Ç ìÝèïäïò FormsAuthentication.SignOut äåí åìðïäßæåé ôï cookie áðüêñéóçò åðéèÝóåéò óå åöáñìïãÝò ASP.NET

Áõôü ôï Üñèñï ðåñéãñÜöåé Ýíá æÞôçìá ðïõ åíäÝ÷åôáé íá ðáñïõóéáóôåß üôáí ëáìâÜíåôáé Ýíá cookie åëÝã÷ïõ ôáõôüôçôáò öïñìþí áðü Ýíáí êáêüâïõëï ÷ñÞóôç. Óå áõôü ôï óåíÜñéï, ôï cookie ìðïñåß íá ÷ñçóéìïðïéçèåß ãéá ôïí Ýëåã÷ï ôáõôüôçôáò öïñìþí åíüò åëÝã÷ïõ ôáõôüôçôáò ôçò åöáñìïãÞò ASP.NET ìåôÜ ôçíFormsAuthentication.SignOutÝ÷åé ãßíåé êëÞóç ôçò ìåèüäïõ. ¸íáò êáêüâïõëïò ÷ñÞóôçò äåí èá Ý÷åé ôñüðï íá áðïêôÞóåôå ôï cookie åëÝã÷ïõ ôáõôüôçôáò öïñìþí áðü êÜðïéïí Üëëï ÷ñÞóôç, åêôüò áí Ý÷åé ãßíåé ãíùóôüò óôï óýóôçìá ôïõ ÷ñÞóôç.

Ãéá íáFormsAuthentication.SignOutç ìÝèïäïò êáôáñãåß ôï cookie åëÝã÷ïõ ôáõôüôçôáò öïñìþí áðü ôïí õðïëïãéóôÞ-ðåëÜôç. Ùóôüóï, ôïFormsAuthentication.SignOutìÝèïäïò äåí áðïèçêåýåé ôõ÷üí ìüíéìç áíáðáñÜóôáóç ôïõ ÷ñÞóôç õðïãñáöÞ ôï äéáêïìéóôÞ. ÅðïìÝíùò, áí ôï cookie åëÝã÷ïõ ôáõôüôçôáò öïñìþí äåí åßíáé êáôÜëëçëá ðñïóôáôåõìÝíï êáé ôï cookie ëáìâÜíåôáé ìå êáêüâïõëç ðñüèåóç áðü ôñßôï ìÝñïò, áõôü ôï cookie ìðïñåß íá ÷ñçóéìïðïéçèåß ãéá ôïí Ýëåã÷ï ôáõôüôçôáò óôï äéáêïìéóôÞ ìåôÜ ôçíFormsAuthentication.SignOutmethod has been called. This behavior can occur until the expiration of the forms authentication ticket that is contained in the cookie.

ÓÇÌÅÉÙÓÇAlthough a cookie also has expiration, forms authentication always uses the expiration time that is contained inside the forms authentication ticket when forms authentication determines whether the ticket is considered expired.

To help reduce the chances of such an attack, help enhance the protection of the forms authentication cookie by using Secure Sockets Layer (SSL). You should also use absolute expiration instead of a sliding expiration. Absolute expiration restricts the Time to Live (TTL) for the forms authentication ticket.

ASP.NET 2.0 also adds functionality that you can use to help reduce replay attacks by using the forms authentication cookie. Ìðïñåßôå íá ÷ñçóéìïðïéÞóåôå ôïMembershipclass in ASP.NET 2.0 to promote a more secure solution to sign out forms authentication users.

Help protect the application by using SSL

By configuring the Web application in Microsoft Internet Information Services (IIS) so that SSL is required, all information that is passed between the client and the Web browser will be encrypted. When you use this method, therequireSSL÷áñáêôçñéóôéêü ìå ôï<forms></forms>element should also be set toTrue. When this attribute isTrue, a compliant browser will not send the cookie unless the connection is being sent through SSL, and the forms authentication feature will never issue a cookie over a non-SSL connection.

In cases where a site has some pages that are under SSL and other pages that are not under SSL, therequireSSLattribute is designed to make sure that the browser does not send the forms authentication cookie when non-SSL pages are requested. However, the user agent has the responsibility to enforce the rule that the browser does not send the forms authentication cookie when non-SSL pages are requested. Therefore, if you configure the whole application to require SSL, you help enhance security.

For more information about how to configure an application for SSL, click the following article number to view the article in the Microsoft Knowledge Base:

Enforce TTL and absolute expiration

By using a short TTL that can be configured through thetimeout÷áñáêôçñéóôéêü ìå ôï<forms></forms>element, you can help reduce the risk of a cookie replay attack. You also must notice that theslidingExpirationattribute should be set toFALSE. By default, the setting in ASP.NET 2.0 isTrue.

Use HttpOnly cookies and forms authentication in ASP.NET 2.0

In ASP.NET 2.0, forms authentication cookies are HttpOnly cookies. HttpOnly cookies cannot be accessed by using a client script. Ùóôüóï, ôïHttpOnlyproperty is only available in Microsoft Internet Explorer 6 Service Pack 1 (SP1). Previous user agents will ignore the property.

For more information about HttpOnly cookies, visit the following Microsoft Developer Network (MSDN) Web site:

Use the Membership class in ASP.NET 2.0

When you implement forms authentication in ASP.NET 2.0, you have the option of storing user information in aMembershipprovider. This option is a new feature that is introduced in ASP.NET 2.0. Ãéá íáMembershipUserobject contains specific users.

If the user is logged in, you can store this information in theÓ÷üëéïç éäéüôçôá áðü ôïMembershipUserObject. If you use this property, you can develop a mechanism to reduce cookie replay issues in ASP.NET 2.0. This mechanism would follow these steps:

1. You create an HttpModule that hooks thePostAuthenticateRequestÓõìâÜí.
2. Óôçí ðåñßðôùóç ðïõ áðáéôåßôáéFormsIdentityobject is in theHttpContext.Userç éäéüôçôá, ôïFormsAuthenticationModuleclass recognizes the forms authentication ticket as valid. Then, thecustom HttpModuleclass obtains a reference to theMembershipUserinstance that is associated with the authenticated user.
3. You examine theÓ÷üëéïproperty to determine whether the user is currently logged in.
   
   ÓçìáíôéêüYou must store information in theÓ÷üëéïproperty that indicates when the user explicitly signed out. Also, you must clear the information that is in theÓ÷üëéïproperty when the customer eventually signs in again.

If the user is not currently logged in as indicated by theÓ÷üëéïproperty, you must take the following actions:

1. Clear the cookie.
2. Ïñéóìüò ôïõResponse.Statusproperty to 401.
3. Make a call to theResponse.Endmethod that will implicitly redirect the request to the logon page.

By using this method, the forms authentication cookie will only be accepted if the user has not been explicitly signed out and the forms authentication ticket has not yet expired.

For more information about how to help protect forms authentication cookies by using SSL, click the following article number to view the article in the Microsoft Knowledge Base: