Security of cookies generated by ASP.NET Forms authentication

Author: Wood ant community. Source: www.mumayi.net. Release date: 0:19:48
I ran this experiment because of http://community.csdn.net/Expert/topic/3927/3927012.xml?temp=.3752405.
At first I assumed that .NET authentication would be reasonably safe: the generated cookie would be tied to some unique parameter of the client computer and would be useless if taken to another machine. Does each user name map to a single cookie value? Can forms authentication be fooled by forging that value? I ran a few experiments.
Modify web.config as follows:
<authentication mode="Forms">
    <forms name="mylab" loginUrl="/login.aspx">
        <credentials passwordFormat="Clear">
            <user name="fancyray" password="fancyray"/>
        </credentials>
    </forms>
</authentication>

<authorization>
    <deny users="?"/>
</authorization>

login.aspx has only a user-name text box (txtUserName), a password text box (txtPassword) and a submit button. The button's click handler is:
// Checks the submitted credentials against the <credentials> section in web.config,
// then issues the authentication cookie and redirects to the originally requested page.
if (FormsAuthentication.Authenticate(this.txtUserName.Text, this.txtPassword.Text))
{
    FormsAuthentication.RedirectFromLoginPage(this.txtUserName.Text, true);
}
else
{
    Response.Write("Login denied");
}
With ieHTTPHeaders (http://www.blunck.info/) you can see that, after successful authentication, a cookie like this is added:
mylab=<long hexadecimal value>
This appears to be the encrypted cookie. Next, switch to another computer, set this value as a cookie there, and see whether forms authentication still demands a login.
Add the following to the login.aspx page:
<script language="JavaScript">
// Sets the cookie observed on the first computer (value not reproduced here).
document.cookie = "mylab=<long hexadecimal value>";
</script>
This way the cookie is added automatically as soon as the login.aspx page is opened.
On the other computer, request another page of the same web application, for example http://10.0.0.7/upload.aspx. It redirects to http://10.0.0.7/login.aspx?ReturnUrl=%2fupload.aspx as normal, and at this point the cookie value should have taken effect. Now enter the page URL http://10.0.0.7/upload.aspx again!
I expected it to bounce back to login.aspx, because the cookie had been generated on a different computer. It did not! upload.aspx was displayed in full, even though we had never logged in on this computer and did not even know the user name.
Back on 10.0.0.7 I added Response.Write(User.Identity.Name); as the first line of Page_Load() in upload.aspx and refreshed the page on the other computer: it printed fancyray, my user name.
This shows that the cookie's encryption does not depend on the computer that logged in. In other words, once someone else obtains your cookie, they may gain your permissions on this server.
So where does the cookie value come from? Could someone obtain this value other than by exhaustive search?

Let's look at what is stored in the cookie and how it is encrypted. Time for Reflector (http://www.aisto.com/roeder/dotnet)!
public static void SetAuthCookie(string userName, bool createPersistentCookie, string strCookiePath)
{
    FormsAuthentication.Initialize();
    HttpContext.Current.Response.Cookies.Add(FormsAuthentication.GetAuthCookie(userName, createPersistentCookie, strCookiePath));
}

public static HttpCookie GetAuthCookie(string userName, bool createPersistentCookie, string strCookiePath)
{
    FormsAuthentication.Initialize();
    if (userName == null)
    {
        userName = "";
    }
    if ((strCookiePath == null) || (strCookiePath.Length < 1))
    {
        strCookiePath = FormsAuthentication.FormsCookiePath;
    }
    // The ticket holds only the user name, issue time and expiry (50 years if persistent).
    FormsAuthenticationTicket ticket1 = new FormsAuthenticationTicket(1, userName, DateTime.Now, createPersistentCookie ? DateTime.Now.AddYears(50) : DateTime.Now.AddMinutes((double) FormsAuthentication._Timeout), createPersistentCookie, "", strCookiePath);
    string text1 = FormsAuthentication.Encrypt(ticket1);
    FormsAuthentication.Trace("ticket is " + text1);
    if ((text1 == null) || (text1.Length < 1))
    {
        throw new HttpException(HttpRuntime.FormatResourceString("Unable_to_encrypt_cookie_ticket"));
    }
    HttpCookie cookie1 = new HttpCookie(FormsAuthentication.FormsCookieName, text1);
    cookie1.Path = strCookiePath;
    cookie1.Secure = FormsAuthentication._RequireSSL;
    if (ticket1.IsPersistent)
    {
        cookie1.Expires = ticket1.Expiration;
    }
    return cookie1;
}
The value stored in the cookie is text1, produced by string text1 = FormsAuthentication.Encrypt(ticket1);. So the information inside text1 is ticket1. The FormsAuthenticationTicket constructor is:
public FormsAuthenticationTicket(int version, string name, DateTime issueDate, DateTime expiration, bool isPersistent, string userData, string cookiePath)
It contains the user name, the time ticket1 was generated, and the expiration time.
I couldn't help shuddering: ticket1 uses only the user name as its key piece of information and does not involve the password at all! Couldn't any user create such a ticket? If FormsAuthentication.Encrypt(ticket1) could simply be called to obtain the cookie value, one could pose as any user. That is frightening. Our only hope now is the Encrypt function, so let's look at its implementation:
public static string Encrypt(FormsAuthenticationTicket ticket)
{
    if (ticket == null)
    {
        throw new ArgumentNullException("ticket");
    }
    FormsAuthentication.Initialize();
    byte[] buffer1 = FormsAuthentication.MakeTicketIntoBinaryBlob(ticket);
    if (buffer1 == null)
    {
        return null;
    }
    // protection="None": the ticket goes out as plain hex, neither signed nor encrypted.
    if (FormsAuthentication._Protection == FormsProtectionEnum.None)
    {
        return MachineKey.ByteArrayToHexString(buffer1, 0);
    }
    // "Validation" or "All": append a MAC computed with the machineKey validation key.
    if ((FormsAuthentication._Protection == FormsProtectionEnum.All) || (FormsAuthentication._Protection == FormsProtectionEnum.Validation))
    {
        byte[] buffer2 = MachineKey.HashData(buffer1, null, 0, buffer1.Length);
        if (buffer2 == null)
        {
            return null;
        }
        FormsAuthentication.Trace("Encrypt: MAC length is: " + buffer2.Length);
        byte[] buffer3 = new byte[buffer2.Length + buffer1.Length];
        Buffer.BlockCopy(buffer1, 0, buffer3, 0, buffer1.Length);
        Buffer.BlockCopy(buffer2, 0, buffer3, buffer1.Length, buffer2.Length);
        if (FormsAuthentication._Protection == FormsProtectionEnum.Validation)
        {
            return MachineKey.ByteArrayToHexString(buffer3, 0);
        }
        buffer1 = buffer3;
    }
    // "All" (and "Encryption"): encrypt ticket plus MAC with the machineKey decryption key.
    buffer1 = MachineKey.EncryptOrDecryptData(true, buffer1, null, 0, buffer1.Length);
    return MachineKey.ByteArrayToHexString(buffer1, buffer1.Length);
}

Seeing the word MachineKey I finally breathed a sigh of relief. The encryption and decryption are tied to server parameters: the server has its own key, and only that key can encrypt and decrypt the cookie. Without the key, others cannot forge cookies.

So the cookie appears safe, and your own computer is not the weak point. As with any other information, you only need to take care over the security of its transmission across the network.
The cookie value is like a session ID in that it causes security problems once guessed. Unlike a session ID, which is always short-lived, the cookie value may remain valid indefinitely. The length of the cookie value does give us a little comfort.

Another problem cannot be ignored. Although the cookie value depends on the specific time (the cookie generated after logging out and logging in again is different), a valid cookie value stays valid permanently; neither a password change nor the passage of time affects it. That is, the cookie I generated last time can still be used on another computer after I have logged out, as long as the server's machineKey stays unchanged. This is a real security risk. We can only console ourselves by saying that the cookie value is so long that guessing a valid one by brute force would take longer than a lifetime. Changing the password frequently further reduces the chance of an exhaustive search on the password succeeding, but a valid cookie cannot be changed. The password is unique, but a valid cookie value is not: that is not reassuring.
This may be over-worrying, since electronic signatures and certificates are likewise built on the premise that forging them is prohibitively expensive. If we worried about the case where "the search just happens to succeed", no security would exist at all. I believe that for general security purposes, the level of security of cookies generated by forms authentication is sufficient.
Use it with confidence! (At least until you read another, more insightful article.)
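To make the structure of Encrypt and the logout problem concrete, here is an added Python model; it is not ASP.NET's code and not its real wire format. It follows the Validation-mode path shown above (serialize the password-free ticket, append a MAC under the server's validation key, hex-encode) and the matching check a server would perform. The key, user names and timestamps are constructed; the revocation check that rejects tickets issued before the user's last logout is an added mitigation for the problem just described, not something the framework did.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the server's machineKey validationKey (not a real key).
VALIDATION_KEY = bytes.fromhex("0f" * 32)
MAC_LEN = hashlib.sha1().digest_size  # 20 bytes

# Server-side revocation state: per user, tickets issued before this time are dead.
revoked_before = {}

def make_ticket_blob(name, issue_ts, expiry_ts, persistent, user_data="", path="/"):
    # Same fields as the ticket on the page: version, name, dates, flag, path; no password.
    fields = [1, name, int(issue_ts), int(expiry_ts), bool(persistent), user_data, path]
    return json.dumps(fields, separators=(",", ":")).encode()

def encrypt(blob, key=VALIDATION_KEY):
    # Validation mode: blob || MAC(blob) under the validation key, then hex-encode.
    mac = hmac.new(key, blob, hashlib.sha1).digest()
    return (blob + mac).hex()

def logout(name, now):
    # Record the logout time so that earlier tickets for this user stop validating.
    revoked_before[name] = int(now)

def validate(cookie_hex, now, key=VALIDATION_KEY):
    """Return the user name if the cookie is genuine, unexpired and not revoked, else None."""
    try:
        raw = bytes.fromhex(cookie_hex)
    except ValueError:
        return None
    blob, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(key, blob, hashlib.sha1).digest()
    if not hmac.compare_digest(mac, expected):
        return None  # made without the key, or tampered after the fact
    _version, name, issue_ts, expiry_ts, *_rest = json.loads(blob)
    if now > expiry_ts:
        return None  # past the expiration stored in the ticket
    if issue_ts < revoked_before.get(name, 0):
        return None  # issued before this user's last logout
    return name
```

Without the key a ticket for any user name can be built, but its MAC will not verify; with the key and no revocation state, a ticket copied to another machine validates until its expiry, which is the behaviour observed in the experiment.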
