Forms Authentication Cookies

The FormsAuthentication class creates the authentication cookie automatically when the FormsAuthentication.SetAuthCookie or FormsAuthentication.RedirectFromLoginPage methods are called. The following properties are included in a typical forms authentication cookie:
· Name. This property specifies the name of the cookie.

· Value. This property specifies the value of the cookie. In a typical forms authentication cookie, the value contains a string representation of the encrypted and signed FormsAuthenticationTicket object.

The cookie also has the following properties:

· Expires. This property specifies the expiration date and time for the cookie. Forms authentication only sets this value if your code indicates that a persistent forms-authentication cookie should be issued.

· Domain. This property specifies the domain with which the cookie is associated. The default value is null.

· HasKeys. This property indicates whether the cookie has subkeys.

· HttpOnly. This property specifies whether the cookie can be accessed by client script. In ASP.NET 2.0, this value is always set to true. Internet Explorer 6 Service Pack 1 supports this cookie attribute, which prevents client-side script from accessing the cookie from the document.cookie property. If an attempt is made to access the cookie from client-side script, an empty string is returned. The cookie is still sent to the server whenever the user browses to a Web site in the current domain.

Note: Web browsers that do not support the HttpOnly cookie attribute either ignore the cookie or ignore the attribute, which means that the session is still subject to cross-site scripting attacks.

· Path. This property specifies the virtual path for the cookie. The default value is "/", indicating the root directory.

· Secure. This property specifies whether the cookie should only be transmitted over an HTTPS connection. The Secure property should be set to true so that the cookie is protected by SSL encryption.

· Version. This property specifies the version number of the cookie.
Creating the Forms Authentication Cookie

The forms authentication cookie is created by the FormsAuthentication class as follows. Once the user is validated, the FormsAuthentication class internally creates a FormsAuthenticationTicket object by specifying the cookie name; the version of the cookie; the directory path; the issue date of the cookie; the expiration date of the cookie; whether the cookie should be persisted; and, optionally, user-defined data.
FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
    1,                                    // version of the ticket
    "userName",                           // authenticated user name
    DateTime.Now,                         // issue date
    DateTime.Now.AddMinutes(30),          // expiration; value of the timeout attribute
    false,                                // value of the IsPersistent property
    String.Empty,                         // optional user-defined data
    FormsAuthentication.FormsCookiePath); // cookie path
Next, forms authentication uses the Encrypt method for encrypting and signing the forms authentication ticket, if the protection attribute of the forms element is set to All or Encryption.

string encryptedTicket = FormsAuthentication.Encrypt(ticket);
The following text shows the process used when the protection attribute is set to All:

· Create a serialized forms authentication ticket. A byte array representation of the ticket is created.

· Sign the forms authentication ticket. The message authentication code (MAC) value for the byte array is computed by using the algorithm and key specified by the validation and validationKey attributes of the machineKey element. By default, the SHA1 algorithm is used.

· Encrypt the forms authentication ticket. The byte array produced by the signing step is encrypted by using the Encrypt method of the FormsAuthentication class. The Encrypt method internally uses the algorithm and key specified by the decryption and decryptionKey attributes on the machineKey element. ASP.NET version 1.1 uses the 3DES algorithm by default. ASP.NET version 2.0 uses the Rijndael (AES) algorithm by default.

· Create an HTTP cookie or query string as appropriate. The encrypted authentication ticket is then added to an HttpCookie object, or to the query string if forms authentication is configured for cookieless authentication. The cookie object is created using the following code:

HttpCookie authCookie = new HttpCookie(
    FormsAuthentication.FormsCookieName,
    encryptedTicket);

· Set the forms authentication cookie as secure. If forms authentication is configured to use SSL, the HttpCookie.Secure property is set to true. This instructs browsers to only send the cookie over HTTPS connections.

authCookie.Secure = true;

· Set the HttpOnly bit. In ASP.NET 2.0, this bit is always set.

· Set appropriate cookie attributes. If needed, set the path, domain and expires attributes of the cookie.

· Add the cookie to the cookie collection. The authentication cookie is added to the cookie collection to be returned to the client browser.

Response.Cookies.Add(authCookie);
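The steps above composed into one helper, as an added example that is not part of the original article or of ASP.NET itself. It assumes the ASP.NET 2.0 FormsAuthentication API, a 30-minute ticket lifetime matching the article's snippet, and that the Secure flag should follow the requireSSL setting; the class and method names are my own.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added example (not from the article): issue a forms authentication cookie
// by hand, following the article's sequence of steps.
public static class FormsAuthCookieIssuer
{
    // Ticket lifetime; the article's example uses 30 minutes (assumed here).
    private static readonly TimeSpan TicketLifetime = TimeSpan.FromMinutes(30);

    public static HttpCookie Issue(HttpResponse response, string userName,
                                   bool isPersistent, string userData)
    {
        DateTime issued = DateTime.Now;

        // 1. Build the ticket: version, name, issue/expiry, persistence, user data, path.
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1,
            userName,
            issued,
            issued.Add(TicketLifetime),
            isPersistent,
            userData ?? String.Empty,
            FormsAuthentication.FormsCookiePath);

        // 2. Serialize, sign (MAC) and encrypt according to the machineKey settings.
        string encryptedTicket = FormsAuthentication.Encrypt(ticket);

        // 3. Wrap the opaque string in the cookie named in web.config.
        HttpCookie authCookie = new HttpCookie(
            FormsAuthentication.FormsCookieName, encryptedTicket);

        // 4. Secure: honour requireSSL so the ticket never travels over plain HTTP.
        authCookie.Secure = FormsAuthentication.RequireSSL;

        // 5. HttpOnly: keep document.cookie from reading the ticket (always on in 2.0).
        authCookie.HttpOnly = true;

        // 6. Path and domain from configuration; Expires only for persistent cookies,
        //    otherwise the browser discards the cookie when it closes.
        authCookie.Path = FormsAuthentication.FormsCookiePath;
        if (!String.IsNullOrEmpty(FormsAuthentication.CookieDomain))
            authCookie.Domain = FormsAuthentication.CookieDomain;
        if (isPersistent)
            authCookie.Expires = ticket.Expiration;

        // 7. Queue the cookie for the response.
        response.Cookies.Add(authCookie);
        return authCookie;
    }
}
```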
Each time a subsequent request is received after authentication, the FormsAuthenticationModule class retrieves the authentication ticket from the authentication cookie, decrypts it, computes the hash value, and compares the MAC value to help ensure that the cookie has not been tampered with. Finally, the expiration time contained inside of the forms authentication ticket is verified.

Note: ASP.NET does not depend on the expiration date of the cookie because this date could be easily forged.
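The validation path described above, as an added example that is not the article's or ASP.NET's own code: it decrypts and MAC-checks the cookie through FormsAuthentication.Decrypt and then trusts only the expiration carried inside the signed ticket, never the cookie's Expires attribute. It assumes the ASP.NET 2.0 API; the class and method names are my own.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added example (not from the article): validate the forms authentication
// cookie on a subsequent request the way FormsAuthenticationModule does.
public static class FormsAuthCookieValidator
{
    // Returns the ticket if the cookie is present, untampered and unexpired;
    // otherwise null. The cookie's own Expires attribute is deliberately ignored,
    // because the client controls it.
    public static FormsAuthenticationTicket Validate(HttpRequest request)
    {
        HttpCookie authCookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (authCookie == null || String.IsNullOrEmpty(authCookie.Value))
            return null;

        FormsAuthenticationTicket ticket;
        try
        {
            // Decrypts with decryptionKey and verifies the MAC with validationKey.
            // A failed MAC check surfaces as an exception or a null ticket depending
            // on the framework version, so both are treated as "invalid cookie".
            ticket = FormsAuthentication.Decrypt(authCookie.Value);
        }
        catch (Exception)
        {
            return null;
        }
        if (ticket == null)
            return null;

        // Only the expiration inside the signed, encrypted ticket is trusted.
        if (ticket.Expired)
            return null;

        return ticket;
    }
}
```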