Article ID: 900111 - View products that this article applies to.
Beta InformationThis article discusses a Beta release of a Microsoft product. The information in this article is provided as-is and is subject to change without notice.
No formal product support is available from Microsoft for this Beta product. For information about how to obtain support for a Beta release, see the documentation that is included with the Beta product files, or check the Web location where you downloaded the release.
This article describes limitations of the FormsAuthentication.SignOut method, and provides more information about how to ease cookie reply attacks when a forms authentication cookie may have been obtained by an malicious user. This article introduces the following methods that you can use to help reduce cookie replay attacks in Microsoft ASP.NET applications:
This article describes an issue that may occur if a forms authentication cookie is obtained by a malicious user. In this scenario, the cookie may be used to authenticate to a Forms authentication ASP.NET application after the FormsAuthentication.SignOut method has been called. A malicious user would have no way to obtain the forms authentication cookie of another user unless the system of that user has been compromised.
The FormsAuthentication.SignOut method removes the forms authentication cookie from the client computer. However, the FormsAuthentication.SignOut method does not store any persistent representation on the server of the user signing out. Therefore, if the forms authentication cookie is not appropriately protected and the cookie is maliciously obtained by a third party, that cookie can be used to authenticate to the server after the FormsAuthentication.SignOut method has been called. This behavior can occur until the expiration of the forms authentication ticket that is contained in the cookie.
Note Although a cookie also has expiration, forms authentication always uses the expiration time that is contained inside the forms authentication ticket when forms authentication determines whether the ticket is considered expired.
To help reduce the chances of such an attack, help enhance the protection of the forms authentication cookie by using Secure Sockets Layer (SSL). You should also use absolute expiration instead of a sliding expiration. Absolute expiration restricts the Time to Live (TTL) for the forms authentication ticket.
ASP.NET 2.0 also adds functionality that you can use to help reduce replay attacks by using the forms authentication cookie. You can use the Membership class in ASP.NET 2.0 to promote a more secure solution to sign out forms authentication users.
Help protect the application by using SSLBy configuring the Web application in Microsoft Internet Information Services (IIS) so that SSL is required, all information that is passed between the client and the Web browser will be encrypted. When you use this method, the requireSSL attribute of the <forms> element should also be set to true. When this attribute is true, a compliant browser will not send the cookie unless the connection is being sent through SSL, and the forms authentication feature will never issue a cookie over a non-SSL connection.
In cases where a site has some pages that are under SSL and other pages that are not under SSL, the requireSSL attribute is designed to make sure that the browser does not send the forms authentication cookie when non-SSL pages are requested. However, the user agent has the responsibility to enforce the rule that the browser does not send the forms authentication cookie when non-SSL pages are requested. Therefore, if you configure the whole application to require SSL, you help enhance security.
For more information about how to configure an application for SSL, click the following article number to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/299875/ )How to implement SSL on a Windows 2000 IIS 5.0 computer
Enforce TTL and absolute expirationBy using a short TTL that can be configured through the timeout attribute of the <forms> element, you can help reduce the risk of a cookie replay attack. You also must notice that the slidingExpiration attribute should be set to false. By default, the setting in ASP.NET 2.0 is true.
Use HttpOnly cookies and forms authentication in ASP.NET 2.0In ASP.NET 2.0, forms authentication cookies are HttpOnly cookies. HttpOnly cookies cannot be accessed by using a client script. However, the HttpOnly property is only available in Microsoft Internet Explorer 6 Service Pack 1 (SP1). Previous user agents will ignore the property.
For more information about HttpOnly cookies, visit the following Microsoft Developer Network (MSDN) Web site:
Use the Membership class in ASP.NET 2.0When you implement forms authentication in ASP.NET 2.0, you have the option of storing user information in a Membership provider. This option is a new feature that is introduced in ASP.NET 2.0. The MembershipUser object contains specific users.
If the user is logged in, you can store this information in the Comment property of the MembershipUser object. If you use this property, you can develop a mechanism to reduce cookie replay issues in ASP.NET 2.0. This mechanism would follow these steps:
For more information about how to help protect forms authentication cookies by using SSL, click the following article number to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/813829/ )Help secure forms authentication by using Secure Sockets Layer (SSL)
Article ID: 900111 - Last Review: May 24, 2007 - Revision: 4.3