i am trying to secure cookies in my asp.net 2.0 web application but web i try to use the following code in web.config
<httpRuntime enableVersionHeader="False"/>
<httpCookies httpOnlyCookies="true" requireSSL="true"/>
I have a doubt regarding secure cookie.
I have four servers 2 App Server(behind firewall) and 2 webservers and each server is accessing through Load Balancer.
App Server is a modules for Data Access layer and webserver is for Presentation layer.
My Issue is My Load Balancer has Secure certificate installed but certificate is not installed on servers and I want to make cookie as secure in site , as per my understanding " cookie should be set as secure only for SSL site other ways new session will get create every time" so should I install SSL certificate on webserver to make my cookie as secure or will it work properly even if only Load Balance has SSL.
I have a GUI when i log in i create a cookie and it encrypt it. I am usin SSL.
I check in the Login.aspx page if the cookie is secure, which it is. but then before going to the default page it goes to the Global.ascx page.
Here in the Application_AuthenticateRequest it gets the cookie and decrypts it for the default page..
Now i know that it is getting the same cookie as all the other attributes match the one that was created in the Login.aspx page excet that the secure value is "False".
this is the case for all other pages after default. the value of the cookie.secure is false.
why is this happening as i want all the pages to be secure by SSL.
Also the pages are opening as https not http.
here is my web.config
[code]....
I want to save the user_email and user_password in my website Session and clear it when loggin out but i wantg to know how secure it is to store passwords?
View 3 RepliesI usually like to do it the hard way,just to get a feel of what you can do!In ASP.net there is probably a really simple way Forms authentication etc.but this is what I have.I know from previous experience that you should never save a Cookie that contains a password,so how to connect a session to a cookie when the user accesses the website,with saved cookies information.
I though about using a Guid,in the cookie,and then check the database to see if that guid is available,but this could be a sort of password like effect.
[Code]...
I have a littel problem.
In my asp.net application iam using Form FormsAuthentication.... and also use a session var to save a userID..
The problem is that ´when my session espire, the Form cooki is not expired.
I want form cooki to expire, when session expires....how?
Do i have to do it in Session_end event..
How do the code look like?
How can I transfer the login session of a user into a Cookie that would expire in 12 hours? I have a problem with Internet Explorer where whenever the user closes the window it would log them out automatically (which is by default what it is supposed to do). I am using VB.NET
View 4 RepliesI've recently read one of Jeff's articles about XSS and it got me thinking about how to better protect the login cookies in my home cooked authentication system.
[code]....
so one of the questionable things I do is use the UserAgent string. Is there harm in doing this? Or browsers which will change their UserAgent string under normal operation(as in, without being updated)? My goal is basically for if an attacker gets a login cookie, for them to not be able to do anything with it. At the moment, the only info I store in the cookie plain text is the username.
I have a custom mini login user control that I have embedded in the top of my website which shows on every page. These pages are non-secure HTTP://. I would like to avoid having to redirect the user to a HTTPS page to perform the login but I definitely don't want to send login credentials to the server in plain text.
I am trying find a method to send the user's login credentials encrypted via https from a non-secure (http) page.
I tried to set the postbackurl for the login button to itself but in https, but the user's input is not retained and the buttonLogin_click is not fired when I set the button postbackurl property. My ASP.net web application is VB.Net framework 4.0
I am assuming this can be done because I see lots of websites where login fields are on available on every page and they are running http and I can believe they are not encrypting the login credentials.
I need to make my asp.net session cookie as secure but whenever i check user authentication and after that i am trying to set cookie to true then my session lost my user information and so it always redirect login page. I am settings user to HttpContext.Current.Session["user"] and check every time, is user is valid and if valid then move ahead. but before that i make my asp.net session cookie as true.
[Code]....
but after that i observe that somehow "Session_Start" event gets called.
Is it possible to use mixed cookieless sessions with cookie sessions? I've an application that captured user details and then redirect for payment to an ssl page. I was wondering if this is possible? [URL] redirects to [URL] Note: the session Id in the latter url. So in essence, we use the standard cookie session for the majority of the application but when we transfer to an ssl page we pass the SessionId to the https url to pick up the session. I've tried this locally but it starts a new session.
View 1 Repliesin asp.net mvc, how to use session and cookie ?
I am trying to understand how a login session stored and implemented.
I'm surprised i couldnt find any answers.
How do i set my sessionid in my cookie to expire at the end of session? (when the browser closes or the user has been inactive for a period of tie).
The two solutions i found were
(httpcookie).Expires = HttpContext.Current.Session.Timeout
Which gave me a compile error so i dont know if the user checked his code before posting. And the other was to set the expire date to 1 day ago which my gut says is wrong. How do i do this?
I've got a session/coockie from a phpbb forum. But i use in the website asp.net (the website has a different url and domain then the forum).
Can i get the session/coockie from the phpbb forum in the asp.net website?
I say until you log out, session times out or you close the browser. But am I right?
I had an interview today and the interviewer wanted to know if I log into a page and closes the browser (without logging off), what happens to the session.
I said that the session will be orphaned. He says no - because their users are able to connect back to the session by just opening up the browser (using a cookie only). I told him that's a persistent cookie - not a session cookie. And I said that if that's the cause, there is nothing preventing the user from exporting the [persistent] cookie to a another computer and starting the session on that computer.
