Can some hacker steal a web browser cookie from a user and login with that name on a web site?

by

Is it possible to steal a cookie and
authenticate as an administrator?

Yes it is possible, if the Forms Auth cookie is not encrypted, someone could hack their cookie to give them elevated privileges or if SSL is not require, copy someone another person’s cookie. However, there are steps you can take to mitigate these risks:

On the system.web/authentication/forms element:

  1. requireSSL=true. This requires that the cookie only be transmitted over SSL
  2. slidingExpiration=false. When true, an expired ticket can be reactivated.
  3. cookieless=false. Do not use cookieless sessions in an environment where are you trying to enforce security.
  4. enableCrossAppRedirects=false. When false, processing of cookies across apps is not allowed.
  5. protection=all. Encrypts and hashes the Forms Auth cookie using the machine key specified in the machine.config or web.config. This feature would stop someone from hacking their own cookie as this setting tells the system to generate a signature of the cookie and on each authentication request, compare the signature with the passed cookie.

If you so wanted, you could add a small bit of protection by putting some sort of authentication information in Session such as a hash of the user’s username (Never the username in plain text nor their password). This would require the attacker to steal both the Session cookie and the Forms Auth cookie.

More Related Contents:

  1. Can I change the FormsAuthentication cookie name?
  2. Web authentication state – Session vs Cookie?
  3. FormsAuthentication.SignOut() does not log the user out
  4. What are all the user accounts for IIS/ASP.NET and how do they differ?
  5. Asp.Net Forms Authentication when using iPhone UIWebView
  6. Chrome localhost cookie not being set
  7. Mixing Forms authentication with Windows authentication
  8. X-Frame-Options Allow-From multiple domains
  9. Asp.net Identity password hashing
  10. Passing FormsAuthentication cookie to a WCF service
  11. Store/assign roles of authenticated users
  12. Preventing CSRF with the same-site cookie attribute
  13. How to remove returnurl from url?
  14. Forms Authentication Ignoring Default Document
  15. Session Fixation in ASP.NET
  16. Redirect to a page with endResponse to true VS CompleteRequest and security thread
  17. How to Customize ASP.NET Web API AuthorizeAttribute for Unusual Requirements
  18. Sharing cookies across different domains and different applications (classic ASP and ASP.NET)
  19. Allow access for unathenticated users to specific page using ASP.Net Forms Authentication
  20. Cannot use a leading ../ to exit above the top directory
  21. Cookies and subdomains
  22. How to limit page access only to localhost?
  23. set cookie to expire at end of session? asp.net
  24. Why do ASP.NET JSON web services return the result in ‘d’?
  25. Forms authentication: disable redirect to the login page
  26. Cache VS Session VS cookies?
  27. Too many cookies OpenIdConnect.nonce cause error page “Bad Request – Request Too Long”
  28. ASP.NET Session Cookies – specifying the base domain
  29. How is HttpOnly get set for ASP.NET_SessionId cookie?
  30. Different users get the same cookie – value in .ASPXANONYMOUS

Leave a Comment