How to improve Asp.net Membership security?

Viewed 121 times

0

Is there any way to protect the cookie that is issued when logging into a website that uses ASP.NET Membership? I know that you only need to copy it to "clone" the login session, and that this makes it very vulnerable, mainly to man-in-the-middle attacks.

Is the only solution to use SSL?

1 answer

1


For any cookie you need to create, regardless of language/platform, we strongly recommend setting the HttpOnly flag, which helps you prevent manipulation of your cookie through JavaScript, and consequently XSS attacks, in addition to the Secure flag, which the W3C standardized as a way to avoid accepting requests with cookies over insecure channels.

In fact, if someone can somehow generate the exact content of your authentication cookie, they may well change the cookie in the browser and use it. But we have to consider that ASP.NET itself already takes good care of the encryption of its cookies via the machineKey setting, which makes this practice very unlikely.

On the other hand, the attacker would not even need to generate the content if the theft of this information is made easy. With the HttpOnly flag, you prevent malicious JavaScript from being able to read your cookies, and the Secure flag ensures that the application will only accept the content if it is travelling over SSL, which is mandatory nowadays to avoid plain-text traffic that could easily be read by man-in-the-middle attacks.

In ASP.NET, these settings can be made in Web.config through the httpCookies element:

<httpCookies httpOnlyCookies="true" requireSSL="true" />

For any cookie, you can set it programmatically:

HttpCookie myCookie = new HttpCookie("myCookie");
myCookie.HttpOnly = true;   // cookie is not exposed to JavaScript (document.cookie)
Response.AppendCookie(myCookie);

Specifically for the authentication cookie, it is possible to force the Secure flag on the forms element:

<authentication mode="Forms">
    <forms cookieless="UseCookies" requireSSL="true" />
</authentication>

  • Diego, I tried using requireSSL and I received the following error: "The app is set to issue secure cookies. These cookies require the browser to issue the SSL request (https protocol). However, the current request is not about SSL." Do you know how to implement SSL?

  • 1

    @Diegovaladares you need to obtain an SSL certificate and configure it on your web server so that it can serve the responses as https. For development environments, you can install your own certificates just to test your setup. In IIS there is a specific configuration for self-signed certificates.
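The answer above tells you which flags to set but not how to confirm that the deployed site actually emits them. The following audit script is an added example, not code from the question or answer: it parses Set-Cookie response headers and reports any cookie that is missing HttpOnly or Secure, which is exactly what the httpCookies and forms settings in the answer are supposed to guarantee. The sample headers are constructed for the example; `.ASPXAUTH` and `ASP.NET_SessionId` are the default ASP.NET Forms Authentication and session cookie names, and the cookie values are placeholders rather than real tickets. In practice you would feed it the `Set-Cookie` headers captured from a login response to the site under test.

```python
# Audit Set-Cookie headers for the HttpOnly and Secure flags.
# Added example; constructed input, not output from any real site.

# Constructed sample Set-Cookie headers, as a browser would receive them from an
# ASP.NET Forms Authentication site. ".ASPXAUTH" is the default Forms auth cookie
# name; the values are placeholders, not real tickets.
SAMPLE_HEADERS = [
    "Set-Cookie: .ASPXAUTH=PLACEHOLDER_TICKET; path=/",
    "Set-Cookie: ASP.NET_SessionId=PLACEHOLDER_SESSION; path=/; HttpOnly",
    "Set-Cookie: .ASPXAUTH=PLACEHOLDER_TICKET; path=/; secure; HttpOnly",
]


def parse_set_cookie(header):
    """Split one Set-Cookie header into (cookie name, key=value attributes, boolean flags).

    Flags are returned lowercased so that 'Secure', 'secure' and 'SECURE' compare equal,
    matching how browsers treat cookie attribute names (case-insensitively).
    """
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs, flags = {}, set()
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        else:
            flags.add(part.lower())
    return name, attrs, flags


def audit_cookie(header):
    """Return a list of findings for one Set-Cookie header; empty means both flags present."""
    name, _attrs, flags = parse_set_cookie(header)
    findings = []
    if "httponly" not in flags:
        findings.append(f"{name}: missing HttpOnly (readable by JavaScript, XSS can steal it)")
    if "secure" not in flags:
        findings.append(f"{name}: missing Secure (browser will also send it over plain HTTP)")
    return findings


def audit_headers(headers):
    """Audit a list of Set-Cookie headers; returns {cookie name: [findings]}."""
    report = {}
    for header in headers:
        name = parse_set_cookie(header)[0]
        # Keep the worst result per cookie name if the header appears more than once.
        report[name] = report.get(name, []) + audit_cookie(header)
    return report


if __name__ == "__main__":
    for cookie, findings in audit_headers(SAMPLE_HEADERS).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{cookie}: {status}")
```

If the first sample header is what your site returns, the fix is the `<httpCookies httpOnlyCookies="true" requireSSL="true" />` setting from the answer (and `requireSSL="true"` on the forms element), after which the cookie should look like the third sample.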