At first he said you can;t export a cookie but when I explained how, he said that he'll look but since many many people including 2 architects came up with the design, it is unlikely they are all wrong.
The default cookie name for the Session Id in ASP.NET is ASP.NET_SessionId. It's also possible to change this name to something else like <sessionState cookieName="FooBar" />.
Is there a member to easily access this name like with FormsAuthentication.FormsCookieName?
Example scenario:
User login has a list of associated 'accounts' it has access to... this list of accounts is stored in a database table, say tblAccountAccessControl, something like:
login, accountID
userA, account123
userA, account456
userA, account798
userB, accountABC
userB, accountDEF
etc..
This info is used throughout the web application and determines the 'domain' of information the particular login has access to. For example there are many other tables that have the 'accountID' field and whenever a page pulls data from the table it only pulls data that the currently logged in user should be allowed to see, based on that tblAccountAccessControl data.
The security question:
Do I need to query the database every time I need to get this list of allowed accountID's? I was about to use a plain old query string to pass a particular accountID to another page but quickly caught myself as I realized that would be a major security flaw (the receiving page was going to use that accountID to grab info from the database, and there would be nothing preventing a user from simply typing in a url manually to get data from an accountID they are not supposed to be allowed to view). So I then thought I'll just store the list of accountID's in a session state variable so they will be carried with the user throughout the session.
But then I remembered there are tools out there that allow you to easily intercept and modify asp.net viewstate information and I'm not sure if that would included session state variables, but I'm guessing they would. Is there a way to create a secure query string? If I used session state would that session state information be exposed and modifyable by utilities out there? Am I just stuck having to query the database every time I need this info to assure security? What about encrypting it and then storing in session state variable (just thought of that one)?
In web development, when session state is enabled, a session id is stored in cookie(in cookieless mode, query string will be used instead). In asp.net, the session id is encrypted automatically. There are plenty of topics on the internet regarding how you should encrypt your cookie, including session id. I can understand why you want to encrypt private info such as DOB, but any private info should not be stored in cookie at first place. So for other cookie values such as session id, what is the purpose encryption? Does it add security at all? no matter how you secure it, it will be sent back to server for decryption.
Be be more specific, For authentication purpose, turn off session, i don't want to deal with session time out any more store some sort of id value in the cookie, on the server side, check if the id value exists and matches, if it is, authenticate user. let the cookie value expire when browser session is ended, this way. vs Asp.net form authentication mechanism (it relies on session or session id, i think) does latter one offer better security?
We have a local homepage, which connect to our production security environment. When I need to test my site in test environment, I need to get fresh cookie (not the one that was sent to me via production security service, when I opened IE with local homepage).
I am getting fresh cookie fine in Mozilla; but in IE I always have production cookie, and this disables my testing. What I should fix here?
I am trying to achieve a SSO implimentation across my websites so i am using the machine key attribute to do so.now the trouble starts here as the website the user logs in is on the .net 1.1 framework and the website it it navigating to is .net 4.0.I have share the same machine-key across both the application . It works fine in my testing environment but as i move to the deployment server ,it just dosent work !So what i could do is read this article on MSDN :
http://msdn.microsoft.com/en-us/library/eb0zx8fc.aspx
this tells me to add a domin attribute like below
<forms loginUrl="~Login.aspx" defaultUrl="Default.aspx" protection="All" timeout="80" name=".ASPXAuth" domain="asbc.com"/>
but this thing just dosent work on the 1.1 application and throws an error Unrecognized attribute 'domain'.
Where do i get to mention the domin in my 1.1 application.?
Can i still store value in session if in browser cookie is disabled?
View 2 RepliesIs it possible to get session cookie name in medium trust level? The code below works in full trust, but throws a security exception in medium trust level.
string sessionCookieName = ((SessionStateSection)WebConfigurationManager.GetSection("system.web/sessionState")).CookieName;
I'm using ASP.NET Session State to keep track of logged in users on my site. However, one problem I'm running into is that by default ASP.NET session cookies are set to expire when the browser closes. I've tried setting my own ASP.NET_SessionId cookie and modifying the cookie's expiry using something similar to the following code:
Response.Cookies["ASP.NET_SessionId"].Expires = DateTime.Now.AddMonths(1);
None of these approaches work, they all set a second cookie with the same name. Is there a way of changing the session cookie's expiry?
I would like to change ASP.NET session cookie name "ASP.NET_Sessionid" to some other name. I specified <sessionState cookieName="MyCookieName" />. When I use fiddler to view response header, I can see "MyCookieName" with random generated number under cookie section, however, ASP.NET_SessionId also exist there.
View 2 RepliesI have a .net webapplication with the following domains:
www.domain.com
sub.domain.com
files.domain.com
When a user is logged on to domain.com or sub.domain.com, I'd like them to share session state (i.e. be logged into both domains at once). This is possible to do by setting the domain on the session coookie to be ".domain.com". However, my problem is that the domain "files.domain.com" should not have session state due to security issues (xss attacks from user-made files hosted on that domain is an issue).
Is it possible in ASP.NET to use the same asp.net session id for these two domains, but not the third one?