tags:

views:

245

answers:

2
+1  Q: 

asp.net membership provider compromised?

I'm using the standard out-of-the-box aspnet membership provider, and I have the following settings in the web.config:

<anonymousIdentification enabled="false"/>
<authentication mode="Forms">
    <forms cookieless="AutoDetect" loginUrl="~/XXXX.aspx" name="XXXXAuth" slidingExpiration="true" timeout="432000"/>
</authentication>
...
<membership defaultProvider="XXXMembershipProvider">
    <providers>
     <add name="XXXMembershipProvider" type="System.Web.Security.SqlMembershipProvider" applicationName="XXX" connectionStringName="XXX" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false" requiresUniqueEmail="true" minRequiredPasswordLength="5" minRequiredNonalphanumericCharacters="0" passwordFormat="Hashed" maxInvalidPasswordAttempts="5" passwordAttemptWindow="10" passwordStrengthRegularExpression=""/>
    </providers>
</membership>

Today I have had an issue where a user has reported that they went to log-in and noticed that the site was saying they were already logged-in.... as a completely different user. After contacting both users, it turns out neither accesses the site from a shared computer. Neither account's data shows any sign of being "hacked" in the database.

The is hosted on two web servers behind a load balancer. The database architecture is one server for reads, one for writes with replication keeping them in sync.

Does anyone know what might have occured to cause this?

+1  A: 

An option that can make this happen is the cookieless=AutoDetect. If one user's browser doesn't support cookies, asp.net will embed the encrypted authentication ticket in the url. If the user happened to either share a link with the other, or less directly posted it on a forum, (s)he is giving unintended access to his(her) account.

eglasius  2009-03-23 15:56:06
Paul Suart  2009-03-23 16:33:09
A: 

I'm wondering how smart the load balancer is, and if it's caching pages as well.

The membership cookie is pretty damned locked down, so it's very very doubtful it's been compromised. If the load balancer is also caching it may well not be passing the request on.

blowdart  2009-05-27 18:50:25

related questions

Why do custom membership provider files have to be in the app_code folder of my web app?
How to tell if I'm running under a web server or not?
What is the difference between a Provider and a Connector in database world?
Best way to annotate provider chains
Simple (Dumb) LINQ Provider
Integrating custom membership provider in existing solution
How to choose an Oracle provider for .Net application?
Writing Custom Roles Provider For Master Pages/No Machine.Config
Creating dtrace probes for plugins using single provider name
Provider Pattern & DefaultProvider
using asp.net membership provider how to check if the user is registered or not?
need an alternative to the provider pattern
How do I get the _count in my content provider?
Accessing the Profile object from Code Behind Bug? (ASP.NET 2.0 Provider Model)
What part of LINQ to SQL's provider model makes it impossible to extend it to support third party (read: Non-Microsoft) databases?
Best RDBMS for use from VB6
Entity classes decoupled from LINQ to SQL provider for implementing the Repository pattern. How?
Is there any way to use XmlSiteMapProvider within WinForm/Console/VSTest application?
Weather web service for Europe?
Implementing Profile Provider in ASP.NET MVC
Oracle ASP.net Provider-model objects performance
Alternative to FreeLists for hosting my (developer/software) maling lists?
ASP.NET LocationProvider
VFP .NET OLEdb provider does not work in Win 64-Bits. Help