ASPXAUTH Cookie Is Insecure And Is Displaying Session Data?

Jul 15, 2010

I thought the .ASPXAUTH was for user authentication? Can anyone confirm if this cookie is indeed a security risk and/or contains session information? Is it even supposed to be used or is it some debug thing?

View 1 Replies


Similar Messages:

Where Is .ASPXAUTH Cookie

May 19, 2010

In JavaScript, alert(document.cookie); does not show the .ASPXAUTH cookie although a sniffer is showing it.

I need it because I have an AJAX request to the server, and the request should not take place when the user is already logged in.

If I cannot check .ASPXAUTH for security reasons, what should I do to check whether the user is already logged in?

View 2 Replies

Can't Get The .ASPXAUTH Cookie Value For Login With PHP CURL

Nov 30, 2010

I have a curl script that logs in to two other websites to submit forms from behind the login successfully. However, I've recently tried to use a variation of this script for a third website. It works as far as returning the first page after login but then it treats any further cURL calls as if I haven't logged in. I discovered (well I think) that it's to do with the .ASPXAUTH cookie not being set. I do have a cookiefile and cookiejar setup in my cURL code and it catches the .ASP.NET_SessionID successfully, but not the ASPXAUTH cookie.

I noticed that I can see the .ASPXAUTH cookie value in the headers when I watch "Live HTTP headers" but I can't get my cURL script to return the header with this set-cookie very easily. It seems that the cookie is set on a 302 after login and cURL is not handling this correctly. So I turned off CURLOPT_FOLLOWLOCATION and was trying to handle the redirect myself but I still can't get it right (the server returns a really strange redirect url and I don't think I'm doing this part right)

Here is my code:

[code]....

View 1 Replies

How To Decrypt Public ASPXAUTH Cookie And Security

Mar 18, 2010

Due to a bug in Flash, I have to use the ASPXAuth cookie to log a user in on a page that a flash upload script calls after upload. See this page for more information: [URL]

I have to make the ASPXAUTH string "public" in the sense that it will be in the HTML of the page. My question is, how secure is this?

I understand that anyone that can get to the string in the HTML can probably get to it from the cookie just as easily, but let's say someone does have this ASPXAUTH string. Is it possible that they can login as another user using this cookie? Would they be able to decrypt it?

View 1 Replies

ASPXAUTH Authentication Cookie Not Cleared On Sign/log Out

Dec 8, 2010

I'm using ASP authentication and the integrated webservice.

The user logs in with Forms authentication on a login page.

To log out, I call the authentication webservice from Silverlight and call logout.

Everything worked OK but now sometimes IE gets crazy and doesn't log out the user anymore.

I used Fiddler and it turns out that the authentication service returns a SetCookie to clear the ASPXAUTH cookie but on the next call IE still has the cookie set.

So of course because the cookie is there the user is authenticated and logs right back in rather than being directed to the login page.

I checked and didn't see any other description of the issue.

I can't reproduce it and my colleagues that have a misbehaving IE have it working fine on one environment and not on the other (one has the issue for DEV and another has the issue for the PreProd server).

View 2 Replies

Security :: Finding Membership Authentication And ASPXAUTH Cookie Size

Oct 31, 2010

Without reading the whole text below, since this is on the ASP.Net side ... basically I think I need to know if there is a way to reduce the size of the forms authentication cookie. When using a DotNet 2.0 website, the ASPXAUTH cookie is about 232 bytes ... when using the same source code but upgraded to DotNet 4.0, the cookie is approximately 264 bytes. Setting the ticketCompatibilityMode does not reduce the size since I think the default setting is Framework20. The length of the cookie, including its name, cannot be larger than 256 bytes in order to use it with the "Client Application Services".

I only did a cursory search of the asp.net forums, but will diligently look for an existing solution.

----- BACKGROUND AND RESEARCH -----

I have been using all three features of client application services (authentication, profiles, and roles) in my Windows app (DotNet 3.5 framework) for almost two years now. Up until now, I have not had any problems. This week I hit a brick wall and am pretty stumped with two separate but related issues.

Issues:

In development, we decided to upgrade our websites/services to DotNet 4.0. All applications upgraded successfully. However, we are unable to log into our application using Client Application Services. No matter what user we use, Membership.ValidateUser returns false. Since we know the usernames and passwords, we thought this was strange. When debugging the application, we found that Membership.ValidateUser was throwing an InvalidOperationException (see below for complete exception) stating that the ASPXAUTH property was too long, longer than the schema created in the SQL/CE database. (See below for things tried).

