Is it possible to steal a cookie and authenticate as an administrator?
Yes, it is possible. If the Forms Auth cookie is not encrypted, someone could tamper with their own cookie to give themselves elevated privileges, or, if SSL is not required, copy another person's cookie.
Encrypting the session value will have zero effect. The session cookie is already an arbitrary value; encrypting it would just produce another arbitrary value that can be sniffed.
However, there are steps we can take to mitigate these risks:
On the system.web/authentication/forms element:
- requireSSL=true. This requires that the cookie only be transmitted over SSL.
- slidingExpiration=false. When true, an expired ticket can be reactivated.
- cookieless=false. Do not use cookieless sessions in an environment where you are trying to enforce security.
- enableCrossAppRedirects=false. When false, processing of cookies across apps is not allowed.
- protection=all. Encrypts and hashes the Forms Auth cookie using the machine key specified in machine.config or web.config. This setting stops someone from tampering with their own cookie, because the system generates a signature for the cookie and, on each authentication request, compares that signature with the cookie that was passed.
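One way to make sure a deployment actually carries the settings in the list above is a startup self-check that reads the effective Forms Auth configuration and refuses to start when any of them deviates. The following is an added example, not code from the original page or from any particular portal; it assumes ASP.NET 4.x (System.Web) and a call from Application_Start in Global.asax. Note that the cookieless attribute takes HttpCookieMode values, and UseCookies is the value that corresponds to the "false" in the list. The 60-minute ceiling on the ticket timeout is an assumed policy value, not something the page states.

```csharp
// Added example (not from the original page): fail fast when the deployed <forms>
// element does not match the hardening list. Assumes ASP.NET 4.x and System.Web.
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Configuration;
using System.Web.Security;

public static class FormsAuthConfigCheck
{
    // Assumed policy: no Forms Auth ticket should live longer than this.
    private static readonly TimeSpan MaxTicketLifetime = TimeSpan.FromMinutes(60);

    // Returns every setting that deviates from the recommended value; an empty list means compliant.
    public static IList<string> FindWeakSettings()
    {
        var problems = new List<string>();

        if (!FormsAuthentication.RequireSSL)
            problems.Add("requireSSL is false: the ticket can travel in clear text and be sniffed");

        if (FormsAuthentication.SlidingExpiration)
            problems.Add("slidingExpiration is true: the ticket lifetime is extended on every request");

        if (FormsAuthentication.CookieMode != HttpCookieMode.UseCookies)
            problems.Add("cookieless is not UseCookies: the ticket may travel in the URL");

        if (FormsAuthentication.EnableCrossAppRedirects)
            problems.Add("enableCrossAppRedirects is true: tickets can be accepted from other applications");

        if (FormsAuthentication.Timeout > MaxTicketLifetime)
            problems.Add("timeout exceeds the assumed policy maximum of " + MaxTicketLifetime.TotalMinutes + " minutes");

        // 'protection' has no static accessor on FormsAuthentication; read it from the config section.
        var auth = WebConfigurationManager.GetSection("system.web/authentication") as AuthenticationSection;
        if (auth == null || auth.Forms.Protection != FormsProtectionEnum.All)
            problems.Add("protection is not All: the ticket is not both encrypted and signed");

        return problems;
    }

    // Call from Application_Start so a misconfigured deployment refuses to serve any request.
    public static void EnforceOrThrow()
    {
        IList<string> problems = FindWeakSettings();
        if (problems.Count > 0)
        {
            throw new InvalidOperationException(
                "Forms authentication is misconfigured:" + Environment.NewLine +
                string.Join(Environment.NewLine, problems));
        }
    }
}
```

Throwing from Application_Start means the application pool surfaces the problem at first request rather than quietly running with a sniffable or forgeable ticket, which is the failure mode the list is meant to prevent.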
Note: If you wanted, you could add a small bit of extra protection by putting some authentication information in Session, such as a hash of the user's username (never put the username in plain text, or their password). This would require the attacker to steal both the Session cookie and the Forms Auth cookie.
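The binding described in the note, worked through as an added example that is not code from the original page: at login a keyed hash of the user name is stored in Session, and on every later request the Forms Auth identity is recomputed and compared against it, so a request carrying only a stolen Forms Auth cookie (and therefore a fresh, empty session) is signed out. It assumes ASP.NET 4.x with System.Web; the session key name, the per-application secret and the Global.asax hook points named in the comments are assumptions. A keyed hash (HMAC) is used rather than a bare hash of the user name because short user names are trivial to brute-force from a plain digest.

```csharp
// Added example (not from the original page): tie the Session to the Forms Auth identity
// so that one stolen cookie is not enough. Assumes ASP.NET 4.x and System.Web.
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.Security;

public static class SessionBinding
{
    private const string SessionKey = "AuthBinding";   // assumed session key name

    // Assumed per-application secret; in real use load it from protected configuration.
    private static readonly byte[] Secret = Encoding.UTF8.GetBytes("replace-with-a-random-32-byte-secret");

    // Keyed hash of the user name. Only this value goes into Session, never the name itself.
    public static string Bind(string userName)
    {
        using (var hmac = new HMACSHA256(Secret))
        {
            byte[] digest = hmac.ComputeHash(Encoding.UTF8.GetBytes(userName.ToLowerInvariant()));
            return Convert.ToBase64String(digest);
        }
    }

    // Call right after a successful login, once FormsAuthentication.SetAuthCookie(...) has run.
    public static void OnLogin(HttpContext ctx, string userName)
    {
        ctx.Session[SessionKey] = Bind(userName);
    }

    // True only when the Forms Auth identity and the value stored in Session agree.
    public static bool IsConsistent(HttpContext ctx)
    {
        if (ctx.Session == null || ctx.User == null || !ctx.User.Identity.IsAuthenticated)
            return false;
        var stored = ctx.Session[SessionKey] as string;
        if (stored == null)
            return false;   // fresh session: the Forms Auth cookie did not come from this login
        return FixedTimeEquals(stored, Bind(ctx.User.Identity.Name));
    }

    // Call from Application_PostAcquireRequestState in Global.asax; Session is populated by then.
    public static void EnforceOrSignOut(HttpContext ctx)
    {
        if (ctx.Session == null) return;                                   // handler without session state
        if (ctx.User == null || !ctx.User.Identity.IsAuthenticated) return; // anonymous: nothing to bind
        if (IsConsistent(ctx)) return;

        // Mismatch: drop both cookies and force a new login.
        FormsAuthentication.SignOut();
        ctx.Session.Abandon();
        FormsAuthentication.RedirectToLoginPage();
    }

    // Constant-time comparison so the check does not leak where the two strings differ.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Calling the check from PostAcquireRequestState rather than PostAuthenticateRequest matters: Session is not yet available at the earlier event, so a check placed there would always see a null session and sign everyone out.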
Currently in the portal, cookie expiration is 1 year for users who have checked "Save Your User Name on This Computer"; this has to be set to a shorter period.
The links referred to are below: