Session Hijacking Prevention


 Is it possible to steal a cookie and authenticate as an administrator?

Yes it is possible, if the Forms Auth cookie is not encrypted, someone could hack our cookie to give themselves elevated privileges or if SSL is set to not required, copy some other person's cookie.
Encrypting the session value will have zero effect. The session cookie is already an arbitrary value, encrypting it will just generate another arbitrary value that can be sniffed.
 However, there are steps we can take to mitigate these risks:
On the system.web/authentication/forms element:
  1. requireSSL=true. This requires that the cookie only be transmitted over SSL
  2. slidingExpiration=false. When true, an expired ticket can be reactivated.
  3. cookieless=false. Do not use cookieless sessions in an environment where are you trying to enforce security.
  4. enableCrossAppRedirects=false. When false, processing of cookies across apps is not allowed.
  5. protection=all. Encrypts and hashes the Forms Auth cookie using the machine key specified in the machine.config or web.config. This feature would stop someone from hacking their own cookie as this setting tells the system to generate a signature of the cookie and on each authentication request, compare the signature with the passed cookie.
Note: If you so wanted, you could add a small bit of protection by putting some sort of authentication information in Session such as a hash of the user’s username (Never put the username in plain text or their password). This would require the attacker to steal both the Session cookie and the Forms Auth cookie.
Currently in portal cookie expiration is 1 year for users who have checked “Save Your User Name on This Computer” this has to be set to shorter period.

Links referred are below:

Comments

Post a Comment

Popular posts from this blog

Database Server administration concepts for Architects/ Tech Leads/ Database developers

Most of us must have heard of Database replication/ mirroring but few of us would have tried to explore the details. This article explains about these concepts which would give you an overall understanding of Database server concepts which are used for large applications. What is Database Mirroring? Database mirroring is a primarily software solution for increasing database availability. It maintains two copies of a single database that must reside on different server instances of SQL Server Database Engine. What is Database Replication? It is a set of technology for copying and distributing data and database objects from one database to another and then synchronizing between databases to maintain consistency. Using replication, you can distribute data to different locations and to remote or mobile users over local and wide area networks, dial-up connections, wireless connections, and the Internet. Most of the development community think that above two mentioned questions
Read more

Shared Nothing Architecture (SN Architecture) and Sharding database

  SN Architecture : A shared  nothing architecture (SN) is a distributed computing approach in which each node is independent and self-sufficient, and there is no single point of contention required across the system.   This means no resources are shared between nodes (No shared memory, No shared file storage)   The nodes are able to work independently without depending on each other for any work.   Failure on one node affects only the users of that node, however other nodes continue to work without any disruption.   This approach is highly scalable since it  avoid  the existence of single bottleneck in the system. Shared nothing is recently become popular for web development due to its linear scalability. Google has been using it for long time.     In theory, A shared nothing system can scale almost infinitely simply by adding nodes in the form of inexpensive machines.   Sharding:   is  an  architectural approach that distributes a single logical database system into a cluster of mac
Read more