In production ... A user all of a sudden could no longer gain access to the application. Upon inspection, his ASPXAUTH cookie was 264 characters long (9 characters longer than the schema's nvarchar(256)). Even though the user was being authenticated on the "server side", and the JSON query returned "{"d":true}", Membership.ValidateUser returned false. Again, as in the case above, the actual error was ...

Message=@PropValue : String truncation: max=256, len=264 ...

I am assuming I am missing something very simple or that I overlooked a setting. In development, this is not a huge issue as I can release the DotNet 4.0 websites when I am ready. But now that this has happened to a client on a production system, it is very worrisome.

[code]....

View 1 Replies

Trying To Create A Load Balancer (hardware) Rule Which Will Keep Track Of Sessions Based On The Aspxauth Cookie

Apr 19, 2010

Can somebody explain what ASPXAuth cookie does?

My website uses forms auth and I am trying to create a load balancer (hardware) rule which will keep track of sessions based on the aspxauth cookie. Is it safe to assume that the value of the cookie is unique?

View 2 Replies

Mix Cookieless With Cookie Session Stored Session Data?

Mar 19, 2011

Is it possible to use mixed cookieless sessions with cookie sessions? I have an application that captures user details and then redirects for payment to an SSL page. I was wondering if this is possible? [URL] redirects to [URL] Note: the session Id in the latter URL. So in essence, we use the standard cookie session for the majority of the application but when we transfer to an SSL page we pass the SessionId to the https URL to pick up the session. I've tried this locally but it starts a new session.

View 1 Replies

State Management :: Session Gets Lost When Set Session Response.cookie

Jan 25, 2011

I need to make my ASP.NET session cookie secure, but whenever I check user authentication and after that try to set the cookie to true, my session loses my user information, so it always redirects to the login page. I am setting the user in HttpContext.Current.Session["user"] and checking every time whether the user is valid, and if valid then moving ahead. But before that I set my ASP.NET session cookie to true.

[Code]....

But after that I observe that somehow the "Session_Start" event gets called.

View 1 Replies

State Management :: Getting Data From Textbox Into A Cookie Or Session Variable?

Jan 10, 2011

(i) I have a simple application where I am getting data from a textbox and storing it in a cookie. I noticed that unless I set the Autopostback value of the textbox to TRUE, nothing is stored. Does anyone know why this is the case?

The code I am using is as follows:

[Code]....

View 4 Replies

MVC :: How To Use Session And Cookie

Sep 27, 2010

In ASP.NET MVC, how to use session and cookie?

I am trying to understand how a login session stored and implemented.

View 1 Replies

Set Cookie To Expire At End Of Session?

Sep 17, 2010

I'm surprised I couldn't find any answers.

How do I set my sessionid in my cookie to expire at the end of session? (when the browser closes or the user has been inactive for a period of time).

The two solutions I found were

(httpcookie).Expires = HttpContext.Current.Session.Timeout

Which gave me a compile error so I don't know if the user checked his code before posting. And the other was to set the expire date to 1 day ago which my gut says is wrong. How do I do this?

View 2 Replies

Get A Session / Cookie From Another Domain?

Jan 19, 2010

I've got a session/cookie from a phpBB forum. But I use ASP.NET in the website (the website has a different URL and domain than the forum).

Can I get the session/cookie from the phpBB forum in the ASP.NET website?

View 1 Replies

What Is The Lifetime For A Session Cookie

Sep 15, 2010

I say until you log out, session times out or you close the browser. But am I right?

I had an interview today and the interviewer wanted to know, if I log into a page and close the browser (without logging off), what happens to the session.

I said that the session will be orphaned. He says no - because their users are able to connect back to the session by just opening up the browser (using a cookie only). I told him that's a persistent cookie - not a session cookie. And I said that if that's the cause, there is nothing preventing the user from exporting the [persistent] cookie to another computer and starting the session on that computer.

At first he said you can't export a cookie but when I explained how, he said that he'll look but since many many people including 2 architects came up with the design, it is unlikely they are all wrong.

View 2 Replies

C# - Programmatically Get Session Cookie Name?

Sep 17, 2010

The default cookie name for the Session Id in ASP.NET is ASP.NET_SessionId. It's also possible to change this name to something else like <sessionState cookieName="FooBar" />.

Is there a member to easily access this name like with FormsAuthentication.FormsCookieName?

View 1 Replies

Forms Data Controls :: Displaying Session Strings In Gridview?

May 17, 2010

I have been trying to do this all day but nothing seems to work. SOMEONE please enlighten me !!! I am adding products to a string and displaying them in another page. All is good .... up till here.

