Prevent Authentication Disasters
Persistent authentication cookies can last for years, opening a huge window for replay attacks.
October 30, 2009
asp:HotTip
LANGUAGES: C#
TECHNOLOGIES: Forms Authentication
By Jeff Prosise
ASP.NET's forms authentication module simplifies the development of Web applications that use forms logins to secure resources. But used unmodified, forms authentication is an accident waiting to happen. Consider the following statements, typical of those found in forms authentication examples, which authenticate a user; send them to the page they requested before ASP.NET redirected them to the login page; and issue a persistent authentication cookie that prevents them from having to log in again and again:
// Second argument = true requests a persistent ("remember me") cookie
if (AuthenticateUser(name, password))
    FormsAuthentication.RedirectFromLoginPage(name, true);
Unfortunately, a persistent authentication cookie issued by FormsAuthentication.RedirectFromLoginPage remains valid for - get this - 50 years! To shorten the cookie's lifetime and reduce the window of opportunity for replay attacks, issue the cookie this way instead:
if (AuthenticateUser(name, password)) {
    // Work out where the user was headed before the login redirect
    string url = FormsAuthentication.GetRedirectUrl(name, true);
    // Issue the persistent cookie (50-year lifetime by default) ...
    FormsAuthentication.SetAuthCookie(name, true);
    HttpCookie cookie =
        Response.Cookies[FormsAuthentication.FormsCookieName];
    // ... then set the cookie to expire 7 days from now
    cookie.Expires = DateTime.Now + new TimeSpan(7, 0, 0, 0);
    Response.Redirect(url);
}
This modified approach adds the authentication cookie to the HTTP response and sets its expiration date to seven days hence, then manually redirects to the page the user requested originally. The resulting authentication cookie is good for seven days instead of 50 years - a measure your IT staff surely will appreciate!
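The cookie's Expires property only tells the browser when to discard the cookie; on each request the server's FormsAuthenticationModule decrypts the cookie and decides from the expiration stored inside the encrypted ticket itself. The following login page, an added example that is not code from the article, sets both lifetimes to the same seven days by building the FormsAuthenticationTicket explicitly rather than calling SetAuthCookie and adjusting the cookie afterwards. It assumes ASP.NET 2.0 or later (for HttpOnly and RequireSSL), an application that uses a membership provider so that Membership.ValidateUser can stand in for the article's AuthenticateUser helper, and hypothetical UserName, Password, RememberMe and Status controls on the page.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added example, not code from the original article. Assumes an ASP.NET Web
// Forms login page (.NET 2.0 or later) with hypothetical UserName, Password,
// RememberMe and Status controls and a configured membership provider.
public partial class Login : System.Web.UI.Page
{
    // Lifetime of a persistent ("remember me") login: seven days, as in the article
    private static readonly TimeSpan PersistentLifetime = TimeSpan.FromDays(7);
    // Lifetime of a non-persistent (browser session) login
    private static readonly TimeSpan SessionLifetime = TimeSpan.FromMinutes(30);

    protected void LoginButton_Click(object sender, EventArgs e)
    {
        string name = UserName.Text;
        string password = Password.Text;

        if (!AuthenticateUser(name, password))
        {
            Status.Text = "Invalid user name or password.";
            return;
        }

        bool persistent = RememberMe.Checked;
        Response.Cookies.Add(BuildAuthCookie(name, persistent));
        Response.Redirect(FormsAuthentication.GetRedirectUrl(name, persistent));
    }

    // Stands in for the article's AuthenticateUser helper (assumption: the
    // application is configured with a membership provider).
    private static bool AuthenticateUser(string name, string password)
    {
        return Membership.ValidateUser(name, password);
    }

    // Builds the forms authentication cookie with an explicit expiration inside
    // the encrypted ticket, which is the value the server checks on each request.
    public static HttpCookie BuildAuthCookie(string name, bool persistent)
    {
        DateTime issued = DateTime.Now;
        DateTime expires = issued + (persistent ? PersistentLifetime : SessionLifetime);

        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1,                                   // ticket version
            name,
            issued,
            expires,                             // server-side validity ends here
            persistent,
            String.Empty,                        // no user data
            FormsAuthentication.FormsCookiePath);

        HttpCookie cookie = new HttpCookie(
            FormsAuthentication.FormsCookieName,
            FormsAuthentication.Encrypt(ticket));
        cookie.Path = FormsAuthentication.FormsCookiePath;
        cookie.HttpOnly = true;                          // keep page script from reading the ticket
        cookie.Secure = FormsAuthentication.RequireSSL;  // honour <forms requireSSL="true" />
        if (persistent)
        {
            // Browser-side lifetime matches the ticket, so the browser stops
            // sending the cookie at the same moment the server stops accepting it.
            cookie.Expires = expires;
        }
        return cookie;
    }

    // Mirrors what FormsAuthenticationModule does with an incoming cookie value:
    // decrypt it and reject any ticket whose embedded expiration has passed.
    public static bool IsTicketValid(string cookieValue)
    {
        try
        {
            FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(cookieValue);
            return ticket != null && !ticket.Expired;
        }
        catch (Exception)
        {
            return false;   // malformed, tampered or wrongly keyed cookie value
        }
    }
}
```

With this shape the seven-day limit is enforced where it matters, in the ticket the server validates, and the cookie's Expires merely keeps the browser from presenting a ticket that would be rejected anyway. IsTicketValid is included only to make the server-side check visible; the module performs it for you on every request.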
About the Author
Jeff Prosise is the author of several programming books, including Programming Microsoft .NET (Microsoft Press). He also is a co-founder of Wintellect (http://www.wintellect.com), a software consulting and education firm that specializes in .NET.