
Tuesday, September 6, 2005

Foundstone has released a white paper, based on a bug they discovered, that “…describes the limitations of the FormsAuthentication.SignOut method and provides more information about how to ease cookie replay attacks when a forms authentication cookie may have been obtained by a malicious user.  The paper introduces methods that web developers can employ to reduce cookie replay attacks in ASP.NET applications.  Some of these methods include:

  • Use SSL by configuring the Web application in Microsoft Internet Information Services.  This ensures the forms authentication feature will never issue a cookie over a non-SSL connection.
  • Enforce TTL and use absolute expiration instead of sliding expiration.
  • Use HttpOnly cookies to ensure that cookies cannot be accessed through client script, reducing the chances of replay attacks.
  • Use the membership class in ASP.NET 2.0 only in order to protect forms authentication cookies from being used maliciously by storing user information in the MembershipUser object.” 

Check it out here [PDF]

According to them, in response to this bug, Microsoft now has a KB article that details the limitations of the FormsAuthentication.SignOut method.
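The limitation the paper is about is that SignOut only removes the cookie from the browser; the ticket inside a copied cookie stays valid until it expires. Below is an added example (not code from the Foundstone paper or from Microsoft) of a server-side check that closes that gap in ASP.NET 2.0: a Global.asax code-behind that records each user's last sign-out and rejects any ticket issued before it. The `SignOutEverywhere` helper and the in-memory dictionary are assumptions made for the example.

```csharp
// Added example, not from the Foundstone paper or from Microsoft. SignOut()
// only deletes the cookie on the client; a copied cookie stays valid until
// the ticket expires. This Global.asax code-behind records each user's last
// sign-out and rejects tickets issued before it. Assumption: the static
// dictionary stands in for a durable, shared store (needed on a web farm).
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Security;
public class Global : HttpApplication
{
    // user name -> UTC time of that user's most recent sign-out
    private static readonly Dictionary<string, DateTime> lastSignOut =
        new Dictionary<string, DateTime>();
    private static readonly object sync = new object();

    // Hypothetical helper: call from the logout page instead of a bare SignOut().
    public static void SignOutEverywhere(string userName)
    {
        lock (sync) { lastSignOut[userName] = DateTime.UtcNow; }
        FormsAuthentication.SignOut();
    }

    // The rule, kept free of HttpContext so it can be unit tested:
    // a ticket issued before the user's last sign-out is a replay.
    public static bool IsRevoked(string userName, DateTime issuedUtc)
    {
        DateTime cutoff;
        lock (sync) { if (!lastSignOut.TryGetValue(userName, out cutoff)) return false; }
        return issuedUtc < cutoff;
    }

    // Runs after FormsAuthenticationModule has accepted the cookie and set
    // Context.User for this request.
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        FormsIdentity id = Context.User == null
            ? null : Context.User.Identity as FormsIdentity;
        if (id == null) return;
        // Ticket.IssueDate is local time; compare in UTC.
        if (IsRevoked(id.Name, id.Ticket.IssueDate.ToUniversalTime()))
        {
            FormsAuthentication.SignOut();                    // drop stale cookie
            Response.Redirect(FormsAuthentication.LoginUrl, true);
        }
    }
}
```

This check complements, rather than replaces, the configuration items in the list above: `requireSSL="true"` and `slidingExpiration="false"` on the `<forms>` element and `httpOnlyCookies="true"` on `<httpCookies>` still bound how long and over what channel a stolen cookie is usable.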

Tags:: Security
9/6/2005 8:59 PM Eastern Daylight Time