Friday, February 25, 2005

Forms Authentication Fun (?)

Alex Lowe : When Forms Authentication attacks...

"Forms authentication is a good thing. I mean, it definitely lowers the bar for developers in terms of the amount of work required to set up simple authentication functionality in their ASP.NET applications. By default, forms authentication is set up to both encrypt and perform data validation (ensure the cookie came from the server and that it hasn't been tampered with) on the cookie that is issued at login. This cookie doesn't store a great deal of information, but it does have the username, and most role-based systems key on the username. If, for example, you set the Protection attribute of the Forms element in the web.config to 'None', then you are opening your system up to simple cookie replay attacks. This kind of attack can be particularly easy if someone is using an application where they can run a local instance that is virtually identical to the system they wish to hack (like open source applications, for example). In this case, how does this kind of attack work: ...

[Greg: See original post for details]

... The lesson here is that you should all make sure that your Protection attribute is set to 'All' which is the most secure of the options. Thankfully, 'All' is the default for all ASP.NET applications."
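The quoted post's advice is a configuration check, so here is an added audit script (not from the original post or from ASP.NET) that parses a web.config and flags any `<forms>` element whose `protection` attribute is weaker than `All`, treating an absent attribute as the ASP.NET default of `All`; the two sample configs are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

# Values the <forms protection="..."> attribute accepts other than "All";
# only "All" both encrypts and signs the ticket so a forged cookie is rejected.
WEAK_PROTECTION = {
    "none": "cookie is plaintext and unsigned: trivially forged or replayed",
    "encryption": "cookie is encrypted but not validated (no tamper check)",
    "validation": "cookie is signed but not encrypted (contents readable)",
}

def audit_forms_protection(web_config_xml: str) -> list[str]:
    """Return one finding per <forms> element under a Forms-mode
    <authentication> whose protection setting is weaker than 'All'.
    An absent protection attribute means the default, 'All', so no finding."""
    findings = []
    root = ET.fromstring(web_config_xml)
    # <authentication> can sit under the top-level <system.web> or inside a
    # <location> override, so walk the whole tree rather than one fixed path.
    for auth in root.iter("authentication"):
        if auth.get("mode", "").lower() != "forms":
            continue
        for forms in auth.findall("forms"):
            protection = forms.get("protection", "All")
            reason = WEAK_PROTECTION.get(protection.lower())
            if reason:
                findings.append(f'<forms protection="{protection}">: {reason}')
    return findings

# Constructed samples: the weak setting beside the corrected one.
WEAK_CONFIG = """<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms name=".ASPXAUTH" loginUrl="login.aspx" protection="None" />
    </authentication>
  </system.web>
</configuration>"""

SAFE_CONFIG = """<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms name=".ASPXAUTH" loginUrl="login.aspx" protection="All" />
    </authentication>
  </system.web>
</configuration>"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("safe", SAFE_CONFIG)):
        print(label, audit_forms_protection(cfg) or ["ok"])
```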
Interesting...

Kind of like hacking SourceSafe integrated security. Ever lost your SS "admin" user password? Then you know what I'm talking about...
