Important information on ASP.Net Forms Authentication:
http://visualstudiomagazine.com/articles/2010/09/14/aspnet-security-hack.aspx

This basically allows a user to determine the Machine Key used to encrypt the cookie on any site. This is apparently 100% reliable and can be used for any site within 30 - 50 minutes. This would allow a user to create spoofed authentication cookies to assign administrator privileges.

The solution? Use one of the other Encryption mechanisms eg. Triple DES.



0 comments


Twitter Delicious Facebook Digg Stumbleupon Favorites More

    Subscribe