Authorization security of ASP.NET Forms authentication


I'm using Forms authentication in an ASP.NET MVC website and I store the user account login name in the AuthCookie like this:

FormsAuthentication.SetAuthCookie(account.Login, false);

I want to ask if there is a possibility that a user on the client side will somehow manage to change his login name in the AuthCookie and thus, for example, impersonate someone with higher privileges and be authorized to do more actions than he is normally supposed to. Also, is it better to save in this cookie the user account login name or the user account ID number?


1:

Cookies are encrypted so the chances for this are quite slim. But still..

More than one property approach

If you'd like to make your security even tighter you could save the username as well as the user ID or any other data that can't be guessed from the username. The combination of these makes it safer because if you can guess one it's harder to guess the others and use the correct combination of them. I.e. if you guess another user's email/username it's a bit harder to guess the same user's ID, because they're not related. So the more unrelated properties you combine, the more steps it takes to get the right combination.

Logon security token approach

You could use an alternative approach described in this scenario:
  1. User logs in.
  2. Generate a random security logon token that can be of random length with some minimum length defined and save it against the user in the data store. This is probably not a problem as it's quite common that other data is stored at logon as well, like LastLogonDate info.
  3. Use this token and save it in the cookie instead of the username or other info.
  4. If the user logs out, clear the logon security token from the data store.
  5. User logs in again... go back to 1 and create a new token again and use it in this session.
This way it will make it safer in the long run, because this information will change on each login and if the user does manually log out you can always clear this token from the store, so it won't be possible at all to inject anyone else's identity. This does make it a bit more complicated to use permanent cookies though, but it can still be done. This approach is not bullet proof but it provides an additional security level that prevents the same attack over and over again when one account has been compromised. And also when one account is compromised it doesn't mean that others must be as well. If your security tokens are long enough it would be hard enough to start a brute force attack on your site, and while this kind of attack would be executed the security tokens will change, so it is definitely safer.
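The logon security token approach above, written out as an added example for an ASP.NET MVC controller. This is not code from the question or from any of the answers; the IUserStore interface, its methods, and the AccountController and route names are hypothetical, and it assumes forms authentication is already configured in web.config (the ticket's confidentiality and integrity rest on the machineKey staying secret and on protection="All"). Two choices go slightly beyond the answer: the token is a fixed 32 random bytes from the framework CSPRNG rather than a random-length string, and the data store keeps only a SHA-256 hash of it, so a copied user table does not yield cookie values that still work.

```csharp
// Added example: "logon security token" forms-auth flow for ASP.NET MVC.
// IUserStore, AccountController and the route names are assumptions, not
// part of the original question or answers.
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Hypothetical persistence abstraction for the user table.
public interface IUserStore
{
    bool ValidateCredentials(string login, string password);
    void SaveLogonToken(string login, string tokenHash);   // overwrites the previous token
    string FindLoginByTokenHash(string tokenHash);         // null when no user holds this token
    void ClearLogonToken(string login);
}

public class AccountController : Controller
{
    private readonly IUserStore _users;

    public AccountController(IUserStore users) { _users = users; }

    [HttpPost]
    public ActionResult Login(string login, string password)
    {
        if (!_users.ValidateCredentials(login, password))
            return View();

        // Step 2: a fresh 256-bit token from the CSPRNG on every login.
        var raw = new byte[32];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(raw);
        var token = Convert.ToBase64String(raw);

        // Only the hash is stored server side; the clear token lives in the ticket.
        _users.SaveLogonToken(login, Sha256Hex(token));

        // Step 3: the token, not the login name, is the ticket's "name" value.
        FormsAuthentication.SetAuthCookie(token, false);
        return RedirectToAction("Index", "Home");
    }

    public ActionResult Logout()
    {
        // Step 4: invalidate server side first, then drop the cookie, so a
        // copy of the old cookie is useless even if it is replayed later.
        var login = CurrentLogin(HttpContext);
        if (login != null)
            _users.ClearLogonToken(login);
        FormsAuthentication.SignOut();
        return RedirectToAction("Index", "Home");
    }

    // Resolves the real login from the token carried in the decrypted ticket.
    // A null result means the token was cleared (logout) or never issued,
    // and callers should treat the request as unauthenticated.
    internal string CurrentLogin(HttpContextBase ctx)
    {
        if (ctx.User == null || !ctx.User.Identity.IsAuthenticated)
            return null;
        return _users.FindLoginByTokenHash(Sha256Hex(ctx.User.Identity.Name));
    }

    private static string Sha256Hex(string value)
    {
        using (var sha = SHA256.Create())
        {
            var hash = sha.ComputeHash(Encoding.UTF8.GetBytes(value));
            return BitConverter.ToString(hash).Replace("-", "").ToLowerInvariant();
        }
    }
}
```

One trade-off to keep in mind: with this layout User.Identity.Name is the token rather than a readable login, so anything that displays the current user (the LoginStatus control mentioned in another answer, a greeting in the layout) should show the value returned by CurrentLogin instead.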

2:

The cookie will be encrypted and decrypted on the server side, so unless the user can crack the encryption key, he or she won't be able to do this. As long as the information you store uniquely identifies your user, the choice as to what this information is is entirely down to the requirements of the particular application.

3:

No, it is not possible (well, in theory maybe, but it's not feasible in practice). The value of the authentication cookie is encrypted so the user cannot tamper with it. It is a good idea to store the (unique) login name in the authentication cookie, because when the IIdentity object (HttpContext.Current.User) is restored, the value that you passed to SetAuthCookie is used for the Name property of the IIdentity. The Name property will be shown if you use the LoginStatus control, for example, so it's a good idea that the value of the Name property makes sense to the user.

