How To Decrypt Public ASPXAUTH Cookie And Security
Mar 18, 2010
Due to a bug in Flash, I have to use the ASPXAuth cookie to log a user in on a page that a flash upload script calls after upload. See this page for more information: [URL]
I have to make the ASPXAUTH string "public" in the sense that it will be in the HTML of the page. My question is, how secure is this?
I understand that anyone that can get to the string in the HTML can probably get to it from the cookie just as easily, but let's say someone does have this ASPXAUTH string. Is it possible that they can login as another user using this cookie? Would they be able to decrypt it?
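A defender-side alternative for the situation above, added here as an example and not code from the original post: rather than writing the .ASPXAUTH value into the page HTML (which gives it up to any script on the page, losing the HttpOnly protection the cookie normally has), the page mints a short-lived, single-use upload token bound to the already authenticated user, and the handler the Flash uploader calls redeems it. The forms-authentication ticket itself is encrypted and MAC-protected with the machineKey, so it cannot be read or forged without that key, but whoever presents it is that user until it expires; the token limits what a leaked value is good for. The names UploadTokenStore, IssueToken, Redeem and the uploadToken form field are assumptions, and the code assumes .NET 4 or later for ConcurrentDictionary.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Web;

// Example (not from the original post): a single-use token for the upload callback,
// so the .ASPXAUTH ticket never has to appear in the page HTML.
public static class UploadTokenStore
{
    private sealed class Entry
    {
        public string UserName;
        public DateTime ExpiresUtc;
    }

    // In-process store; a web farm would need a shared cache instead.
    private static readonly ConcurrentDictionary<string, Entry> Tokens =
        new ConcurrentDictionary<string, Entry>(StringComparer.Ordinal);

    private static readonly TimeSpan Lifetime = TimeSpan.FromMinutes(2);

    // Called by the page that hosts the uploader, e.g. with
    // HttpContext.Current.User.Identity.Name as the user name.
    public static string IssueToken(string userName)
    {
        var bytes = new byte[32];
        using (var rng = new RNGCryptoServiceProvider())
        {
            rng.GetBytes(bytes);
        }
        // URL-safe base64 so the value can travel as a form field or query parameter.
        string token = Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
        Tokens[token] = new Entry { UserName = userName, ExpiresUtc = DateTime.UtcNow + Lifetime };
        return token;
    }

    // Called by the upload handler. Returns the user name exactly once, or null if the
    // token is unknown, already used, or expired.
    public static string Redeem(string token)
    {
        Entry entry;
        if (string.IsNullOrEmpty(token) || !Tokens.TryRemove(token, out entry))
            return null;
        return entry.ExpiresUtc > DateTime.UtcNow ? entry.UserName : null;
    }

    // Drop tokens that were issued but never redeemed.
    public static void Sweep()
    {
        foreach (var pair in Tokens)
        {
            if (pair.Value.ExpiresUtc <= DateTime.UtcNow)
            {
                Entry ignored;
                Tokens.TryRemove(pair.Key, out ignored);
            }
        }
    }
}

// Upload handler: the Flash client posts the token along with the file.
public class UploadHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        string user = UploadTokenStore.Redeem(context.Request.Form["uploadToken"]);
        if (user == null)
        {
            context.Response.StatusCode = 403; // no valid token: treat as unauthenticated
            return;
        }
        // Save context.Request.Files on behalf of `user` here.
        context.Response.StatusCode = 200;
    }
}
```

The hosting page calls IssueToken for the logged-in user and passes the result to the Flash movie as a parameter; the token is useless after one redemption or two minutes, whereas an exposed .ASPXAUTH value stays valid for the ticket's whole lifetime.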
Without reading the whole text below, since this is on the ASP.Net side ... basically I think I need to know if there is a way to reduce the size of the forms authentication cookie. When using a DotNet 2.0 website, the ASPXAUTH cookie is about 232 bytes ... when using the same source code but upgraded to DotNet 4.0, the cookie is approximately 264 bytes; setting the ticketCompatibilityMode does not reduce the size since I think the default setting is Framework20. The length of the cookie, including its name, cannot be larger than 256 bytes in order to use it with the "Client Application Services".
I only did a cursory search of the asp.net forums, but will diligently look for an existing solution.
----- BACKGROUND AND RESEARCH -----
I have been using all three features of client application services (authentication, profiles, and roles) in my windows app (DotNet 3.5 framework) for almost two years now. Up until now, I have not had any problems. This week I hit a brick wall and am pretty stumped with two separate but related issues.
Issues:
In development, we decided to upgrade our websites/services to DotNet 4.0. All applications upgraded successfully. However, we are unable to log into our application using Client Application Services. No matter what user we use, Membership.ValidateUser returns false. Since we know the usernames and passwords, we thought this was strange. When debugging the application, we found that Membership.ValidateUser was throwing an InvalidOperationException (see below for the complete exception) stating that the ASPXAUTH property was too long, longer than the schema created in the SQL/CE database. (See below for things tried.)
In production ... a user all of a sudden could no longer gain access to the application. Upon inspection, his ASPXAUTH cookie was 264 characters long (9 characters longer than the schema's nvarchar(256)). Even though the user was being authenticated on the "server side", and the JSON query returned "{"d":true}", Membership.ValidateUser returned false. Again, as in the case above, the actual error was ...
I am assuming I am missing something very simple or that I overlooked a setting. In development, this is not a huge issue as I can release the DotNet 4.0 websites when I am ready. But now that this has happened to a client on a production system, it is very worrisome.
I have a curl script that logs in to two other websites to submit forms from behind the login successfully. However, I've recently tried to use a variation of this script for a third website. It works as far as returning the first page after login but then it treats any further cURL calls as if I haven't logged in. I discovered (well I think) that it's to do with the .ASPXAUTH cookie not being set. I do have a cookiefile and cookiejar setup in my cURL code and it catches the .ASP.NET_SessionID successfully, but not the ASPXAUTH cookie.
I noticed that I can see the .ASPXAUTH cookie value in the headers when I watch "Live HTTP headers" but I can't get my cURL script to return the header with this set-cookie very easily. It seems that the cookie is set on a 302 after login and cURL is not handling this correctly. So I turned off CURLOPT_FOLLOWLOCATION and was trying to handle the redirect myself but I still can't get it right (the server returns a really strange redirect URL and I don't think I'm doing this part right).
I'm using ASP authentication and the integrated webservice.
The user logs in with Forms authentication on a login page.
To log out, I call the authentication webservice from Silverlight and call logout.
Everything worked OK but now sometimes IE gets crazy and doesn't log out the user anymore.
I used Fiddler and it turns out that the authentication service returns a SetCookie to clear the ASPXAUTH cookie but on the next call IE still has the cookie set.
So of course, because the cookie is there, the user is authenticated and logs right back in rather than being directed to the login page.
I checked and didn't see any other description of the issue.
I can't reproduce it and my colleagues that have a misbehaving IE have it working fine on one environment and not on the other (one has the issue for DEV and another has the issue for the PreProd server).
I thought the .ASPXAUTH was for user authentication? Can anyone confirm if this cookie is indeed a security risk and/or contains session information? Is it even supposed to be used or is it some debug thing?
My website uses forms auth and I am trying to create a load balancer (hardware) rule which will keep track of sessions based on the aspxauth cookie. Is it safe to assume that the value of the cookie is unique?
I have an asp.net page where I have used FormsAuthentication.HashPasswordForStoringInConfigFile. The encrypted password is saved in the database. I have created a forgotPassword page, where I need to send the user his password. How can I decrypt it and send it to the user? If SHA1 cannot be decrypted, what other option should I use to encrypt the passwords?
I'm teaching myself ASP.net. I'm creating an application that needs to store sensitive data. So, I found the following Blog to encrypt and decrypt data.
[URL]
I'm sure it's my app, but I wanted to make sure I'm not missing anything obvious. For some reason, my app and Encryptor only work when I pass fewer than 7 characters. If I pass 8, it doesn't commit to the database. If I remove Encryptor, the app will store
Ok, this one might be a bit tough to figure out, but each day when users open their application the following error is generated and they cannot enter the application: "Failed to decrypt using provider 'EncryptionProvider'. Error message from the provider: The RSA key container could not be opened." Guess what fixes it... I have to open the application 1 time and then all of the users can begin to open the application. This is not an issue with the encryption/decryption of the .config never having worked; it works just fine - but not all of the time. It sounds like a permissions issue to me, like me opening the app grants access to the key file for a time period, and the next day the issue starts all over again. Here is what I have already done (actually when I set up encryption originally), as the many, many posts with this issue are resolved with, but none have worked:
- aspnet_regiis -pa "MyWebKeys" "NT Authority\NETWORK SERVICE"
- aspnet_regiis -pa "MyWebKeys" "ASPNET"
- Gave the ASPNET account read access to the "C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys" folder
- Gave the NETWORK SERVICE account read access to the "C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys" folder
I did not do the following, since I am not using the default machine keys, but rather the imported "MyWebKeys" container
"MyWebKeys" is an imported key container on the server that, upon importing, resides in the default "C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys" directory. So it appears I have covered everything, right? What am I missing? Do I have to add individual users or groups with the -pa command that use my application to allow access to the container? Remember the encryption/decryption does work 95% of the time. It just seems that each day in the morning, I must open the app once prior to the users being able to open the application, which tells me it is a permissions issue because I am an Admin on the server and they are not, but I thought all of this runs under the NETWORK SERVICE account anyway?
So I don't need to use Q and A for password retrieval (I use email password recovery), but I would like to use Q and A as an Admin, just as that higher level of security. How can I turn off the encryption of the answer of the Q and A, or decrypt it in a report or something?
I am working on encryption and decryption and am able to encrypt and decrypt a text file but not able to do the same for MS Word or any other file other than a text file. I am using the code below.
When I try to encrypt it goes fine... but when I try to decrypt it right after, I get a "Length of the data to decrypt is invalid" error... the error occurs when I try to run the code FlushFinalBlock(); here is my code:
I have a HyperLink column in a gridview that, when clicked, should navigate the user to another page. I pass parameters to the page using a querystring. I want to encrypt the querystring when it is passed to another page.
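The two posts above about encrypting non-text files and about the "Length of the data to decrypt is invalid" error describe the same pitfall, so one added example (not code from either post) covers both: AES-CBC encryption and decryption that treats the input as raw bytes, writes the IV in front of the ciphertext, and flushes the final block, so a Word document round-trips the same way a text file does. That error is what .NET throws when the ciphertext handed to the decryptor is not a whole number of blocks, which typically happens when the ciphertext bytes were converted to a string with Encoding.UTF8.GetString and back (bytes that are not valid UTF-8 are lost) or when the encryptor was never flushed. FileCrypto and its method names are assumptions.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;

// Example (not from the original posts): encrypt and decrypt arbitrary bytes with AES,
// carrying the IV with the ciphertext and finishing the final block on both sides.
public static class FileCrypto
{
    public static byte[] Encrypt(byte[] plaintext, byte[] key)
    {
        using (var aes = Aes.Create())
        {
            aes.Key = key;                 // 16, 24 or 32 bytes
            aes.Mode = CipherMode.CBC;
            aes.Padding = PaddingMode.PKCS7;
            aes.GenerateIV();              // fresh random IV per message
            byte[] iv = aes.IV;

            using (var output = new MemoryStream())
            {
                output.Write(iv, 0, iv.Length); // the IV is not secret; prepend it
                using (var encryptor = aes.CreateEncryptor())
                using (var cs = new CryptoStream(output, encryptor, CryptoStreamMode.Write))
                {
                    cs.Write(plaintext, 0, plaintext.Length);
                    cs.FlushFinalBlock();  // emits the padded last block
                }
                return output.ToArray();   // valid even after the CryptoStream closed the stream
            }
        }
    }

    public static byte[] Decrypt(byte[] ciphertext, byte[] key)
    {
        using (var aes = Aes.Create())
        {
            int blockBytes = aes.BlockSize / 8; // 16 for AES
            // IV plus at least one full block, and the body must be whole blocks;
            // anything else is what produces "Length of the data to decrypt is invalid".
            if (ciphertext.Length < 2 * blockBytes || (ciphertext.Length - blockBytes) % blockBytes != 0)
                throw new CryptographicException("Ciphertext is not a whole number of blocks; was it stored as text?");

            var iv = new byte[blockBytes];
            Buffer.BlockCopy(ciphertext, 0, iv, 0, blockBytes);
            aes.Key = key;
            aes.IV = iv;
            aes.Mode = CipherMode.CBC;
            aes.Padding = PaddingMode.PKCS7;

            using (var input = new MemoryStream(ciphertext, blockBytes, ciphertext.Length - blockBytes))
            using (var decryptor = aes.CreateDecryptor())
            using (var cs = new CryptoStream(input, decryptor, CryptoStreamMode.Read))
            using (var output = new MemoryStream())
            {
                cs.CopyTo(output);         // reads through the final, unpadded block
                return output.ToArray();
            }
        }
    }

    // Files are handled as their raw bytes, never as a string decoded from them.
    public static void EncryptFile(string inPath, string outPath, byte[] key)
    {
        File.WriteAllBytes(outPath, Encrypt(File.ReadAllBytes(inPath), key));
    }

    public static void DecryptFile(string inPath, string outPath, byte[] key)
    {
        File.WriteAllBytes(outPath, Decrypt(File.ReadAllBytes(inPath), key));
    }

    public static void Main()
    {
        var key = new byte[32];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(key);

        // Constructed sample: 1000 bytes of binary data, standing in for a .docx.
        var sample = new byte[1000];
        new Random(1).NextBytes(sample);

        byte[] enc = Encrypt(sample, key);
        byte[] dec = Decrypt(enc, key);
        Console.WriteLine(dec.Length == sample.Length ? "round trip ok" : "round trip FAILED");
    }
}
```

If the ciphertext has to live in a text column, convert it with Convert.ToBase64String and Convert.FromBase64String rather than a text encoding. CBC on its own gives no integrity check, so ciphertext that crosses a trust boundary should additionally be covered by an HMAC over the IV and ciphertext, or produced with an authenticated mode.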
I am working on a new site and I want to do two things for security:
1. I want to encrypt the password of the user who registers on my site and also decrypt it to enable him to log in again.
2. I will make online exams, so I want to disable the user functions to hack the exam materials such as (print page, print screen, or even selecting data manually by mouse). I googled a lot about this matter and found JavaScripts to do this, but what about the users who disable scripts in their browsers? So I want to do this with C# code.
I have a web application that encrypts data using a public key and sends it to another web application, which will then decrypt the data using the user's private key. My question is, since the private and public keys are generated in the first application, how does the other application get the private key?
I'm building a complex, public web service in WCF that sends email to a specific address, similar to a contact form but with some features. With jQuery I get the data from the textbox and with Ajax and JSON I send the strings to the web service to proceed with the send.
Now, is there a good way to make it secure?
I mean... the service is public so someone can have access to it and start spamming this address. Can I restrict the users to use the web service only from the correct web site?
I have developed an Inventory Management System in ASP.Net. The application is hosted now ... From manager to data entry operator, everyone has a separate login, roles and limitations to access the website ... From our office everyone is accessing the application and working on it. My question is, can they even access the application from a public PC (Browsing Center)? Because they know the password. Am I right? Now, I need to restrict my application access in public PCs (Browsing Center). Can I limit access to my website application to only the office and not public PCs (Browsing Center)? Can I allow only certain IPs to access my website application?