Important information on ASP.Net Forms Authentication:
http://visualstudiomagazine.com/articles/2010/09/14/aspnet-security-hack.aspx
The attack described there lets an attacker recover the Machine Key used to encrypt the forms authentication cookie on any site. It is apparently 100% reliable and works against any site within 30 - 50 minutes. With the key, an attacker can forge authentication cookies that grant administrator privileges.
The solution? Use one of the other encryption mechanisms, e.g. Triple DES.