authentication mode="Forms">
      <forms loginUrl="login.aspx" timeout="30" defaultUrl="dashboard.aspx" protection="All" />
    </authentication>
    <authorization>
      <deny users="?" />
    </authorization>

This bounces requests to login.aspx until the user is approved and the cookie is created using the SetAuthCookie() method call.

Is this secure enough?
My rule of thumb is to not store data on the client that they've not sent me. I've done this in the past by holding the username and password used in a cookie and re-authenticating on every request.

There's the overhead of re-authenticating every time with this approach, but it means I'm not storing server data on the client.

My worry
My concern is that, using the SetAuthCookie() method call, the username is being stored on the client machine. Is it possible to break the encryption being used and substitute the username being stored with another?

I think I'm being overly paranoid and that the type and level of encryption being used is adequate, but I thought I'd get expert input on the topic.

"So I've done this in the past by holding the username and password used in a cookie and re-authenticating on every request."

You should not use that approach. The password should not be stored in the authentication ticket. The reason being, if the authentication ticket is compromised, the attacker has the user's password. This risk can be mitigated by encrypting the authentication ticket cookie, but I presume you are storing the cookie in plain text.

"My concern is that, using the SetAuthCookie() method call, the username is being stored on the client machine. Is it possible to break the encryption being used and substitute the username being stored with another?"

As Shiraz noted, the cookie is only persisted on the client machine if you create a persistent cookie. (One of the parameters to SetAuthCookie indicates whether or not to create such a cookie.)

Even if they broke the encryption scheme and modified the cookie to supply a different username, they'd run into problems because the authentication ticket is digitally signed, meaning ASP.NET can detect if the contents of the cookie have been modified. To forge the digital signature the attacker would need to know the salt used by the server, and if a user can figure that out it implies they have access to the web server's file system, in which case you've got bigger problems.

Another thing to understand is that the authentication ticket has an expiry, which puts a finite lifetime on the validity of the ticket. So if someone steals a user's cookies, the time the attacker has to use the stolen ticket is limited based on the timeout value you specify for the forms authentication system (30 minutes by default).

In conclusion, the official ASP.NET forms authentication system is going to be more secure than what a lone developer is able to implement. Developers should strive to use the forms authentication system rather than roll their own solution for a myriad of reasons, including better security, not having to reinvent the wheel, adopting standard practices so that other developers who join the team don't have a large learning curve to get up to speed, and so on.

For more nitty-gritty details on the forms authentication system, how the ticket is secured, how the various <forms> configuration settings work, and so on, see: Forms Authentication Configuration and Advanced Topics.
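The ticket handling the answer describes, as an added example in C# (this is not code from the original question or answer). It assumes the <forms> settings from the question (protection="all", timeout="30"); ValidateCredentials is a hypothetical stand-in for whatever credential check the application uses, and the tamper demonstration flips one character of the encrypted ticket to show that Decrypt rejects it because the signature no longer matches.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added example, not from the original question or answer.
// Assumes <forms protection="All" timeout="30" /> in web.config.
public static class FormsAuthDemo
{
    // Hypothetical credential check (assumption: the application uses the
    // Membership provider; substitute ASP.NET Identity or your own store).
    // The password is checked once, here, on the server, and never leaves.
    private static bool ValidateCredentials(string userName, string password)
    {
        return Membership.ValidateUser(userName, password);
    }

    // Login handler: the only thing that reaches the client is the encrypted
    // and signed ticket carrying the user name plus issue and expiry times.
    public static void Login(string userName, string password)
    {
        if (!ValidateCredentials(userName, password))
        {
            throw new HttpException(401, "Invalid credentials");
        }

        // createPersistentCookie: false -> session cookie, not written to disk.
        FormsAuthentication.SetAuthCookie(userName, createPersistentCookie: false);
    }

    // Read back the ticket ASP.NET issued. A cookie modified on the client
    // fails the validation check inside Decrypt, which reports that as a
    // null ticket or an HttpException depending on the framework version.
    public static FormsAuthenticationTicket ReadTicket(HttpRequest request)
    {
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
        {
            return null;
        }

        FormsAuthenticationTicket ticket;
        try
        {
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (HttpException)
        {
            return null; // signature or format check failed: unauthenticated
        }

        if (ticket == null || ticket.Expired)
        {
            return null; // missing, tampered, or past the timeout="30" window
        }
        return ticket;
    }

    // Demonstrates the tamper check without a browser: build a ticket the way
    // SetAuthCookie does, change one hex digit of the protected value, decrypt.
    public static bool TamperedTicketIsRejected()
    {
        var ticket = new FormsAuthenticationTicket(
            version: 1,
            name: "alice",                          // constructed sample user
            issueDate: DateTime.Now,
            expiration: DateTime.Now.AddMinutes(30),
            isPersistent: false,
            userData: "");                          // never put the password here

        string encrypted = FormsAuthentication.Encrypt(ticket);

        // Flip the last hex digit so the value is still well-formed hex but the
        // authenticated blob no longer matches its signature.
        char last = encrypted[encrypted.Length - 1];
        char flipped = last == '0' ? '1' : '0';
        string tampered = encrypted.Substring(0, encrypted.Length - 1) + flipped;

        try
        {
            return FormsAuthentication.Decrypt(tampered) == null;
        }
        catch (HttpException)
        {
            return true; // rejected with an exception instead of a null ticket
        }
    }
}
```

The FormsAuthenticationModule already performs the decrypt and expiry checks that ReadTicket shows on every request and populates HttpContext.User, so application code normally tests User.Identity.IsAuthenticated rather than touching the cookie; ReadTicket is only here to make the checks visible. Two existing <forms> settings worth pairing with this: requireSSL="true", so the cookie is only sent over HTTPS, and slidingExpiration, which is true by default and renews the ticket on activity, so the 30-minute limit the answer mentions is a limit on inactivity unless you set it to false. On more than one server, a fixed <machineKey> validationKey and decryptionKey is required, otherwise each server rejects tickets issued by the others.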
