Security loophole around password changes with .NET FormsAuthentication and persistent cookies?

OK, here's a scenario:

  1. Bob logs into mysite.com, which uses .NET forms authentication, and ticks 'remember me'.
  2. Eve steals Bob's laptop.
  3. Bob gets a new laptop, and changes his password.

Now at this point, Eve has a stolen laptop, which has a persistent cookie stored on it, that will log her in to mysite.com as Bob - and, as far as I can tell, this will work even after Bob has changed his password.

By default, the forms authentication cookie doesn't contain Bob's password (whether plaintext, hashed, or otherwise encrypted) - so Bob's password isn't involved in the cookie authentication process at all, and the same username that worked last week will still work today.

It's an easy enough loophole to work around - by simply setting FormsAuthentication.SetAuthCookie("username:passwordHash") or something and then decrypting and splitting the cookie in your authentication handler - but I have trouble believing this issue exists 'out of the box'... am I missing something?

EDIT: Note that I'm assuming here that the purpose of a "remember me" button is to stop you having to enter your password every time you visit a website. This works on Facebook, Twitter, Gmail, and practically every other website I can think of - and I'd be very surprised if this isn't the purpose of the 'persistent cookie' option in .NET FormsAuthentication.

Also, yes, I accept that performing two-factor authentication on every incoming request incurs a certain overhead, but in real terms it's only marginally more expensive than retrieving the user from the database based on their username, which you'd probably be doing anyway.

EDIT 2: It appears that at least one major .NET site - CodePlex.com - is vulnerable to this; see http://codeplex.codeplex.com/discussions/350646
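As an added illustration (not code from the question, from CodePlex, or from Microsoft's FormsAuthentication itself), here is the per-request check the asker sketches, with one change a practitioner would make: the ticket carries an opaque per-user "security stamp" that the user store regenerates on every password change, rather than the password hash, so no hash material ever leaves the server. The interface IUserStore, its method GetSecurityStamp, and the static MvcApplication.UserStore property are assumed names for this example; regenerating the stamp inside the password-change code path is the store's job and is not shown. Everything else is the standard System.Web.Security API.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Hypothetical user store: the stamp is an opaque random value saved with the
// user record and regenerated whenever the password changes (or the user asks
// to be signed out everywhere). It is NOT the password hash.
public interface IUserStore
{
    string GetSecurityStamp(string userName);
}

public static class StampedFormsAuth
{
    private const string StampPrefix = "stamp:";

    // Called at login instead of FormsAuthentication.SetAuthCookie: the ticket's
    // UserData carries the stamp that was current when the cookie was issued.
    public static void SetAuthCookie(HttpResponse response, string userName,
                                     bool persistent, IUserStore store)
    {
        DateTime issued = DateTime.Now;
        DateTime expires = issued.Add(FormsAuthentication.Timeout);
        var ticket = new FormsAuthenticationTicket(
            1, userName, issued, expires, persistent,
            StampPrefix + store.GetSecurityStamp(userName),
            FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,
            Secure = FormsAuthentication.RequireSSL,
            Path = FormsAuthentication.FormsCookiePath,
        };
        if (persistent) cookie.Expires = expires; // only then does it survive a browser restart
        response.Cookies.Add(cookie);
    }

    // Called on every request after the forms module has run (see Global.asax below).
    // Returns true if the ticket's stamp still matches the user's current stamp;
    // otherwise clears the cookie and the principal so the request is anonymous.
    public static bool ValidateOrSignOut(HttpContext context, IUserStore store)
    {
        HttpCookie cookie = context.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
            return false;

        FormsAuthenticationTicket ticket = null;
        try
        {
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (ArgumentException) { }  // not a ticket at all
        catch (HttpException) { }      // MAC check failed: tampered or wrong machineKey

        if (ticket == null || ticket.Expired)
        {
            Revoke(context);
            return false;
        }

        string presented = ticket.UserData.StartsWith(StampPrefix, StringComparison.Ordinal)
            ? ticket.UserData.Substring(StampPrefix.Length)
            : null;  // an older ticket without a stamp is treated as revoked
        string current = store.GetSecurityStamp(ticket.Name);

        if (presented == null || current == null || !FixedTimeEquals(presented, current))
        {
            Revoke(context);
            return false;
        }
        return true;
    }

    private static void Revoke(HttpContext context)
    {
        FormsAuthentication.SignOut();   // expires the auth cookie on this response
        context.User = new GenericPrincipal(new GenericIdentity(string.Empty), new string[0]);
    }

    // Length-independent comparison so a stamp cannot be guessed byte by byte.
    private static bool FixedTimeEquals(string a, string b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++)
            diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

// Global.asax.cs: run the check once FormsAuthenticationModule has set the principal.
public class MvcApplication : HttpApplication
{
    // Hypothetical composition root; wire up your own store or DI container here.
    public static IUserStore UserStore { get; set; }

    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        if (Request.IsAuthenticated)
            StampedFormsAuth.ValidateOrSignOut(Context, UserStore);
    }
}
```

With this in place, changing Bob's password rotates his stamp, so the ticket on the stolen laptop decrypts fine but fails the stamp comparison on its next request and is expired on the spot; the same rotation doubles as a "sign out everywhere" button. The cost is the one store lookup per authenticated request the asker anticipates, which is cheap to cache by username for a short TTL if it matters. Note that this does not help against a ticket replayed within the cache window, and that the ticket is still only as good as the machineKey protecting it.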