Using ASP.NET 2.0, with forms authentication.
Just for a test, I configured the roles cookie in web.config like this :
<roleManager enabled="true" cacheRolesInCookie="true" cookieName=".ASPXROLES" cookieTimeout="2"></roleManager>
I wanted to see what would happen when the cached role cookie expired.
Using Fiddler, after 2 minutes had elapsed, I could see that the raw value of the role cookie had changed.
I was expecting that on expiry, that ASP.NET would simply re-read the roles information from the database, and repopulate the cookie with the same value. So my question is, why would the raw value of the cookie change after expiry ? The cookie value is not human-readable (base 64 encoded and/or encrypted ?), so I can't tell if the information in it is the same, although the application still seems to work fine.
EDIT :
It looks like each time the roles are encrypted and cached in the cookie, it gets a different raw value.
e.g. if you run the following code :
RolePrincipal rp = (RolePrincipal) User;
string str = rp.ToEncryptedTicket();
Label1.Text = str;
You get a different value each time.
So the behavior seems normal.
Well the aspxroles cookie only pertains to role queries on the user. Unless you're doing things with the roles that would cause it to function differently (web.config auth?) then you're not going to see anything by expiring the cookie.
Can you share your web.config and basic pages that you're using to test this?
Have you tried that particular configuration to see what changes after the expiration?
<location path="img/logo.png">
<system.web>
<authorization>
<deny users="?"/>
<allow roles="CanSeeLogo"/>
</authorization>
</system.web>
</location>
Based on the question edit:
In my web.config under <configuration><system.web> I have this key:
<machineKey decryption="AES" decryptionKey="{64bits random hex}" validation="SHA1" validationKey="{128 bits random hex}"/>
I'm curious if you set that "manually" if you'll have a constantly changing encrypted string. Also, this is set by default in your C:\Windows\Microsoft.Net\Framework\etc folders, but you can redefine it (obviously) in your web.config to override it per application. This also allows you to share the same cookie cross-app within your domain.
Link to generate random hex strings
https://www.grc.com/passwords.htm
concat the first result from two page refreshes for the second one. Removing the web.config key later doesn't impact your app negatively (of course it wouldn't)
Related
I downloaded one sample of asp.net.
And when I ran, I see that the link like that:
http://localhost/(S(1uld2ekua0uuilxlw15zguus))/login.aspx
Can you tell me where we have the string "(S(1uld2ekua0uuilxlw15zguus))"? I checked in the web.config, global.cs but I still don't know where we configure it.
I'm very appriciated for your help.
Thanks.
The string is session id.
What is session id?
Session Id is a unique ID generated by asp.net, to identify the current session.
You are seeing it in a link, because
in web.config file, you'll have this.
<system.web>
<sessionState cookieless="true"></sessionState>
<system.web>
If you don't need that in the url, you can just set cookieless=false
So, it becomes:
<system.web>
<sessionState cookieless="false"></sessionState>
<system.web>
Now, the session id will be stored in a cookie.
During security review of our asp.net web application we got reported that some input fields doesn't restrict length of user input on server side. There is said in execution report that this vulnerability can be used to consume large amount of resources in the server or database which can cause Denial of Service attacks.
I would like to ask what options are here to fix this. Of course we can implement the validation on web server side for every field and e.g. throw some exception and reject if input is longer then some predefined value. But I am curious if there is some more other ways how to do it. Maybe some configuration in web.config or on IIS server level, some global handler etc.
Check out maxRequestLength setting in web.config.
Specifies the limit for the input stream buffering threshold, in KB. This limit can be used to prevent denial of service attacks that are caused, for example, by users posting large files to the server.
The default is 4096 (4 MB).
<configuration>
<system.web>
<httpRuntime maxRequestLength="1024" />
</system.web>
</configuration>
This would be a better solution than restricting each individual field as it is protecting your application as a whole as it sounds like they haven't found any specific inputs that are vulnerable.
If you want this to only apply to certain sections of your application you could add an override using the <location> element:
<location path="Attachments/Upload">
<system.web>
<httpRuntime maxRequestLength="20480" />
</system.web>
</location>
I use Form Based Authentication in my site
In my login page I have:
FormsAuthentication.SetAuthCookie(user.userName, true)
When I want to check if the user is authenticated I do:
HttpContext.Current.User.Identity.IsAuthenticated
I'm not using Asp.net Membership, instead i use my on SQL-DB verification
do i have to use Asp.net Membership ?
