的FormsAuthenticationTicket不能失效的服务器端。造成的cookie回复攻击 [英] FormsAuthenticationTicket cannot be invalidated server side. Causing cookie reply attacks

问题描述

我必须使用窗体身份验证的成员ASP.NET Web应用程序。我们最近一直渗透测试，这是一个标记问题是窃取用户帐号的能力。如果.ASPXAUTH cookie值是从用户注销用户可以登录为不同的用户之前复制，编辑cookie来匹配复制的值，并得到所有的特权的。

在登出我曾尝试：

删除的cookie。我能成功地做到这一点，但它并没有无效的FormsAuthenticationTicket。

使用 FormsAuthentication.SignOut（）但发现它没有prevent攻击

我个人不认为这是一个问题，我相信它可能被窃取的唯一方法是，如果一个使用设法获得一个身份验证的用户此说，我需要解决这个问题，以安抚渗透测试。

任何意见将大大AP preciated！
谢谢

解决方案

  

在登出我曾尝试：删除cookie的结果
  我能成功地做到这一点，但它并没有无效的FormsAuthenticationTicket。

其实，当你删除的cookie，你从你的用户删除它 - 你不能去激活它，所以如果有一个人得到它，他仍然可以使用它

该解决方案可以是：

• 保存身份验证cookie的地位也在服务器。


• 连接登录的用户的身份与他们的会话。

了解更多关于也在这里：<一href=\"http://stackoverflow.com/questions/2498599/can-some-hacker-steal-the-cookie-from-a-user-and-login-with-that-name-on-a-web-s\">Can一些黑客从用户窃取cookie并在网站上使用该名称登录？

和<一个href=\"http://stackoverflow.com/questions/16062808/form-authentication-cookie-replay-attack-protection\">Form验证 - 曲奇重放攻击 - 保护

和 http://support.microsoft.com/default ？的.aspx SCID = KB; EN-US; 900111

I have an ASP.NET web application using forms membership authentication. We have recently been penetration tested and an issue that was flagged was the ability to steal a users account. If the .ASPXAUTH cookie value was copied from a user before logging out a user could log in as a different user, edit their cookie to match the copied value and get all of their privileged.

On logging out I have tried:

Removing the cookie. I could successfully do this but it doesn't invalidate the FormsAuthenticationTicket.

Using FormsAuthentication.SignOut() but found it does not prevent the attack

I personally dont see this as a problem, I believe the only way it could be stolen is if a use manages to gain access to an authenticated user this said I need to fix this problem to appease the penetration testers.

Any ideas would be greatly appreciated! Thanks

解决方案

On logging out I have tried: Removing the cookie.
I could successfully do this but it doesn't invalidate the FormsAuthenticationTicket.

Actually when you remove the cookie, you remove it from your user - you can not de-activate it, so if some one get it, he can still use it.

The solutions can be:

• Save the status of the authentication cookie also on server.
• Connect the status of logged user with their session.

Read more about also here: Can some hacker steal the cookie from a user and login with that name on a web site?

and Form Authentication - Cookie replay attack - protection

and http://support.microsoft.com/default.aspx?scid=kb;en-us;900111

这篇关于的FormsAuthenticationTicket不能失效的服务器端。造成的cookie回复攻击的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！