Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
617 views
in Technique[技术] by (71.8m points)

asp.net - Form Authentication - Cookie replay attack - protection

I am being asked about cookie replay attacks with my ASP.NET websites forms authentication.

I have followed the advice below to protect against any attack but think that the site is still vulnerable if somebody manages to get at the cookie (albeit only for a short time). Is there a way to completely destroy the forms authentication session on logout so that even if someone had stolen the cookie there would be no chance of using it maliciously

Advice followed was

We believe we have taken all responsible steps we can to protect against this within the confines of ASP.NET. Please see detailed response below.

However we have implemented the recommended steps from Microsoft to defend against this (see http://support.microsoft.com/default.aspx?scid=kb;en-us;900111)

· The authentication cookie is never written to a client machine making it hard to steal.

· The application is run-able via SSL so a cookie is never issued over a non secure connection

· We enforce absolute expiration with a 15 minute timeout meaning that any issues cookie is useless after that time limit

· We use httpOnly cookies so that no-one can pro grammatically intercept or alter this cookie.

So even if the above precautions were broken, which we think highly unlikely, a malicious user would only have 15 minute window to break the precautions and successfully log in

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

A simple idea is to generate a random guid and store it in the user data section of the cookie. Then, when a user logs out, you retrieve the guid from the user data and write it in a server side repository with an annotation that this "session" has ended.

Then, have an http module that checks upon every request whether or not the guid from the userdata section of your cookie doesn't point to a ended session. If yes, terminate the request with a warning that expired cookie is reused.

This comes with a cost of an additional lookup per request.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...