Now I have a problem when saving these strings (ie: the added products) into gridview. I tried using objectdatasource but I'm getting confused. Anyone done this before ? Basically when the products are in gridview I want the user to press 'purchase items' button, and the items are written to the database.

View 14 Replies

Encrypt Session Id / Other Authenticate Value In Cookie Useful?

May 15, 2010

In web development, when session state is enabled, a session id is stored in a cookie (in cookieless mode, the query string will be used instead). In ASP.NET, the session id is encrypted automatically. There are plenty of topics on the internet regarding how you should encrypt your cookie, including the session id. I can understand why you want to encrypt private info such as DOB, but any private info should not be stored in a cookie in the first place. So for other cookie values such as session id, what is the purpose of encryption? Does it add security at all? No matter how you secure it, it will be sent back to the server for decryption.

To be more specific: for authentication purposes, turn off session (I don't want to deal with session timeout any more) and store some sort of id value in the cookie; on the server side, check if the id value exists and matches, and if it does, authenticate the user. Let the cookie value expire when the browser session is ended. This way vs. the ASP.NET forms authentication mechanism (it relies on session or session id, I think): does the latter one offer better security?

View 3 Replies

State Management :: Get New Session Cookie In IE7?

Oct 22, 2010

We have a local homepage, which connects to our production security environment. When I need to test my site in the test environment, I need to get a fresh cookie (not the one that was sent to me via the production security service, when I opened IE with the local homepage).

I am getting a fresh cookie fine in Mozilla; but in IE I always have the production cookie, and this disables my testing. What should I fix here?

View 4 Replies

Security :: Best Way To Connect A Cookie To A Session?

Sep 3, 2010

I usually like to do it the hard way, just to get a feel of what you can do! In ASP.NET there is probably a really simple way, Forms authentication etc., but this is what I have. I know from previous experience that you should never save a cookie that contains a password, so how to connect a session to a cookie when the user accesses the website, with saved cookie information?

I thought about using a Guid in the cookie, and then checking the database to see if that Guid is available, but this could be a sort of password-like effect.

[Code]...

View 1 Replies

Security :: Connection String In Web.config - Insecure?

Jul 16, 2010

My boss does like storing the connection string and credentials in the web.config - even when its encrypted.

He also doesn't want the IIS box and SQL box to both be in the same domain, or have trusted domains.

Is there a more secure method of connecting to SQL? Is there some kind of token login?

View 3 Replies

How To Store Value In Session If In Browser Cookie Is Disabled

Dec 1, 2010

Can I still store a value in session if cookies are disabled in the browser?

View 2 Replies

Get Session Cookie Name In Medium Trust Level?

Nov 30, 2010

Is it possible to get session cookie name in medium trust level? The code below works in full trust, but throws a security exception in medium trust level.

string sessionCookieName = ((SessionStateSection)WebConfigurationManager.GetSection("system.web/sessionState")).CookieName;

View 1 Replies

C# - Changing Expiry On Session State Cookie

Jun 9, 2010

I'm using ASP.NET Session State to keep track of logged in users on my site. However, one problem I'm running into is that by default ASP.NET session cookies are set to expire when the browser closes. I've tried setting my own ASP.NET_SessionId cookie and modifying the cookie's expiry using something similar to the following code:

Response.Cookies["ASP.NET_SessionId"].Expires = DateTime.Now.AddMonths(1);

None of these approaches work, they all set a second cookie with the same name. Is there a way of changing the session cookie's expiry?

View 3 Replies

State Management :: Change Session Cookie Name?

Dec 15, 2010

I would like to change the ASP.NET session cookie name "ASP.NET_Sessionid" to some other name. I specified <sessionState cookieName="MyCookieName" />. When I use Fiddler to view the response header, I can see "MyCookieName" with a randomly generated number under the cookie section; however, ASP.NET_SessionId also exists there.

View 2 Replies

Sharing Session Cookie Across Two Named Domains?

Jan 19, 2011

I have a .net webapplication with the following domains:

www.domain.com
sub.domain.com
files.domain.com

When a user is logged on to domain.com or sub.domain.com, I'd like them to share session state (i.e. be logged into both domains at once). This is possible to do by setting the domain on the session cookie to be ".domain.com". However, my problem is that the domain "files.domain.com" should not have session state due to security issues (XSS attacks from user-made files hosted on that domain are an issue).

Is it possible in ASP.NET to use the same asp.net session id for these two domains, but not the third one?

View 5 Replies






