How to improve the security of asp.net Membership?

0

Can you protect that cookie that is evident when you log in to a site using asp.net membership? I know I just copy it so I can "clone" the login session and thus become very vulnerable to man in the middle attacks.

The only solution is to use SSL?

asked by anonymous 01.02.2016 / 22:01

1 answer

1

For any cookie you need to create, regardless of language / platform, it is highly recommended that the HttpOnly flag be set, which helps you to prevent manipulation of your cookie through JavaScript, and consequently XSS attacks, in addition to the Secure flag, which the W3C standardized (https://www.w3.org/Protocols/rfc2109/rfc2109) as a way to prevent cookie requests from being accepted through insecure channels.

In fact, if someone can somehow generate the exact content of your Authentication Cookie, it may well change the Cookie in the browser and use it. But we have to consider that Asp.Net itself already takes good care of the part of encrypting its Cookies through the configuration of machineKey , which makes this practice very unlikely.

On the other hand, the user would not even need to generate the content if it facilitates the theft of this information. With the HttpOnly flag, you prevent malicious JavaScript from being able to read your cookies, and the Secure flag ensures that the application will only understand the content if it is travelling over SSL, which is nowadays required to prevent information from travelling in plain text, where it could be easily read by man-in-the-middle attacks.

In Asp.Net, these settings can be made in Web.config:

<httpCookies httpOnlyCookies="true" requireSSL="true" />

For any Cookie, you can programmatically set:

using System.Web;

// Create the cookie, mark it HttpOnly so page scripts cannot read it,
// then append it to the response.
HttpCookie myCookie = new HttpCookie("myCookie");
myCookie.HttpOnly = true;
Response.AppendCookie(myCookie);

Specifically in the case of the Authentication Cookie, you can force the Secure flag in the forms element:

<authentication mode="Forms">
    <forms cookieless="UseCookies" requireSSL="true" />
</authentication>
02.02.2016 / 04:17
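To verify that the Web.config settings above actually took effect, the Set-Cookie headers the application returns can be audited for the two flags. The following script is an added example, not code from the question or the answer; it uses the default ASP.NET cookie names (.ASPXAUTH for forms authentication, ASP.NET_SessionId for the session) and constructed sample headers.

```python
# Added example (not from the original answer): audit Set-Cookie headers
# returned by an ASP.NET application and report login/session cookies
# that lack the HttpOnly or Secure flag. Cookie names are the ASP.NET
# defaults; the sample headers below are constructed, not captured.
from http.cookies import SimpleCookie

# Cookies that carry the login or session and therefore need both flags.
SENSITIVE_COOKIES = {".ASPXAUTH", "ASP.NET_SessionId"}


def audit_set_cookie(headers):
    """Return {cookie_name: [missing flags]} for every sensitive cookie
    found in the given Set-Cookie header values.
    An empty dict means every sensitive cookie carries both flags."""
    findings = {}
    for header in headers:
        jar = SimpleCookie()
        jar.load(header)  # parses name=value plus attributes such as HttpOnly
        for name, morsel in jar.items():
            if name not in SENSITIVE_COOKIES:
                continue  # e.g. a UI preference cookie; not security relevant
            missing = []
            if not morsel["httponly"]:
                missing.append("HttpOnly")
            if not morsel["secure"]:
                missing.append("Secure")
            if missing:
                findings[name] = missing
    return findings


# Constructed sample responses: one hardened, one with the defaults left alone.
HARDENED_HEADERS = [
    ".ASPXAUTH=ticket123; path=/; HttpOnly; Secure",
    "ASP.NET_SessionId=session123; path=/; HttpOnly; Secure",
]
WEAK_HEADERS = [
    ".ASPXAUTH=ticket123; path=/",
    "ASP.NET_SessionId=session123; path=/; HttpOnly",
    "theme=dark; path=/",
]

if __name__ == "__main__":
    print("hardened:", audit_set_cookie(HARDENED_HEADERS))  # {}
    print("weak:", audit_set_cookie(WEAK_HEADERS))
```

Run it against the headers of a real login response (for example copied from the browser's network panel) to confirm that requireSSL and httpOnlyCookies are in effect.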