tags:

views:

289

answers:

1
+1  Q: 

Authentication ticket ( Forms authentication )

Hello,


Q1 - Forms authentication module encrypts its authentication information ( ticket ) before placing it in a cookie.

Now, little I know of encryption algorithms is that they usually use some randomly generated value to encrypt and decrypt a piece of data. Thus if same algorithm uses value A to encrypt some data, then it will also need same value in order to be able to decrypt this data.


A) Since several users could be logged on ( via Forms authentication module ) to a particular web application, will authentication information for each of these users be encrypted with the same randomly generated value?

  • If yes, then doesn’t that represent a security risk?


  • If no, then when upon next request Asp.Net receives the authentication cookie ( which contains the ticket )from the user, how will it know which randomly generated value it used to encrypt the ticket ( I’m assuming it needs this same value to decrypt the ticket )


Q2 Authentication ticket contains several pieces of information about the authenticated user, but which piece of these data actually tells Asp.Net ( when user again requests a page ) that it is dealing with already authenticated user?


thanx

+4  A: 

Q1: Forms authentication uses machineKey to encrypt the cookie. Since its value is constant in machine.config ASP.NET is able to decrypt cookies encrypted with the same key.

The cookies are encrypted with the same key but this key is known only to the server, which means that the user cannot tamper with the data of the cookie and thus cannot impersonate another user, so it is not a security risk to use the same private key to encrypt cookies.

Q2: The ticket contains the following information: the username and a date which is used to determine if it is valid (if sliding expiration is set, ASP.NET could rewrite the cookie as it checks its validity on every request). If the cookie is sent by the client and when it gets decrypted it is still valid, ASP.NET assumes that the client is authenticated.

Darin Dimitrov  2009-05-02 20:45:32
You can also use an autogenerated machineKey, which I believe will be generated and cached at application startup.
Simon Svensson  2009-05-02 20:55:40
thanx for your help
SourceC  2009-05-02 23:40:15

related questions

Subsonic Vs NHibernate
How to check For File Lock in C# ?
Is nAnt still supported and suitable for .net 3.5/VS2008?
Limit size of Queue<T> in .NET?
Viewstate invalid when using Safari
Free OCR library
Unhandled Exception Handler in .NET 1.1
Localising date format descriptors
Get a new object instance from a Type in C#
VFP .NET OLEdb provider does not work in Win 64-Bits. Help
.NET Testing Framework Advice
Embedded Database for .net that can run off a network
Automatically update version number
Homegrown consumption of web services
How do you migrate a large app from VB6 to VB .net ?
.NET Migrations Engine
Adding Scripting functionality to .NET applications
SQLite and XSD
Floating Point Number parsing: Is there a Catch All algorithm?
How do I programmatically create a PDF in my .NET application?
How do I sync the SVN revision number with my ASP.NET web site?
XSD DataSets and ignoring foreign keys
Anatomy of a "Memory Leak"
Reliable Timer in a Console Application
How do I calculate relative time?