Cookie and authentication
Cookies exist because they help developers achieve a specific goal: a cookie acts as a persistent link between the browser and the server. That same property makes it a target. In applications that authenticate the user once and trust the cookie from then on, a stolen cookie is all an attacker needs; the same is true of one-click attacks (cross-site request forgery), where the browser attaches the cookie to a request the user never intended to make.
Using cookies does not require you to create or read them explicitly in code. If you use session state and forms authentication, you are using cookies implicitly. ASP.NET does support cookieless session state, and ASP.NET 2.0 adds cookieless forms authentication, so in theory you can use both features without a cookie. I am not saying you should never do this, but in practice it is a case where the cure is worse than the disease: a cookieless session embeds the session ID (and, with cookieless forms authentication, the authentication ticket) in the URL, where everyone can see it, and where it also ends up in browser history, proxy and server logs, and Referer headers.
What can go wrong with cookies? A cookie can be stolen (copied to the attacker's machine) or poisoned (filled with malicious data). Either is usually the prelude to an attack. A stolen authentication cookie "authorizes" an outsider to use the application in your name, protected pages included: the attacker does not need to bypass authorization at all, because the victim's roles and security settings now let the attacker do anything the victim could. For this reason the authentication cookie is normally given a relatively short lifetime, 30 minutes by default. (Note that the cookie expires after that interval even if the browser session lasts longer.) If the cookie is stolen, the attacker has at most 30 minutes to attempt the attack. Keep in mind that with sliding expiration, which is the default, every authenticated request renews that window, so a stolen cookie that is replayed regularly stays valid.
You can raise the timeout so that users do not have to log on as often, but be aware that doing so widens the window of exposure. ASP.NET persistent cookies should be avoided altogether: a persistent forms-authentication cookie gets an almost permanent lifetime, up to 50 years! (This is the ASP.NET 1.x behaviour; ASP.NET 2.0 changed persistent cookies to honour the configured timeout.) The following code snippet shows how to override the cookie's expiration date yourself.
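The settings discussed above live in web.config. The following excerpt is an added example, not from the original article; it shows the hardened values with the weaker alternative noted in comments. Element and attribute names are those of ASP.NET 2.0 (`httpCookies` and the `cookieless` enumeration values are not available in 1.x); the login page name is an assumption.

```xml
<configuration>
  <system.web>
    <!-- Mark every cookie ASP.NET issues as HttpOnly (unreadable by script)
         and Secure (sent only over HTTPS). -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />

    <!-- cookieless="UseUri" (or the old cookieless="true") would put the
         session ID in the URL; keep it in a cookie. timeout is in minutes. -->
    <sessionState mode="InProc" cookieless="UseCookies" timeout="20" />

    <authentication mode="Forms">
      <!-- timeout is in minutes. slidingExpiration="true" renews the ticket
           on each request, so an idle session still ends 30 minutes after
           the last request; set it to "false" if you want a hard limit
           measured from login instead. cookieless="UseUri" would put the
           authentication ticket itself in the URL. protection="All" both
           encrypts and signs the ticket. -->
      <forms loginUrl="Login.aspx"
             name=".ASPXAUTH"
             cookieless="UseCookies"
             timeout="30"
             slidingExpiration="true"
             requireSSL="true"
             protection="All" />
    </authentication>
  </system.web>
</configuration>
```

With `requireSSL="true"` on the forms element, ASP.NET refuses to issue the authentication cookie over plain HTTP, so the login page must be served over HTTPS for this configuration to work.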
// Requires: using System; using System.Web; using System.Web.Security;
// user, pswd and isPersistent are assumed to be read from the login form's
// controls; ValidateUser is the application's own credential check.
void OnLogin(object sender, EventArgs e)
{
    // Check credentials
    if (ValidateUser(user, pswd))
    {
        // Create the authentication cookie, then override its expiration date
        HttpCookie cookie;
        cookie = FormsAuthentication.GetAuthCookie(user, isPersistent);
        if (isPersistent)
            cookie.Expires = DateTime.Now.AddDays(10);   // instead of 50 years

        // Add the cookie to the response
        Response.Cookies.Add(cookie);

        // Redirect to the originally requested page (or the default URL)
        string targetUrl;
        targetUrl = FormsAuthentication.GetRedirectUrl(user, isPersistent);
        Response.Redirect(targetUrl);
    }
}
You can use this code in your login form to fine-tune the lifetime of the authentication cookie: with the 10-day expiration shown, even a "remember me" cookie stops working after ten days instead of fifty years. One caveat: setting cookie.Expires only controls when the browser discards the cookie. The encrypted ticket inside the cookie carries its own expiration date, and that is what the server checks on every request, so a copy of the cookie taken before the browser discards it remains valid until the ticket itself expires. To bound the server-side lifetime as well, build the ticket explicitly with the expiration you want.
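The following login handler is an added example, not code from the original article. It builds the FormsAuthenticationTicket explicitly so that the expiration the server enforces is bounded, not just the date at which the browser drops the cookie, and it marks the cookie HttpOnly and Secure. The page controls UserName, Password and RememberMe, the application's ValidateUser method, and the two lifetime constants are assumptions.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added example: issue the forms-authentication cookie with an explicit,
// bounded ticket expiration instead of relying on the "persistent" default.
public partial class Login : System.Web.UI.Page
{
    // Assumed policy: 30 minutes for a normal login, 10 days for "remember me".
    private static readonly TimeSpan ShortLifetime = TimeSpan.FromMinutes(30);
    private static readonly TimeSpan RememberMeLifetime = TimeSpan.FromDays(10);

    protected void OnLogin(object sender, EventArgs e)
    {
        string user = UserName.Text;          // assumed TextBox on the page
        string pswd = Password.Text;          // assumed TextBox on the page
        bool rememberMe = RememberMe.Checked; // assumed CheckBox on the page

        if (!ValidateUser(user, pswd))        // the application's own credential check
        {
            return;
        }

        DateTime issued = DateTime.Now;
        TimeSpan lifetime = rememberMe ? RememberMeLifetime : ShortLifetime;

        // Build the ticket by hand: its Expiration is what FormsAuthenticationModule
        // checks on every request, so a stolen copy dies with it.
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1,                                  // ticket version
            user,                               // authenticated user name
            issued,                             // issue date
            issued.Add(lifetime),               // server-enforced expiration
            rememberMe,                         // isPersistent
            string.Empty,                       // no custom user data
            FormsAuthentication.FormsCookiePath);

        HttpCookie cookie = new HttpCookie(
            FormsAuthentication.FormsCookieName,
            FormsAuthentication.Encrypt(ticket));   // encrypted and signed per protection="All"
        cookie.HttpOnly = true;                         // not readable by script
        cookie.Secure = FormsAuthentication.RequireSSL; // only sent over HTTPS
        cookie.Path = FormsAuthentication.FormsCookiePath;
        if (rememberMe)
        {
            // Only a "remember me" cookie gets an Expires attribute. Without it
            // the browser discards the cookie when it closes, while the ticket
            // inside still expires server-side after ShortLifetime.
            cookie.Expires = ticket.Expiration;
        }
        Response.Cookies.Add(cookie);

        // Follow the ReturnUrl only when it stays inside this application.
        string target = FormsAuthentication.GetRedirectUrl(user, rememberMe);
        Response.Redirect(IsLocalUrl(target) ? target : FormsAuthentication.DefaultUrl);
    }

    // Accept only application-relative paths (rejects "//evil" and "/\evil" forms).
    private static bool IsLocalUrl(string url)
    {
        return !string.IsNullOrEmpty(url)
            && url.StartsWith("/", StringComparison.Ordinal)
            && !url.StartsWith("//", StringComparison.Ordinal)
            && !url.StartsWith("/\\", StringComparison.Ordinal);
    }
}
```

Because the ticket expiration is set here rather than taken from the `timeout` attribute, sliding expiration in web.config no longer extends a "remember me" login beyond the ten days chosen above; if you want the short-lived ticket to slide, renew it yourself with FormsAuthentication.RenewTicketIfOld on subsequent requests.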