
Prevent forms authentication cookie from being used across browsers

I am using forms authentication in an ASP.NET application and I realised that I can copy the authentication cookie content after I've already logged in, manually create the cookie in another instance of another browser and, after that, the application logs in automatically from the second browser.

I'd like to know if there's a way to prevent this (I don't know... something like making the authentication ticket somehow linked to the browser instance) because, as it is now, someone can steal the cookie and use it on a different computer to access the same account with no need for a login or password.

Answer1:

There's not a great deal you can do. Jeff Prosise has an interesting article here where he tries creating an HttpModule.

However you can see this isn't that effective:

...User-Agent headers are the last line of defense. And User-Agent headers are easily spoofed by someone aware that User-Agent headers are being used to validate session IDs.

Personally I wouldn't lose any sleep over it.

Answer2:

Take the User Agent and embed that in your cookie? Obviously, this would only work if your cookie was encrypted.

eg.

string plainFormCookie=GetUsername()+etc()+Request.UserAgent; // encrypt cookie afterwards

Answer3:

No, the browser doesn't send any unique identifier that you can use to pinpoint a single browser instance. You could store the UserAgent string and verify it each time the user requests a page to reduce the risk of identity theft, but that won't eliminate it.

To make a really safe connection you would have to use SSL.
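The User-Agent binding sketched in Answer2 and Answer3, worked into an ASP.NET forms-authentication ticket, as an added example (not code from this thread or from Jeff Prosise's article): `UaBoundTicket` and `UaCheckModule` are hypothetical names, and the module assumes the built-in FormsAuthenticationModule has already run. As the thread points out, a copied cookie still works from any client that sends the same User-Agent, so this narrows the window rather than closing it.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.Security;

// Hypothetical helpers (not from the thread): the ticket's UserData field carries a
// hash of the User-Agent, and an HttpModule re-checks it on every authenticated request.
public static class UaBoundTicket
{
    // Hash rather than store the raw UA so the encrypted cookie stays small.
    public static string Fingerprint(string userAgent)
    {
        using (var sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(userAgent ?? "")));
    }

    // Use instead of FormsAuthentication.SetAuthCookie after the password check succeeds.
    public static void Issue(HttpResponse response, string userName, string userAgent)
    {
        var ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.AddMinutes(30),
            false, Fingerprint(userAgent), FormsAuthentication.FormsCookiePath);
        // Encrypt() also MACs the ticket with the machineKey, so UserData cannot be edited client-side.
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;                         // not readable by page script
        cookie.Secure = FormsAuthentication.RequireSSL; // HTTPS only when requireSSL="true"
        response.Cookies.Add(cookie);
    }
}

// Register under <system.webServer><modules> (or <httpModules>) in web.config.
public class UaCheckModule : IHttpModule
{
    public void Init(HttpApplication app) { app.PostAuthenticateRequest += OnPostAuth; }
    public void Dispose() { }

    private static void OnPostAuth(object sender, EventArgs e)
    {
        var ctx = ((HttpApplication)sender).Context;
        HttpCookie cookie = ctx.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null) return; // anonymous request, nothing to check
        FormsAuthenticationTicket ticket = null;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); } catch (Exception) { /* tampered */ }
        if (ticket != null && ticket.UserData == UaBoundTicket.Fingerprint(ctx.Request.UserAgent)) return;
        // Mismatch: treat the ticket as reused from another client, discard it and require a fresh login.
        FormsAuthentication.SignOut();
        FormsAuthentication.RedirectToLoginPage();
    }
}
```

Logging the mismatch (user name from `ticket.Name`, both fingerprints, client IP) before signing out gives the incident-response side something to correlate; the redirect alone hides the event.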
