How do I protect authorization cookie when using role caching in ASP.NET 2.0?

From Guidance Share


J.D. Meier, Prashant Bansode, Alex Mackman

Answer

To protect the authorization cookie you need to encrypt and integrity check it, use SSL to protect the cookie over the wire, and avoid persisting the cookie on the client. When using role caching, securing the roles cookie is of prime importance: it stops users from modifying the list of roles to which they belong, and stops intruders from learning which roles your application uses.

  • Ensure the cookie is encrypted and integrity checked by setting the cookieProtection attribute to All.
  • Ensure that the authorization cookie is only transmitted over HTTPS connections by setting cookieRequireSSL to true.
  • Ensure that the roles cookie is not persisted on the client computer by setting createPersistentCookie to false.
  • If you cannot use SSL, consider reducing the cookie lifetime by reducing the cookieTimeout value to minimize the time window within which an attacker can use a captured roles cookie to access your site with privileged rights.
  • If you are in a scenario where you are concerned about cookie hijacking, consider reducing the timeout and setting cookieSlidingExpiration="false", so that a captured cookie cannot be kept alive indefinitely by repeated use.

Here is a sample secured configuration:

<roleManager enabled="true"
            cacheRolesInCookie="true"
            cookieName=".ASPROLES"
            cookieTimeout="30"
            cookiePath="/"
            cookieRequireSSL="true"
            cookieSlidingExpiration="true"
            cookieProtection="All" 
            createPersistentCookie="false">
</roleManager>
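The checklist above, as an added audit script that is not part of the original page or the Guidance Share authors' material: it parses a web.config string, reads the `<roleManager>` element, and reports every setting that departs from the recommendations (cookieProtection="All", cookieRequireSSL="true", createPersistentCookie="false", and, when SSL is not required or a strict hijacking-sensitive policy is requested, a short cookieTimeout with sliding expiration disabled). The defaults applied when an attribute is absent are assumed from the ASP.NET 2.0 roleManager documentation, not taken from this page, and the weak configuration is constructed for the example.

```python
import xml.etree.ElementTree as ET

# Assumed ASP.NET 2.0 defaults for absent roleManager attributes
# (from the roleManager element reference, not from this page).
DEFAULTS = {
    "cacheRolesInCookie": "false",
    "cookieProtection": "All",
    "cookieRequireSSL": "false",
    "createPersistentCookie": "false",
    "cookieSlidingExpiration": "true",
    "cookieTimeout": "30",
}


def role_manager_settings(web_config_xml):
    """Return the effective roleManager attributes (explicit values over defaults)."""
    root = ET.fromstring(web_config_xml)
    node = root.find(".//roleManager")
    settings = dict(DEFAULTS)
    if node is not None:
        settings.update(node.attrib)
    return settings


def audit_roles_cookie(web_config_xml, max_timeout_minutes=30, strict=False):
    """Apply the page's checklist to the roles cookie and return a list of findings.

    strict=True applies the hijacking-sensitive bullet (short timeout, no sliding
    expiration) even when the cookie is restricted to HTTPS.
    """
    s = role_manager_settings(web_config_xml)
    findings = []
    if s["cacheRolesInCookie"].lower() != "true":
        return findings  # no roles cookie is issued, so there is nothing to protect

    if s["cookieProtection"] != "All":
        findings.append(
            f"cookieProtection is {s['cookieProtection']!r}; set it to All so the "
            "roles cookie is encrypted and integrity checked")

    require_ssl = s["cookieRequireSSL"].lower() == "true"
    if not require_ssl:
        findings.append(
            "cookieRequireSSL is not true; the roles cookie may be sent over plain HTTP")

    if s["createPersistentCookie"].lower() != "false":
        findings.append(
            "createPersistentCookie is true; the roles cookie would persist on the client")

    # Lifetime checks: mandatory without SSL (captured cookie window), optional otherwise.
    if not require_ssl or strict:
        if int(s["cookieTimeout"]) > max_timeout_minutes:
            findings.append(
                f"cookieTimeout is {s['cookieTimeout']} minutes; reduce it to at most "
                f"{max_timeout_minutes} to shrink the window for a captured cookie")
        if s["cookieSlidingExpiration"].lower() != "false":
            findings.append(
                "cookieSlidingExpiration is true; set it to false so a captured cookie "
                "cannot be kept alive by repeated use")
    return findings


# Constructed weak configuration: cleartext cookie, no SSL requirement, long-lived,
# persistent. cookieRequireSSL and cookieSlidingExpiration fall back to the defaults.
WEAK_CONFIG = """<configuration><system.web>
  <roleManager enabled="true" cacheRolesInCookie="true" cookieProtection="None"
               cookieTimeout="480" createPersistentCookie="true" />
</system.web></configuration>"""

# The page's sample secured configuration, wrapped in the enclosing elements.
HARDENED_CONFIG = """<configuration><system.web>
  <roleManager enabled="true" cacheRolesInCookie="true" cookieName=".ASPROLES"
               cookieTimeout="30" cookiePath="/" cookieRequireSSL="true"
               cookieSlidingExpiration="true" cookieProtection="All"
               createPersistentCookie="false" />
</system.web></configuration>"""


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}:")
        for finding in audit_roles_cookie(cfg) or ["no findings"]:
            print("  -", finding)
```

Run against the page's sample the audit is clean; with strict=True it reports only the sliding expiration, which is the one setting the last bullet asks you to reconsider when cookie hijacking is a concern.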

More Information

For more information on roles cookie protection, see “How To: Use Role Manager in ASP.NET 2.0” at http://msdn.microsoft.com/library/en-us/dnpag2/html/PAGHT000013.asp
