Session Hijacking Prevention
Is it possible to steal a cookie and authenticate as an administrator?
Yes, it is possible. If the Forms Auth cookie is not encrypted, someone could tamper with their own cookie to give themselves elevated privileges; and if SSL is set to not required, they could copy some other person's cookie off the wire.
Encrypting the session value itself has no effect: the session cookie is already an arbitrary value, and encrypting it just produces another arbitrary value that can be sniffed in the same way.
However, there are steps we can take to mitigate these risks:
On the system.web/authentication/forms element:
- requireSSL=true. This requires that the cookie only be transmitted over SSL.
- slidingExpiration=false. When true, an expired ticket can be reactivated.
- cookieless=false. Do not use cookieless sessions in an environment where you are trying to enforce security.
- enableCrossAppRedirects=false. When false, processing of cookies across apps is not allowed.
- protection=all. Encrypts and hashes the Forms Auth cookie using the machine key specified in machine.config or web.config. This stops someone from tampering with their own cookie: the system generates a signature of the cookie and, on each authenticated request, compares that signature with the cookie that was presented.
Note: if you wanted, you could add a small extra layer of protection by putting some authentication information in Session, such as a hash of the user's username (never the username in plain text, and never the password), and comparing it against the authenticated identity on each request. An attacker would then have to steal both the Session cookie and the Forms Auth cookie.
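As an added example (not code from the original page), the following C# HTTP module for a classic ASP.NET (System.Web) application covers both the configuration list above and this note: at start-up it audits the forms element against the recommended values and refuses to start if any setting is weaker, and on each authenticated request it checks that the Session holds a hash derived from the username in the Forms Auth ticket, signing the user out when the two cookies do not belong together. The class name, the "AuthBinding" session key and the one-hour timeout ceiling are assumptions made for this example.

```csharp
// Added example, not code from the original page. A classic ASP.NET
// (System.Web) IHttpModule that (1) audits the <forms> element at start-up
// against the settings recommended above and (2) binds the Forms Auth ticket
// to the ASP.NET Session with a hash of the username, as the note suggests.
// The class name, the "AuthBinding" session key and the one-hour timeout
// ceiling are assumptions made for this example.
using System;
using System.Configuration;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.Configuration;
using System.Web.Security;
using System.Web.SessionState;

public class SessionBindingModule : IHttpModule
{
    private const string BindingKey = "AuthBinding"; // assumed session key name

    public void Init(HttpApplication app)
    {
        AuditFormsAuthConfig();
        // Session state is first available at PostAcquireRequestState.
        app.PostAcquireRequestState += OnPostAcquireRequestState;
    }

    public void Dispose() { }

    // (1) Fail fast if web.config is weaker than the recommended settings.
    public static void AuditFormsAuthConfig()
    {
        var auth = (AuthenticationSection)ConfigurationManager.GetSection("system.web/authentication");
        if (auth == null || auth.Mode != AuthenticationMode.Forms)
            return; // Forms Authentication is not in use; nothing to audit

        FormsAuthenticationConfiguration forms = auth.Forms;
        var problems = new StringBuilder();
        if (!forms.RequireSSL)
            problems.AppendLine("requireSSL must be true");
        if (forms.SlidingExpiration)
            problems.AppendLine("slidingExpiration must be false");
        if (forms.Cookieless != HttpCookieMode.UseCookies) // "cookieless=false" above
            problems.AppendLine("cookieless must be UseCookies");
        if (forms.EnableCrossAppRedirects)
            problems.AppendLine("enableCrossAppRedirects must be false");
        if (forms.Protection != FormsProtectionEnum.All)
            problems.AppendLine("protection must be All");
        if (forms.Timeout > TimeSpan.FromHours(1)) // one-hour ceiling is an assumption
            problems.AppendLine("timeout exceeds one hour");

        if (problems.Length > 0)
            throw new ConfigurationErrorsException("Insecure <forms> configuration:\n" + problems);
    }

    // Call once, right after FormsAuthentication.SetAuthCookie(...) in the login
    // code, so the binding exists from the first authenticated request onwards.
    public static void Bind(HttpSessionState session, string userName)
    {
        session[BindingKey] = BindingHash(userName, session.SessionID);
    }

    // (2) On every authenticated request the Session must carry the hash that
    // matches the identity in the Forms Auth ticket; otherwise the two cookies
    // did not originate from the same login and the request is rejected.
    private static void OnPostAcquireRequestState(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        if (ctx.Session == null || ctx.User == null || !ctx.User.Identity.IsAuthenticated)
            return; // unauthenticated requests (including the login page) are not bound

        string expected = BindingHash(ctx.User.Identity.Name, ctx.Session.SessionID);
        string stored = ctx.Session[BindingKey] as string;
        if (stored != null && FixedTimeEquals(stored, expected))
            return; // both cookies belong to the same login

        ctx.Session.Abandon();
        FormsAuthentication.SignOut();
        FormsAuthentication.RedirectToLoginPage(); // ends the current request
    }

    // SHA-256 over the session ID and the username. The username itself is
    // never stored in Session; the session ID acts as a per-session salt.
    public static string BindingHash(string userName, string sessionId)
    {
        using (var sha = SHA256.Create())
        {
            byte[] data = Encoding.UTF8.GetBytes(sessionId + "\0" + userName);
            return Convert.ToBase64String(sha.ComputeHash(data));
        }
    }

    // Constant-time comparison; CryptographicOperations.FixedTimeEquals is
    // not available on .NET Framework.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Register the module in web.config (under system.webServer/modules for the integrated pipeline, or system.web/httpModules for classic mode) and call SessionBindingModule.Bind(Session, userName) immediately after FormsAuthentication.SetAuthCookie in the login code. Because a missing binding is rejected rather than silently created, a Session timeout also ends the authenticated session even while the Forms ticket is still valid; that is the trade-off which makes a stolen Forms Auth cookie useless on its own.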
Currently, the portal's cookie expiration is 1 year for users who have checked “Save Your User Name on This Computer”; this has to be set to a shorter period.
Links referred to are below: