How to manually decrypt an ASP.NET Core Authentication cookie?

by

Decrypting the Authentication Cookie without needing the keys

It’s worth noting that you don’t need to gain access to the keys to decrypt the authentication cookie. You simply need to use the right IDataProtector created with the right purpose parameter, and subpurpose parameters.

Based on the CookieAuthenticationMiddleware source code https://github.com/aspnet/Security/blob/rel/1.1.1/src/Microsoft.AspNetCore.Authentication.Cookies/CookieAuthenticationMiddleware.cs#L4 it looks like the purpose you need to pass is typeof(CookieAuthenticationMiddleware). And since they are passing additional parameters to the IDataProtector you will need to match them. So this line of code should get you an IDataProtector that can be used to decrypt the authentication cookie:

var dataProtector = provider.CreateProtector(typeof(CookieAuthenticationMiddleware).FullName, Options.AuthenticationScheme, "v2");

Note thatOptions.AuthenticationScheme is just “MyCookie” in this case since that’s what it was set to in the Configure method of the startup.cs file.

Here is an example action method for decrypting your authentication cookie two different ways:

public IActionResult DecryptCookie() {

    //Get the encrypted cookie value
    string cookieValue = HttpContext.Request.Cookies["MyCookie"];

    //Get a data protector to use with either approach
    var dataProtector = provider.CreateProtector(typeof(CookieAuthenticationMiddleware).FullName, "MyCookie", "v2");


    //Get the decrypted cookie as plain text
    UTF8Encoding specialUtf8Encoding = new UTF8Encoding(encoderShouldEmitUTF8Identifier: false, throwOnInvalidBytes: true);
    byte[] protectedBytes = Base64UrlTextEncoder.Decode(cookieValue);
    byte[] plainBytes = dataProtector.Unprotect(protectedBytes);
    string plainText = specialUtf8Encoding.GetString(plainBytes);


    //Get the decrypted cookie as a Authentication Ticket
    TicketDataFormat ticketDataFormat = new TicketDataFormat(dataProtector);
    AuthenticationTicket ticket = ticketDataFormat.Unprotect(cookieValue);

    return View();
}

This method uses an IDataProtectionProvider called provider that is constructor injected.

Decrypting the Authentication Cookie when persisting keys to a directory

If you want to share cookies between applications then you might decide to persist the data protection keys to a directory. This can be done by adding the following to the ConfigureServices method of the startup.cs file:

services.AddDataProtection().PersistKeysToFileSystem(
        new DirectoryInfo(@"C:\temp-keys\"));

BE CAREFUL though because the keys are not encrypted so it’s up to you to protect them!!! Only persist the keys to a directory if you absolutely must, (or if you are just trying to understand how the system works). You will also need to specify a cookie DataProtectionProvider that uses those keys. This can be done with the help of the UseCookieAuthentication configuration in the Configure method of the startup.cs class like so:

app.UseCookieAuthentication(new CookieAuthenticationOptions() {
        DataProtectionProvider = DataProtectionProvider.Create(new DirectoryInfo(@"C:\temp-keys\")),
        AuthenticationScheme = "MyCookie",
        CookieName = "MyCookie",
        LoginPath = new PathString("/Home/Login"),
        AccessDeniedPath = new PathString("/Home/AccessDenied"),
        AutomaticAuthenticate = true,
        AutomaticChallenge = true
    });

With that configuration done. You can now decrypt the authentication cookie with the following code:

 public IActionResult DecryptCookie() {
        ViewData["Message"] = "This is the decrypt page";
        var user = HttpContext.User;        //User will be set to the ClaimsPrincipal

        //Get the encrypted cookie value
        string cookieValue = HttpContext.Request.Cookies["MyCookie"];


        var provider = DataProtectionProvider.Create(new DirectoryInfo(@"C:\temp-keys\"));

        //Get a data protector to use with either approach
        var dataProtector = provider.CreateProtector(typeof(CookieAuthenticationMiddleware).FullName, "MyCookie", "v2");


        //Get the decrypted cookie as plain text
        UTF8Encoding specialUtf8Encoding = new UTF8Encoding(encoderShouldEmitUTF8Identifier: false, throwOnInvalidBytes: true);
        byte[] protectedBytes = Base64UrlTextEncoder.Decode(cookieValue);
        byte[] plainBytes = dataProtector.Unprotect(protectedBytes);
        string plainText = specialUtf8Encoding.GetString(plainBytes);


        //Get teh decrypted cookies as a Authentication Ticket
        TicketDataFormat ticketDataFormat = new TicketDataFormat(dataProtector);
        AuthenticationTicket ticket = ticketDataFormat.Unprotect(cookieValue);

        return View();
    }

You can learn more about this latter scenario here: https://learn.microsoft.com/en-us/aspnet/core/security/data-protection/compatibility/cookie-sharing

More Related Contents:

  1. Where to store JWT in browser? How to protect against CSRF?
  2. What is the best way to implement “remember me” for a website? [closed]
  3. Are HTTP cookies port specific?
  4. JWT (JSON Web Token) automatic prolongation of expiration
  5. What is token-based authentication?
  6. Authentication versus Authorization
  7. What is the best way to prevent session hijacking?
  8. Non-random salt for password hashes
  9. JWT refresh token flow
  10. SPA best practices for authentication and session management
  11. How do I store and retrieve credentials from the Windows Vault credential manager?
  12. Symfony2 extending DefaultAuthenticationSuccessHandler
  13. MVC 6 Bind Attribute disappears?
  14. Best way for a ‘forgot password’ implementation? [closed]
  15. Custom Authentication in ASP.Net-Core
  16. ASP.NET Core 2.0 disable automatic challenge
  17. What is the best Distributed Brute Force countermeasure? [closed]
  18. Should I hash the password before sending it to the server side?
  19. Should JWT be stored in localStorage or cookie? [duplicate]
  20. How to do stateless (session-less) & cookie-less authentication?
  21. Using Symfony2’s AccessDeniedHandlerInterface
  22. Secure Google Cloud Functions http trigger with auth
  23. Simple token based authentication/authorization in asp.net core for Mongodb datastore
  24. Google Authenticator available as a public service?
  25. Best practices for server-side handling of JWT tokens [closed]
  26. What are best practices for securing the admin section of a website? [closed]
  27. Securing an API: SSL & HTTP Basic Authentication vs Signature
  28. Web authentication state – Session vs Cookie?
  29. Remember me Cookie best practice?
  30. Setting cookie in iframe – different Domain

Leave a Comment