Hello,


Q1 I’ve read that when setting the timeout of an authentication cookie, we should keep in mind that the longer the cookie persists, the greater the chance of a cookie being stolen and misused.


A) But assuming we secure our application against replay attacks by enabling SSL for the entire application, and since the forms authentication module also encrypts the authentication data in the authentication cookie, then I would think there is no chance of this cookie being misused, and thus cookies being persisted for longer periods of time should not present any security risks?!


Q2

FormsAuthentication.FormsCookiePath specifies where the authentication cookie is stored. Default value is ‘/’.

A) Assuming the default value ’/’ is used, where is the cookie saved then?

B) Is this option only used for persistent cookies?


Thanks

+2  A: 

2A. The cookie path is the path on the server the cookie relates to, not the path where the cookie is stored.

From http://www.quirksmode.org/js/cookies.html

The path gives you the chance to specify a directory where the cookie is active. So if you want the cookie to be only sent to pages in the directory cgi-bin, set the path to /cgi-bin. Usually the path is set to /, which means the cookie is valid throughout the entire domain. This script does so, so the cookies you can set on this page will be sent to any page in the www.quirksmode.org domain (though only this page has a script that searches for the cookies and does something with them).

You are using ASP.Net. Also see the "CookieLess" Session and Authentication options, e.g. http://msdn.microsoft.com/en-us/library/system.web.security.formsauthentication.formscookiepath.aspx, if you are worried about cookies. This uses a URL session ID instead to track your session.

You can also use a SQL Server to track session state or a State server. e.g.

<sessionState mode="SQLServer" sqlConnectionString="SQLSessionDB" cookieless="false" timeout="65" cookieName="MSESSID"/>

1A. SSL encrypts transport. Hence your cookies will be less likely to be stolen en route to the client or back. That doesn't mean a malicious program on the client computer can't steal it. This is very unlikely though.

kervin
So if we override the FormsAuthentication.CookieDomain property, then several applications will use the same authentication cookie. But if we also set the FormsCookiePath property to a particular directory, then only applications contained inside this directory will use the same application cookie?
SourceC
PS - I'm not sure what happened, but I can't give your answer a point. I probably hit the wrong button, which gave it -1 point. I apologize for it.
SourceC
No problem about the points. Hope the answer helps. Try to think more about the browser than the server when dealing with cookies. I would set my domain and a liberal path. You can further restrict access using a web.config in the protected folders. See http://www.devhood.com/Tutorials/tutorial_details.aspx?tutorial_id=85 for some examples. The idea is that the browser will only send the cookie to URLs within the path. Here's some background: http://en.wikipedia.org/wiki/Basic_access_authentication
kervin
It sure did :). Thanks mate
SourceC
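As an added example (not code from the original thread or from ASP.NET), the RFC 6265 matching rules a browser applies before attaching a cookie to a request; it covers the path scoping described in the answer and the shared-domain question in the comments. The cookie objects, host names and URLs are constructed for illustration, and the `secure` field is a model of the cookie's Secure attribute.

```javascript
// Added example, not code from the original thread or from ASP.NET: the
// RFC 6265 rules a browser applies before attaching a cookie to a request.
// Cookie objects, host names and URLs are constructed for illustration.

// Path-match (RFC 6265 s.5.1.4): the request path equals the cookie path, or
// starts with it and either the cookie path ends in "/" or the next char is "/".
function pathMatches(cookiePath, requestPath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Domain-match (RFC 6265 s.5.1.3): a cookie with no Domain attribute is
// host-only and matches only the host that set it; with a Domain attribute
// it also matches every subdomain of that domain.
function domainMatches(cookie, host) {
  host = host.toLowerCase();
  if (!cookie.domain) return host === cookie.issuingHost.toLowerCase();
  const domain = cookie.domain.toLowerCase().replace(/^\./, "");
  return host === domain || host.endsWith("." + domain);
}

// Would the browser send `cookie` with a request to `url`?
// `secure` models the Secure attribute: never sent over plain http.
function cookieSentTo(cookie, url) {
  const u = new URL(url);
  if (cookie.secure && u.protocol !== "https:") return false;
  if (!domainMatches(cookie, u.hostname)) return false;
  return pathMatches(cookie.path || "/", u.pathname);
}

// Constructed cookies: the default FormsCookiePath "/", a path-scoped one,
// and one shared across applications by a parent Domain attribute.
const rootCookie = { issuingHost: "www.example.com", path: "/", secure: true };
const scopedCookie = { issuingHost: "www.example.com", path: "/cgi-bin" };
const sharedCookie = { issuingHost: "app1.example.com", domain: "example.com", path: "/apps" };

console.log(cookieSentTo(rootCookie, "https://www.example.com/admin/x.aspx"));  // true
console.log(cookieSentTo(rootCookie, "http://www.example.com/"));              // false (Secure)
console.log(cookieSentTo(scopedCookie, "http://www.example.com/cgi-binx"));    // false
console.log(cookieSentTo(sharedCookie, "http://app2.example.com/apps/login")); // true
```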