McAfee and Microsoft Warn About ASP.NET Forms Authentication

McAfee and Microsoft published articles that help developers understand how to better protect against session hijacking in applications based on ASP.NET.

ITPro Today

September 5, 2005


McAfee published a whitepaper that helps developers understand how to better protect against replay attacks in applications based on ASP.NET. Replay attacks are possible when an unauthorized user gains access to another user's cookie, which can lead to session hijacking. As long as the cookie has not expired, such attacks might be possible unless specific preventative measures are taken.

Microsoft also issued an article about the problem, which pertains to forms authentication. Both Microsoft and McAfee recommend a series of defenses to help build a stronger method of protection. Those include the use of SSL, absolute expiration dates, "HttpOnly" cookies, and storing user information in the MembershipUser object of the Membership class.

HttpOnly cookies are a feature only supported by Internet Explorer 6 Service Pack 1. The feature prevents scripts from accessing cookies. The Membership class is a feature only available in ASP.NET 2.0.
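The following is an added example, not code from the McAfee whitepaper or the Microsoft article, showing what the recommended defenses look like when a forms authentication cookie is issued and validated by hand in ASP.NET 2.0 (the `Membership` class requires 2.0). It assumes the standard `System.Web.Security` types; the class name `HardenedFormsAuth`, the 20-minute lifetime and the `isSecureConnection` flag are the example's own choices.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added example (hypothetical helper, not part of the articles): issue and
// validate a forms authentication cookie so that a copied cookie is of
// limited use to whoever captured it.
public static class HardenedFormsAuth
{
    // Absolute lifetime of the ticket. The expiration is never extended on
    // later requests, so a stolen cookie stops working at a fixed time.
    public static readonly TimeSpan TicketLifetime = TimeSpan.FromMinutes(20);

    public static HttpCookie CreateAuthCookie(string userName, bool isSecureConnection)
    {
        // Only hand out the cookie over SSL; otherwise it can be read on the wire.
        if (!isSecureConnection)
            throw new InvalidOperationException("Forms authentication cookie must only be issued over SSL.");

        DateTime issued = DateTime.Now;
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1,                          // ticket version
            userName,
            issued,
            issued.Add(TicketLifetime), // absolute expiration date
            false,                      // not persistent: browser session only
            string.Empty,               // no user data in the cookie itself
            FormsAuthentication.FormsCookiePath);

        string encrypted = FormsAuthentication.Encrypt(ticket);
        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encrypted);
        cookie.HttpOnly = true;  // script cannot read it (IE6 SP1 honours this flag)
        cookie.Secure = true;    // browser sends it only over HTTPS
        cookie.Path = FormsAuthentication.FormsCookiePath;
        // No cookie.Expires: a session cookie is discarded when the browser closes.
        return cookie;
    }

    // Validate a presented cookie. Expired tickets are rejected, not renewed,
    // and a cookie that does not decrypt is treated as tampered.
    public static FormsAuthenticationTicket ValidateAuthCookie(HttpCookie cookie, out string rejectReason)
    {
        rejectReason = null;
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
        {
            rejectReason = "no authentication cookie";
            return null;
        }

        FormsAuthenticationTicket ticket;
        try
        {
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (ArgumentException)
        {
            rejectReason = "cookie could not be decrypted";
            return null;
        }
        catch (HttpException)
        {
            rejectReason = "cookie could not be decrypted";
            return null;
        }

        if (ticket == null || ticket.Expired)
        {
            rejectReason = "ticket missing or expired";
            return null;
        }
        return ticket;
    }

    // User details live server-side in the Membership store, keyed by the
    // ticket's user name, rather than in the cookie where they could be replayed.
    public static MembershipUser LookupUser(FormsAuthenticationTicket ticket)
    {
        return Membership.GetUser(ticket.Name);
    }
}
```

The same properties can be enforced declaratively in web.config with `<forms requireSSL="true" slidingExpiration="false" />` (SSL only, absolute rather than sliding expiration) and `<httpCookies httpOnlyCookies="true" />` (ASP.NET 2.0); the code above is useful where a page builds the ticket itself and needs to see, in one place, which of the recommended measures are in effect.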

The problem with ASP.NET forms authentication was originally discovered by Rudolph Araujo, senior software security consultant with Foundstone Professional Services, which is a division of McAfee.
