I have an ASP.NET MVC application. In it, after the user signs in, we set a cookie for the logged-in user using FormsAuthentication.SetAuthCookie(userName, false).
On another page we get the cookie using FormsAuthentication.GetAuthCookie(userName).
The cookie's value, as a string, is then set with
Response.Cookies["username"].Value = cookiesvalue;
We have an .aspx page in the same application that downloads a Silverlight application. Silverlight reads the cookies using the code
string[] cookies = HtmlPage.Document.Cookies.Split(';');
The problem is that once the session expires in the application, Silverlight cannot read the cookie value.
After the session expires we set the cookie in the headers again using
Response.Cookies["username"].Value = cookiesvalue;
But the Silverlight application still cannot read this cookie.
Thanks in Advance
DNM
The authentication cookie (the one set with FormsAuthentication.SetAuthCookie(userName, false)) is a special cookie. It is encrypted using the machine key on the server and can only be manipulated by the server. Silverlight executes on the client side, which explains why you cannot decrypt the username stored inside this cookie.
Just imagine for a moment that you could read and modify the value of this cookie on the client side: this would mean that you could impersonate any user.
Related
I am working on a project which is based on asp.net mvc, jquery and web api.
Currently I am setting sessions which are being used to authenticate users.
When an AJAX call to the Web API is made I check whether the user is currently logged in, then respond with the data, otherwise with an error.
// Web API authorization filter that consults the server-side session
using System.Web.Http;
using System.Web.Http.Controllers;

public class SessionAuthorizeAttribute : AuthorizeAttribute
{
    protected override bool IsAuthorized(HttpActionContext actionContext)
    {
        // Reject the call unless the current session says the user is logged in
        if (SessionManager.IsUserLoggedIn == false)
        {
            return false;
        }
        return true;
    }
}
The POCO I'm materializing from the login stored procedure contains almost 10 GUID (UserGUID, DeptGUID etc.) and int properties.
Now the problem is that I need to completely remove session from the application and use cookies for the authentication process instead. I've read some solutions which propose that, by using web forms authentication, I should put all my properties in the cookie (which can be encrypted) and send this authentication cookie in the request header with every request to the server. Although I am using GUIDs, some critical flags are in integer form. Will it be wise to put that information out there in the client browser?
Also, in front-end scripts I am making some decisions based upon the values of the properties which are stored in cookies.
How do I ensure that the cookie I am receiving has not been tampered with?
What will be the most efficient and secure way to implement cookie-based authentication in my scenario (Web API, ASP.NET MVC)?
My question is different; it's rather conceptual. When a user logs in, a session is created on the server and it stores a unique id on the client (browser). What if I copy that cryptographically signed cookie and any associated data from the browser, like a token or whatever the app uses to recognize the machine, and paste it or create it on another machine?
How would the server recognize that? Could someone explain it to me as much as you can? That would be a help.
I tried finding the solution.
Or how can I secure against that? :)
As far as I know, only the user-identifying token in the Rails session cookie identifies the user. By sending that token (which happens automatically on each request), the server knows who you are. Anyone having that token will be treated by the server as if they were you. This is called session hijacking.
There are a few things you can do to protect your user's cookies. First of all, secure your cookies by setting two flags:
secure tells the browser to send that cookie only over HTTPS, so it is protected against someone reading your traffic (and your cookie).
HttpOnly tells the browser to hide that cookie from Javascript, which improves protection against XSS (Cross Site Scripting). An attacker may find a way to inject some malicious Javascript, but the browser won't give it your session cookie.
On setting these flags, see the Rails API. For custom cookies it's basically:
cookies[:my_cookie] = { value: '...', secure: true, httponly: true }
For configuring the Rails session cookie, see this answer.
Recently, I have written a middleware that sets both flags automatically to any cookie in the application. It is called safe_cookies and we're using it in order to protect our applications.
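The three threads above make the same point from different angles: an authentication cookie must be something the server can verify and the client cannot alter (the FormsAuthentication answer), a client must not be able to flip a flag stored in it (the Web API question about tampering), and it should carry the Secure and HttpOnly attributes (the Rails answer). The following is an added, self-contained Python example, not code from any of the posts, that shows the mechanism behind all three: an HMAC-SHA256 signed ticket with an expiry, a verifier that checks the tag in constant time before trusting the payload, and the Set-Cookie header a server would emit. SERVER_KEY stands in for ASP.NET's machineKey and is generated at import; the claims, cookie name and timestamps are constructed for the example.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Stand-in for the machineKey: a random secret that never leaves the server.
# Constructed for this example; a real deployment loads it from protected config.
SERVER_KEY = secrets.token_bytes(32)


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_claims(claims: dict) -> bytes:
    # Canonical JSON: the same claims always serialize to the same bytes.
    return json.dumps(claims, separators=(",", ":"), sort_keys=True).encode("utf-8")


def issue_ticket(claims: dict, *, key: bytes = SERVER_KEY, ttl: int = 1800,
                 now: Optional[int] = None) -> str:
    """Return '<payload>.<tag>' with tag = HMAC-SHA256(key, payload)."""
    now = int(time.time()) if now is None else now
    payload = _encode_claims({**claims, "exp": now + ttl})
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64e(payload)}.{_b64e(tag)}"


def verify_ticket(token: str, *, key: bytes = SERVER_KEY,
                  now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if the tag is valid and the ticket is unexpired, else None."""
    try:
        payload_b64, tag_b64 = token.split(".", 1)
        payload, tag = _b64d(payload_b64), _b64d(tag_b64)
    except ValueError:  # wrong shape or bad base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Constant-time comparison, and done BEFORE the payload is parsed or trusted.
    if not hmac.compare_digest(tag, expected):
        return None
    claims = json.loads(payload)
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:  # expired tickets are rejected like bad tags
        return None
    return claims


def set_cookie_header(name: str, value: str, domain: Optional[str] = None) -> str:
    """Secure: HTTPS only. HttpOnly: invisible to document.cookie (and to Silverlight's
    HtmlPage.Document.Cookies). SameSite=Lax: not sent on cross-site POSTs."""
    attrs = [f"{name}={value}", "Path=/", "Secure", "HttpOnly", "SameSite=Lax"]
    if domain:
        attrs.append(f"Domain={domain}")
    return "Set-Cookie: " + "; ".join(attrs)


def forge_is_admin(token: str) -> str:
    """What a client who can read the cookie would try: flip a flag, keep the old tag."""
    payload_b64, tag_b64 = token.split(".", 1)
    claims = json.loads(_b64d(payload_b64))
    claims["is_admin"] = 1
    return f"{_b64e(_encode_claims(claims))}.{tag_b64}"


if __name__ == "__main__":
    issued_at = 1_700_000_000  # fixed clock so the run is reproducible
    ticket = issue_ticket({"user": "alice", "is_admin": 0}, now=issued_at)
    print(set_cookie_header(".ASPXAUTH", ticket))
    print("genuine:", verify_ticket(ticket, now=issued_at))
    print("forged :", verify_ticket(forge_is_admin(ticket), now=issued_at))
    print("expired:", verify_ticket(ticket, now=issued_at + 1800))
```

The ticket is only signed, not encrypted, so anyone holding it can read the claims; that answers the Web API question directly: integers and GUIDs in the cookie are visible to the browser, and the HMAC only guarantees they were not changed. If the values themselves are sensitive, encrypt the payload as well (as the FormsAuthentication ticket does) or keep an opaque session id in the cookie and the data on the server.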
I create and save a browser-window GUID in sessionStorage on the client side via JavaScript, so it stays alive until the tab is closed.
Now I want to pass this information with every request from this specific browser window to the server side, so I can access it at any time without passing it in the model.
I use ASP.NET MVC, so there is no ViewState available, if I'm right.
I thought about adding and accessing a custom field in the HTTP header or something similar. I'm trying to find something to accomplish that, so I need some ideas.
Thank you
(Sorry. English is not my first language)
Once you set the cookie, it will be passed with every HTTP request to the server. In the controller you can access the cookie via
HttpCookie cookie = HttpContext.Request.Cookies.Get("cookie_name");
Where are the user parameters stored on a lower level? The filter parameters, for example. I don't think it's the cookies, so where is it? And is it secure, as in can a user modify them in some way and hack his way into the website?
By default your session files are stored in the session.save_path folder, so it's server side.
The link between this session file and the user's cookie is the session_id stored inside the session cookie.
Maybe you should read: PHP Session Security
I have 2 websites on my IIS7. I can put the same domain on both of them. I want some cookies of both applications to be shared between them, so that I can create the cookie from one of them and read it from the other one. Is that possible? Do I need any custom configuration to do that?
Note: of my websites, one is an ASP.NET Web Forms website and the other is MVC.
When you create the cookie, specify the domain:
var cookie = new HttpCookie("foo", "bar")
{
    // indicates that only server-side code can read this cookie (not client script)
    HttpOnly = true,
    // indicates that the cookie will be available throughout the entire domain
    Domain = "example.com"
};
Response.AppendCookie(cookie);
Now in the other application you will be able to access this cookie (assuming of course it is running on the same domain):
var cookie = Request.Cookies["foo"];
Cookies are sent by the client to any URL in the cookie's domain (and optional path).
They have nothing to do with the server-side application; as long as the application is in the cookie's domain name and path, it will receive all cookies.
If both applications are at the top level, there is no need for any custom configuration, but if either application is in a sub-domain, then you have to set the cookie properly so that sub-domains can access it. In that case, the following web.config modification is needed.
<httpCookies domain=".yourdomain.com" />
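The answers above describe the browser-side rule that decides which of the two IIS applications receives a cookie: it depends only on the cookie's Domain (and optional Path) attribute, not on which application set it. The following is an added Python example, not code from any of the posts, that implements the RFC 6265 domain-matching and path-matching rules and runs them over a constructed cookie jar: one host-only cookie (no Domain attribute), one set with Domain=.yourdomain.com as the web.config above would produce, and one scoped to a path. The host names, cookie names and paths are all made up for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class StoredCookie:
    name: str
    value: str
    origin_host: str                 # host of the response that set the cookie
    domain: Optional[str] = None     # Domain attribute as sent, e.g. ".yourdomain.com"; None = host-only
    path: str = "/"
    secure: bool = False


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 s5.1.3: hosts match when equal, or when the request host
    ends with '.' + cookie domain. Browsers ignore a leading dot in the attribute,
    so "example.com" and ".example.com" behave the same."""
    host = request_host.lower().rstrip(".")
    domain = cookie_domain.lower().lstrip(".").rstrip(".")
    return host == domain or host.endswith("." + domain)


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 s5.1.4: equal, or cookie path is a prefix that ends in '/',
    or the request path continues with '/' right after the prefix."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def is_sent(cookie: StoredCookie, request_host: str, request_path: str = "/",
            https: bool = True) -> bool:
    """Would the browser attach this cookie to a request for request_host/request_path?
    Assumes the cookie was accepted at set time (its Domain matched its origin host)."""
    if cookie.secure and not https:
        return False
    if cookie.domain is None:
        # Host-only cookie: exact host match, no sub-domains.
        if request_host.lower() != cookie.origin_host.lower():
            return False
    elif not domain_matches(request_host, cookie.domain):
        return False
    return path_matches(request_path, cookie.path)


def cookie_header(jar: Iterable[StoredCookie], request_host: str,
                  request_path: str = "/", https: bool = True) -> str:
    """The Cookie: header value the browser would send (order as stored)."""
    return "; ".join(f"{c.name}={c.value}" for c in jar
                     if is_sent(c, request_host, request_path, https))


# Constructed jar: all three cookies were set by the app at www.yourdomain.com.
JAR = [
    StoredCookie("hostonly", "1", origin_host="www.yourdomain.com"),
    StoredCookie("shared", "2", origin_host="www.yourdomain.com", domain=".yourdomain.com"),
    StoredCookie("mvc_only", "3", origin_host="www.yourdomain.com", path="/mvc"),
]

if __name__ == "__main__":
    for host, path in [("www.yourdomain.com", "/"), ("www.yourdomain.com", "/mvc/home"),
                       ("shop.yourdomain.com", "/"), ("yourdomain.com", "/"),
                       ("evil-yourdomain.com", "/")]:
        print(f"{host}{path:12} -> Cookie: {cookie_header(JAR, host, path)!r}")
```

Two applications on the same host name always see each other's cookies (the first two lines of output), which is the point of the accepted answer; the Domain attribute only matters once one of them lives on a sub-domain, where the host-only cookie disappears and only the Domain=.yourdomain.com cookie survives. The last case shows that "evil-yourdomain.com" is not a sub-domain: the match requires a dot boundary.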
Yes, if you append the cookie rather than only adding it,
like: Response.AppendCookie(yourCookie); // yourCookie is an HttpCookie
Remember that if it is an ASP.NET web site then you can get the cookie by
string a = Request.Cookies["Your Cookie Name"].Value;
something like that.