How to Expire an Authentication Ticket Manually

Ali
Our security people have been able to copy and use the FormsAuthentication
cookie. Our authentication cookie is based on an encrypted ticket and we use
FormsAuthentication.SignOut() when users log out or kill their session, but
apparently the secure ticket does not get removed from the server by
FormsAuthentication.SignOut().

We have been able to time-out the ticket on the server, but we need to be
able to remove the ticket at any time.

This is our logout procedure:

FormsAuthentication.SignOut()
Session.Abandon()
Response.Redirect("Autheticate.aspx")

Thanks
Nov 18 '05 #1
Maybe this helps:
RedirectFromLoginPage([some username], booleanvalue)

When the booleanvalue is set to true, a persistent cookie will be created on
the client.

I guess you should set it to false.

Nov 18 '05 #2
Ali
The problem is not related to redirection. These guys are copying the
authentication cookie and sending it later on with a different request to the
web site, and they can get in. I want to be able to remove the
authentication ticket from the server where it is cached.

Thanks.

Nov 18 '05 #3
How about if you appended the session id and did a compare of the session id from
the ticket and the current session id?
(Wouldn't work if the same browser window was used... i.e. if I remember
correctly ASP.NET recycles the session id and continues to use it for the
current instance.)

Or even if you manually opened the cookie and overwrote the ticket with
some junk?

--
Regards,
HD
Once a Geek.... Always a Geek
Nov 18 '05 #4
Ali
Good idea about binding the session id to the authentication cookie, but the
problem is that the session id can also be hijacked along with the authentication
cookie.

Ali
Nov 18 '05 #5
The cookie is the ticket. If you tell the client to delete it and they don't
(or have a copy somewhere else) there's nothing you can do. You can only set
the ticket to be valid during a specific time period but you will never be
able to prevent this type of attack. You can make it harder by using SSL for
your requests but it still will not stop someone from copying the cookie if
they have access to the original browser (which you said they did).

Why did you post this in a csharp group? Apparently you're using VB.
Why did you post this in webservices group?
Why did you post this in a mobile group?
Why did you post this in a caching group?
Do you actually think that posting in more groups will result in more
answers?

Jerry

Nov 18 '05 #6
How about creating a random value and encrypting it... store the value in the
cookie and in the database (in a table like user logs).
With the request coming in, check the value in session to see if the value is
present... and is equal...
On log out you can set the session variable to null and you can set the
database value to expired = 1 (if you have a column as bit).

--
Regards,
HD
Once a Geek.... Always a Geek
Nov 18 '05 #7
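The approach HD sketches in #7 (a per-login random value kept both in the ticket and on the server, revoked on logout), combined with Jerry's point in #6 that the ticket's own expiry still bounds the window, as an added C# example that is not part of the thread. It assumes ASP.NET Web Forms on .NET Framework 4.x (System.Web); the class and method names (RevocableFormsAuth, SignIn, ValidateRequest, SignOut) are mine, and the in-memory ActiveLogins dictionary stands in for the database table HD describes. It goes one step beyond HD's sketch by storing the token in the ticket's UserData rather than in Session, so the check does not depend on session state surviving.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Added example, not code from the thread. Assumes ASP.NET Web Forms on
// .NET Framework 4.x; the names RevocableFormsAuth and ActiveLogins are mine.
public static class RevocableFormsAuth
{
    // login token -> ticket expiry. In-memory stand-in for the "user logs"
    // table HD describes; per-process, so a web farm needs a shared store.
    private static readonly ConcurrentDictionary<string, DateTime> ActiveLogins =
        new ConcurrentDictionary<string, DateTime>();

    // Call once credentials have been verified. The random token travels in the
    // ticket's UserData (inside the encrypted, MAC-protected cookie) and is also
    // recorded here, so the server can later refuse a ticket it no longer trusts.
    public static void SignIn(HttpResponse response, string userName, int validMinutes)
    {
        byte[] random = new byte[32];
        using (var rng = new RNGCryptoServiceProvider())
        {
            rng.GetBytes(random);
        }
        string token = Convert.ToBase64String(random);
        DateTime expires = DateTime.Now.AddMinutes(validMinutes);

        var ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, expires, false /* not persistent */, token);
        ActiveLogins[token] = expires;

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;                         // not readable from script
        cookie.Secure = FormsAuthentication.RequireSSL; // follows <forms requireSSL>
        // No Expires set: a session cookie, discarded when the browser closes.
        response.Cookies.Add(cookie);
    }

    // Wire this to Application_PostAuthenticateRequest in Global.asax. By then
    // FormsAuthenticationModule has already decrypted the cookie and populated
    // context.User; this adds the server-side check the ticket alone lacks.
    // Returns true when the request is allowed to keep its identity.
    public static bool ValidateRequest(HttpContext context)
    {
        var identity = context.User == null ? null : context.User.Identity as FormsIdentity;
        if (identity == null)
        {
            return true; // anonymous request: nothing to revoke
        }

        string token = identity.Ticket.UserData;
        DateTime storedExpiry;
        bool active = !string.IsNullOrEmpty(token)
                      && ActiveLogins.TryGetValue(token, out storedExpiry)
                      && storedExpiry > DateTime.Now;
        if (active)
        {
            return true;
        }

        // Token revoked or unknown: treat the request as anonymous and clear the
        // cookie. A copied ticket is rejected even though it decrypts fine and
        // its own expiry has not passed.
        FormsAuthentication.SignOut();
        context.User = new GenericPrincipal(new GenericIdentity(string.Empty), new string[0]);
        return false;
    }

    // Logout. Revoking the token server-side is the step the original
    // SignOut / Session.Abandon / Redirect sequence was missing.
    public static void SignOut(HttpContext context)
    {
        var identity = context.User == null ? null : context.User.Identity as FormsIdentity;
        if (identity != null)
        {
            DateTime ignored;
            ActiveLogins.TryRemove(identity.Ticket.UserData, out ignored);
        }
        FormsAuthentication.SignOut();
        if (context.Session != null)
        {
            context.Session.Abandon();
        }
    }
}
```

Call SignIn from the login page after the credential check instead of RedirectFromLoginPage, call SignOut from the logout handler before the redirect, and in Global.asax add `protected void Application_PostAuthenticateRequest(object sender, EventArgs e) { RevocableFormsAuth.ValidateRequest(Context); }`. Once the token is removed, a copied cookie fails ValidateRequest on its next request even though FormsAuthentication.Decrypt still accepts it; that is the revocation FormsAuthentication.SignOut() alone cannot give, because SignOut only expires the cookie in the response sent to one client. The ticket expiry still matters: it caps how long a copied cookie can be replayed if the logout never happens, and the store honours it as well.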
Ali
Thanks for your expert advice Jerry, but the question is still posed: why
does FormsAuthentication.SignOut() NOT work?

As far as your questions are concerned, I am language-agnostic; I go
between C#, Java and VB without any difficulty. Maybe this is due to my
human language capabilities too. Not to brag, but I also read, write and
speak three (3) languages fluently.
As for cross-posting, the answer is YES. I initially posted this question
on the security newsgroup, but did not get an answer, and I have not checked
yet, but as of yesterday I still did not get a response from
aspnet.security. I know the providers of news.microsoft.com hate it when
people like me cross-post, but cross-posting actually works and it helps me
get quicker help.

Nov 18 '05 #8