
I am using form authentication in my ASP.NET 2.0 website. Today during testing I was faced with a major problem.

After authentication, I have a default page createuser.aspx. From that page I am creating a new user. It is working fine.

There is a logout button in which I am clearing all sessions and redirecting to the login page. All was working fine.

During testing I used Fiddler, in which I dragged and dropped the createuser.aspx URL into the Request Builder option of Fiddler, and after changing the textbox value inside Fiddler I clicked on execute. I was shocked that the information was saved in the database.

It means I was missing some important thing in ASP.NET form authentication, because after logout all session/cookies should expire and Fiddler should not work.

I hope you all understand my problem. Please help me to find out the solution. I have doubts over authentication cookies. I don't know if I am correct or not.

  • Can you show your logout code? Commented Jul 9, 2009 at 14:40
  • Hi, what do you mean "I was shocked the information is saved in database" - isn't that what the Create User page is supposed to do? Do you mean that the Create User screen is only supposed to be called by an authenticated user? I assume that you can't reach this page in your browser when you're not logged in? Could you post the Request and Response headers from Fiddler? Commented Jul 9, 2009 at 15:32
  • Ben, as I know, Fiddler is a proxy and every text we write and select from a control is visible there. In fact we can see the password in clear text. Because we are not using SSL could be a reason for that. After logout from the form, when we drag the createuser request to "Request Builder" in Fiddler it executes the request and we can also change the controls' values there. Now the problem is I log out from the form but after that I can use Fiddler and save values, which should not happen. What is your view on that? Commented Jul 10, 2009 at 7:55

3 Answers

Answer 1 (2 votes)

See Security Tutorials on the asp.net site.

Answer 2 (1 vote)

Logging out of your web app will clear your cookies, yes.

However, dragging a previous request in Fiddler and dropping it on the Request Builder will copy the authentication cookie.

This means that when you execute the request in Fiddler, you're sending the auth cookie, which is being re-validated, and therefore the actions in CreateUser.aspx will indeed fire, and the new user details will be stored in the database.

If in the Request Headers section of Fiddler you remove the part of the cookie starting .ASPXAUTH= up to and including the next ; and probably also the ASP.NET_SessionId value as well, you'll find it working as you expect.

If you want to ensure that this sort of behaviour isn't possible, you'll probably also want to store some sort of "Logged In This Session" flag, that you clear down on Logout as well, and check for that value in the code-behind of CreateUser (or some base class if you need this behaviour on multiple pages) before performing the insert.


Edit to respond to comments:

A couple of things will help you then:

  1. Put this area of the site under SSL - therefore it will be a lot harder for someone to intercept the traffic - but not impossible, indeed Fiddler can perform a man-in-the-middle attack, and provide the client with a self-generated certificate which allows it to decrypt the information.

  2. As I said above, you'll probably want to check that both the user is authenticated (from the cookie) and that some session value is set - as you're clearing down the session, this will no longer exist when the user is re-validated via the cookie.

ASP.NET should re-validate the cookie, as that's how authentication can span session timeouts and application restarts - by removing all session data the application has no way of knowing whether the request from Fiddler is a session it's just killed, or one that timed out or was created before the last restart.


Further response to comments:

As Blowdart rightly points out, the Session and Authentication cookies aren't related, and the server doesn't keep a list of all the authentication cookies it has issued anywhere. Thus there is no difference to the server between a cookie that it issued within the forms authentication timeout, and one that was issued within the timeout that has since been removed - if the user recreates that cookie value, then it's a valid cookie. This Support Article has more information on the cookie/ticket combination:

Understanding the Forms Authentication Ticket and Cookie

The forms authentication cookie is nothing but the container for the forms authentication ticket. The ticket is passed as the value of the forms authentication cookie with each request and is used by forms authentication, on the server, to identify an authenticated user.

As I've said earlier, if the authentication ticket in the cookie wasn't accepted by the server, with no other information about the user, then persistent cookies would not work, and no matter how often the user selected "Remember me next time", the server wouldn't remember them. This is why I recommend that you don't rely on just the authentication state, but also some value in the session (which wouldn't exist for the Fiddler request after logout because the server will have destroyed that information).
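The "auth cookie plus session flag" check this answer recommends, written out as an added example for ASP.NET 2.0 WebForms (this is illustrative code, not from the question or the answer; the session key name and the ProtectedPage/AuthHelper class names are assumptions):

```csharp
// Added example: the forms authentication ticket is MAC-checked but the server keeps no
// list of issued tickets, so a captured cookie replays fine after logout. Each protected
// page therefore also requires a session flag that only the real login request sets.
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

public class ProtectedPage : Page
{
    public const string LoggedInFlag = "LoggedInThisSession";   // assumed session key

    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        // Both must hold: a valid auth cookie AND a session flag bound to the same user.
        // A replayed request after logout carries a valid cookie but an empty session.
        bool cookieOk  = Request.IsAuthenticated;
        object flag    = Session[LoggedInFlag];
        bool sessionOk = flag != null && flag.ToString() == User.Identity.Name;
        if (!cookieOk || !sessionOk)
        {
            FormsAuthentication.SignOut();
            Session.Abandon();
            FormsAuthentication.RedirectToLoginPage();   // ends the response
        }
    }
}

public static class AuthHelper
{
    // Call only after the credentials have been verified (e.g. Membership.ValidateUser).
    public static void Login(HttpContext ctx, string userName, bool persistent)
    {
        FormsAuthentication.SetAuthCookie(userName, persistent);
        ctx.Session[ProtectedPage.LoggedInFlag] = userName;   // lives only on the server
    }

    // Clearing the session server-side is what makes a replayed cookie fail OnInit above.
    public static void Logout(HttpContext ctx)
    {
        ctx.Session.Clear();
        ctx.Session.Abandon();
        FormsAuthentication.SignOut();
        FormsAuthentication.RedirectToLoginPage();
    }
}
```

Derive CreateUser.aspx (and any other page that must not be replayable) from ProtectedPage instead of Page; the check runs before the page's own event handlers, so the insert never executes for a replayed request.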

7 Comments

Thanks sir. Actually I am scared that after logout, with the help of Fiddler, the authentication cookies and sessions are revalidated at the server. It means hackers can use tools to break my application by inserting garbage data. How can I modify my logout code so that after logout, the server should not revalidate the request from Fiddler? In my logout form I am using the following code: Session.Abandon(); HttpContext.Current.Session.Clear(); HttpContext.Current.Response.Cookies.Remove("AUTHCOOKIE"); FormsAuthentication.SignOut();
You can't. If the cookie is saved and sent back again then how is ASP.NET supposed to know it was previously cleared? The authentication cookie is not linked to a session (and even then the session cookie would also be saved and sent - although the newly recreated session would have nothing saved in session state). This really is not a vulnerability.
@Blowdart - Agree totally that this is how it should work - as I said in my edit, how else will an auth cookie persist beyond app restarts etc.? This is why, if this is a concern for you, you should also check some session-based value as well - that will not be recreated by the Fiddler request.
Sir, I am clearing all the sessions and cookies at logout. It means cookies at the client will be cleared as well as the session at the server will be removed. Now the point which I am not able to get is how the ASP.NET application validates cookies from Fiddler if that cookie/session information is deleted by the server at the time of logout from the application? I would be very thankful if you could explain what I have missed.
The membership cookie is validated via a MAC signing technique. A captured cookie is valid because it's been signed correctly. Cookies do not live on the server so there is no server side clearing for them. If you send a valid session ID cookie and the session does not exist then a new, empty session is not created. None of this is a problem at all.
Answer 3 (0 votes)

We need a list of online users. Delete your user and then check it on each request. If the user did not exist or the login time was more than one day, it should give an error message.
