views: 729
answers: 2

I am using forms authentication in my ASP.NET 2.0 website. Today during testing I was faced with a major problem.

After authentication, I have a default page, createuser.aspx. From that page I am creating a new user. It is working fine.

There is a logout button in which I am clearing all sessions and redirecting to the login page. All was working fine.

During testing I used Fiddler, in which I dragged and dropped the createuser.aspx URL into the Request Builder option of Fiddler, and after changing the textbox value inside Fiddler I clicked on Execute. I was shocked that the information was saved in the database.

It means I was missing some important thing in ASP.NET forms authentication, because after logout all sessions/cookies should expire and Fiddler should not work.

I hope you all understand my problem. Please help me to find a solution. I have doubts about the authentication cookies. I don't know whether I am correct or not.

+2  A: 

See Security Tutorials on the asp.net site.

John Saunders
A: 

Logging out of your web app will clear your cookies, yes.

However, dragging a previous request in Fiddler and dropping it on the Request Builder will copy the authentication cookie.

This means that when you execute the request in Fiddler, you're sending the auth cookie, which is being re-validated, and therefore the actions in CreateUser.aspx will indeed fire, and the new user details will be stored in the database.

If in the Request Headers section of Fiddler you remove the part of the cookie starting .ASPXAUTH= up to and including the next ; and probably also the ASP.NET_SessionId value as well, you'll find it working as you expect.

If you want to ensure that this sort of behaviour isn't possible, you'll probably also want to store some sort of "Logged In This Session" flag, that you clear down on Logout as well, and check for that value in the code-behind of CreateUser (or some base class if you need this behaviour on multiple pages) before performing the insert.


Edit to respond to comments:

A couple of things will help you then:

  1. Put this area of the site under SSL - therefore it will be a lot harder for someone to intercept the traffic - but not impossible, indeed fiddler can perform a man-in-the-middle attack, and provide the client with a self generated certificate which allows it to decrypt the information.

  2. As I said above, you'll probably want to check that both the user is authenticated (from the cookie) and that some session value is set - as you're clearing down the session, this will no longer exist when the user is re-validated via the cookie.

ASP.NET should re-validate the cookie, as that's how authentication can span session timeouts and application restarts - by removing all session data the application has no way of knowing whether the request from Fiddler is a session it's just killed, or one that timed out or was created before the last restart.


Further response to comments:

As Blowdart rightly points out, the Session and Authentication cookies aren't related, and the server doesn't keep a list of all the authentication cookies it has issued anywhere. Thus there is no difference to the server between a cookie that it issued within the forms authentication timeout, and one that was issued within the timeout that has since been removed - if the user recreates that cookie value, then it's a valid cookie. This Support Article has more information on the cookie/ticket combination:

Understanding the Forms Authentication Ticket and Cookie

Forms authentication cookie is nothing but the container for forms authentication ticket. The ticket is passed as the value of the forms authentication cookie with each request and is used by forms authentication, on the server, to identify an authenticated user.

As I've said earlier, if the authentication ticket in the cookie wasn't accepted by the server, with no other information about the user, then persistent cookies would not work, and no matter how often the user selected "Remember me next time", the server wouldn't remember them, this is why I recommend that you don't rely on just the authentication state, but also some value in the session (which wouldn't exist for the Fiddler request after logout because the server will have destroyed that information).

Zhaph - Ben Duguid
Thanks sir. Actually I am scared that after logout, with the help of Fiddler, the authentication cookies and sessions are revalidated at the server. It means hackers can use tools to break my application by inserting garbage data. How can I modify my logout code so that after logout, the server should not revalidate a request from Fiddler? In my logout form I am using the following code: `Session.Abandon(); HttpContext.Current.Session.Clear(); HttpContext.Current.Response.Cookies.Remove("AUTHCOOKIE"); FormsAuthentication.SignOut();`
Hemant Kothiyal
You can't. If the cookie is saved and sent back again then how is ASP.NET supposed to know it was previously cleared? The authentication cookie is not linked to a session (and even then the session cookie would also be saved and sent - although the newly recreated session would have nothing saved in session state). This really is not a vulnerability.
blowdart
@Blowdart - Agree total that this is how it should work - as I said in my edit, how else will an auth cookie persist beyond app restarts etc? This is why if this is a concern for you, you should also check some session based value as well - that will not be recreated by the fiddler request.
Zhaph - Ben Duguid
Sir, I am clearing all the sessions and cookies at logout. It means cookies at the client will be cleared as well as the session at the server removed. Now the point which I am not able to get is: how does the ASP.NET application validate cookies from Fiddler if that cookie/session information is deleted by the server at the time of logout from the application? I would be very thankful to you if you explain to me what I have missed.
Hemant Kothiyal
The membership cookie is validated via a MAC signing technique. A captured cookie is valid because it's been signed correctly. Cookies do not live on the server so there is no server side clearing for them. If you send a valid session ID cookie and the session does not exist then a new, empty session is not created. None of this is a problem at all.
blowdart
Thanks Zhaph for the details. So it means we should manually create the authentication ticket inside the forms authentication cookie and apart from that also add some extra information about the user. One point I would like to clear up here is whether I should manually validate the extra information from the cookie value or ASP.NET automatically validates it?
Hemant Kothiyal
Hi Blowdart, thanks for making this topic clear to me. As explained by Zhaph, if the authentication ticket is recreated by the client (even after logout) then the server will process the page functionality, and to stop that I would like to add another detail of the user which will again be revalidated at the page. So to meet this I need to manually validate the cookie value on every page. Am I right, or is there something else which I missed?
Hemant Kothiyal
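Putting Zhaph's suggestion from the accepted answer into code: a "Logged In This Session" flag stored in session state at login, cleared by logout, and checked in a base page alongside the forms-authentication ticket. This is an added example and not code from the original question or answers. The class names (`AuthenticatedBasePage`, `CreateUser`), the session key `LoggedInThisSession` and the control/handler names are assumptions chosen for this example; the `FormsAuthentication`, `Membership` and `Session` calls are the standard ASP.NET 2.0 APIs.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

// Hypothetical base class for pages that must not run for a replayed request
// (e.g. createuser.aspx). Name and session key are assumptions for this example.
public class AuthenticatedBasePage : Page
{
    // Written by CompleteLogin(); Session.Abandon() at logout destroys it server-side.
    public const string LoggedInFlagKey = "LoggedInThisSession";

    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);

        // Check 1: the forms-authentication ticket carried in the .ASPXAUTH cookie.
        // ASP.NET has already verified the ticket's MAC, so a captured cookie that is
        // sent again (the Fiddler case) passes this check, as blowdart explains.
        bool ticketValid = User != null && User.Identity.IsAuthenticated;

        // Check 2: the server-side flag written by a real login. After logout the
        // session holding it is gone, so a replayed request sees no flag (or an
        // unrelated, empty session) even though its ticket is still valid.
        string flag = Session[LoggedInFlagKey] as string;
        bool sessionFlagPresent = ticketValid
            && flag != null
            && string.Equals(flag, User.Identity.Name, StringComparison.Ordinal);

        if (!ticketValid || !sessionFlagPresent)
        {
            // Treat the request as logged out: drop the ticket and go back to login.
            FormsAuthentication.SignOut();
            Session.Abandon();
            FormsAuthentication.RedirectToLoginPage();
        }
    }

    // Call from the login page after Membership.ValidateUser succeeds.
    public static void CompleteLogin(HttpContext ctx, string userName)
    {
        // Bind the flag to the user name so it must match the ticket's identity.
        ctx.Session[LoggedInFlagKey] = userName;
        FormsAuthentication.RedirectFromLoginPage(userName, false);
    }

    // Call from the logout button's click handler.
    public static void Logout(HttpContext ctx)
    {
        ctx.Session.Remove(LoggedInFlagKey);
        ctx.Session.Abandon();
        FormsAuthentication.SignOut();
        ctx.Response.Redirect(FormsAuthentication.LoginUrl);
    }
}

// Code-behind for a hypothetical login.aspx; UserName and Password are assumed
// TextBox controls declared in the page's designer file.
public partial class LoginPage : Page
{
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        if (Membership.ValidateUser(UserName.Text, Password.Text))
        {
            AuthenticatedBasePage.CompleteLogin(Context, UserName.Text);
        }
    }

    protected void LogoutButton_Click(object sender, EventArgs e)
    {
        AuthenticatedBasePage.Logout(Context);
    }
}

// createuser.aspx inherits the base page, so the insert below only runs when
// both the ticket and the session flag checks in OnInit have passed.
public partial class CreateUser : AuthenticatedBasePage
{
    protected void SaveButton_Click(object sender, EventArgs e)
    {
        // Membership.CreateUser(...) or the page's own insert goes here.
    }
}
```

Two things to keep in mind when using this pattern. First, the flag is per-session, so a user whose session times out while holding a persistent "Remember me" ticket is sent back to the login page rather than silently re-validated; that is the trade-off Zhaph describes between session-bound checks and cookie persistence. Second, the flag only helps after logout: if both cookies are captured while the session is still alive, the replayed request still carries a matching flag, which is why the answer's first point (putting the area under SSL so the cookies are not observable on the wire) still matters.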