Can some hacker steal a web browser cookie from a user and login with that name on a web site?

Aristos picture Aristos · Mar 23, 2010 · Viewed 25.7k times · Source

Reading this question, Different users get the same cookie - value in .ASPXANONYMOUS

and search for a solution, I start thinking, if it is possible for some one to really steal the cookie with some way, and then place it on his browser and login lets say as administrator.

Do you know how form authentication can ensure that even if the cookie is stolen, the hacker does not get to use it in an actual login?

Is there any other alternative automatic defense mechanism?

Answer

Thomas picture Thomas · Mar 24, 2010

Is it possible to steal a cookie and authenticate as an administrator?

Yes it is possible, if the Forms Auth cookie is not encrypted, someone could hack their cookie to give them elevated privileges or if SSL is not require, copy someone another person's cookie. However, there are steps you can take to mitigate these risks:

On the system.web/authentication/forms element:

  1. requireSSL=true. This requires that the cookie only be transmitted over SSL
  2. slidingExpiration=false. When true, an expired ticket can be reactivated.
  3. cookieless=false. Do not use cookieless sessions in an environment where are you trying to enforce security.
  4. enableCrossAppRedirects=false. When false, processing of cookies across apps is not allowed.
  5. protection=all. Encrypts and hashes the Forms Auth cookie using the machine key specified in the machine.config or web.config. This feature would stop someone from hacking their own cookie as this setting tells the system to generate a signature of the cookie and on each authentication request, compare the signature with the passed cookie.

If you so wanted, you could add a small bit of protection by putting some sort of authentication information in Session such as a hash of the user's username (Never the username in plain text nor their password). This would require the attacker to steal both the Session cookie and the Forms Auth cookie.