views:

46

answers:

1

Asp.net stores the session in a cookie, thus not having to worry about sessions on the server side (traditionally sessions are stored in a database, and lookups are done via a session ID, which is usually a Guid like string).

In my previous question, I was asking about how a spring application stores/creates sessions etc: http://stackoverflow.com/questions/2069392/springs-authentication-does-it-use-encrypted-cookies

Cletus pointed out that storing a username/id in a cookie, although encrypted, is a security issue because the would-be-hacker has both the encrypted text, but also the hacker knows what the actual encrypted text is i.e. the userId or username.

What are you thoughts on this? I am sure StackOverflow is also using this mechanism, as is **99.9% of asp.net web applications that are using formsauthentication in this manner. Microsoft's MSDN site itself is filled with examples like:

 FormsAuthentication.RedirectFromLoginPage(UsernameTextbox.Text, NotPublicCheckBox.Checked);

In the above code, the username value is stored in the encrypted cookie. actually, I recall that the asp.net website was hacked because the web.config didn't have the Protection=All in the forms authentication tag. So is this a real issue? To repeat what cletus linked to: In case you're wondering what a "crib" is. see: http://www.faqs.org/faqs/cryptography-faq/part03/

Cryptanalytic methods include what is known as practical cryptanalysis'': the enemy doesn't have to just stare at your ciphertext until he figures out the plaintext. For instance, he might assumecribs''---stretches of probable plaintext. If the crib is correct then he might be able to deduce the key and then decipher the rest of the message. Or he might exploit ``isologs''---the same plaintext enciphered in several cryptosystems or several keys. Thus he might obtain solutions even when cryptanalytic theory says he doesn't have a chance.**

+1  A: 

Maybe you should take a look into this document: Improving Web Application Security: Threats and Countermeasures -- Threat Modeling

It's a good start point to understand what security risks are involved and how can you mitigate that threats.

Rubens Farias