This is working for me most of the times
The problem is that sometimes after 5 hours or something after 30 hours
The Application pool gets restarted for some reason (I’m on a shared server)
And after that the “User.Identity.IsAuthenticated” returns with false, every time until the user logs in again.
This is strange to me because I can see that the client still have the persistent authCookie so why the user is not authenticated ?
My Web.Config reference:
<authentication mode="Forms">
<forms
name="AuthCookie"
loginUrl="~/mySite/ManageLogin.aspx"
timeout="5256000"/>
</authentication>
Any help will be appreciated.
My site www.mentallica.co.il
This may be due to the automatic generation of the machinekey at the application start. You can prevent that by specifying a machinekey for your app in your web.config:
<machineKey
validationKey="410E4E2B06BE457709F2D8C72BB02957A3B4E8BA327F3A6103696857AD3A88598D454489B9D4CAAFC2D5E35E8795B311EE2E94DAA485FD64D7184272A4AE4D8B"
decryptionKey="EFAFA0917D0D8F137F05B26AE053397C48D34DE688E73483D15C8EDAF0D6FD4F"
validation="SHA1"
decryption="AES" />
You shouldn't use this one - you may create your own easily at http://aspnetresources.com/tools/machineKey .
More information about machinekeys: http://msdn.microsoft.com/en-us/library/ff649308.aspx
My site allows anonymous users.
I saw that under heavy load anonymous users get sometimes profile values from other users.
I first delete my cookies and get a valid unique value in the cookie value .ASPXANONYMOUS. After a couple of requests I get a new value for .ASPXANONYMOUS which is already used by another user. I see in my loggs that there are always a couple of users who share the same value in .ASPXANONYMOUS.
I can see in the my logs that 2 or more users realy get the same cookievalue for .ASPXANONYMOUS even if they have different IP.
Here is the htttp traffic. In the second image the changing cookie is shown (You have to display the image full size do be able to read the log):
One of the many requests that work ok:
alt text http://img413.imageshack.us/img413/2711/log1.gif
Then there is this one request that changes the cookie
alt text http://img704.imageshack.us/img704/8175/log2.gif
Then the new cookie is used
alt text http://img704.imageshack.us/img704/3818/log3.gif
Just to be safe I removed dependency injection.
I dont use OutputCaching.
My web.config has this setting for authentication:
<anonymousIdentification enabled="true" cookieless="UseCookies" cookieName=".ASPXANONYMOUS"
cookieTimeout="30" cookiePath="/" cookieRequireSSL="false" cookieSlidingExpiration="true" />
<authentication mode="Forms">
<forms loginUrl="~/de/Account/Login" />
</authentication>
Does anybody have an idea what else I could log or what I should have a look at?
UPDATE
I saw now that the http-traffic I showed is perfectly valid. A changing value in .ASPXANONYMOUS is something that happens because the cookie gets refreshed. The value contains AnonymousID and a Timestamp.
This does not lead to users having the same value in .ASPXANONYMOUS under normal conditions.
The problem realy is, that whenever the cokies get set from the AnonymousIdentificationModule, then there is a chance that a couple of user get this cookie. Setting a cookie in my application doesnt have this strange sideefect.
I had the same problem and solution was to turn off output caching for the responses where you call SetCookie. Below are several links describing this
Don’t let your cookie being cached by accident!
ASP.NET Session Mix-up using StateServer (SCARY!)
Integrated Pipeline and the kernel-mode cache
Are you declaring any static variables in your code at all? I had this similar issue, and narrowed it down to that; at least for my situation.
If I put something like this in my ASP.NET web application's web.config:
<authorization>
<allow roles="MyUsers" />
<deny users="*" />
</authorization>
and then have an ActiveDirectory group SpecialGroup that is inside MyUsers, will a member of SpecialGroup be allowed to access my application?
Yes, it will. When you log on, a security token is constructed containing details of all¹ of the groups you're a member of, and that includes all nested groups. That token is what's used to determine access. This is why you have to log off and on when you're added to a group.
But just to be sure, I tested it on on of my sites and it worked as described.
¹ actually, it's possible to be in so many groups that they won't all fit in the token (which has a limited size) in which case, your token contains the first 'n' groups (which depends on the order returned by the domain controller, so you can see some odd behaviour).