[Mono-list] Security and Firefox 2.0

Bradley, Peter pbradley at uwic.ac.uk
Tue Oct 24 10:46:09 EDT 2006


Nice one, Robert.  We'd missed the one about the expiration of the
authentication cookie.  I'm not sure how we avoid setting it though.

By way of explanation, here's the way we set the authentication cookie:



// Add user groups (roles in MS-speak) to the ticket's userData.
// Argument 4 is the ticket's own expiration; argument 5 (false) is
// isPersistent, so the ticket is flagged as non-persistent.
FormsAuthenticationTicket authTicket =
	new FormsAuthenticationTicket(1,
					txtUid.Text,
					DateTime.Now,
					DateTime.Now.AddMinutes(Session.Timeout),
					false,
					groups.ToString());

// Now encrypt the ticket
string encryptedTicket = FormsAuthentication.Encrypt(authTicket);

// Create a cookie and add the encrypted ticket to the
// cookie as data. authCookie.Expires is not set anywhere here, so the
// cookie itself goes out without an expiry attribute (a session cookie).
HttpCookie authCookie =
	new HttpCookie(FormsAuthentication.FormsCookieName,
		       encryptedTicket);

// Add the cookie to the outgoing cookies collection
Response.Cookies.Add(authCookie);



I'm not quite sure how we avoid setting some sort of time in the
FormsAuthenticationTicket because it wants a DateTime value (which as
you know cannot be null).

The actual cookie itself is constructed from the ticket.

Now, does this mean the cookie has an expiration or not?  Our tests
suggest it does.

If we use the HttpCookieInstance.Expires(DateTime dt) method, once again
we have to give it a value, because it expects a DateTime.

Cheers (and thanks)


Peter

-----Original Message-----
From: mono-list-bounces at lists.ximian.com
[mailto:mono-list-bounces at lists.ximian.com] On Behalf Of Robert Jordan
Sent: 24 October 2006 15:13
To: Mono-list at lists.ximian.com
Subject: Re: [Mono-list] Security and Firefox 2.0

Bradley, Peter wrote:
> I wonder if I could pick some brains?
> 
> According to the BBC:
> 
> "Firefox 2.0 also has an improved session restoration system that will
> let users resurrect tabbed webpages they accidentally closed or will
> re-start a net session at the point before a crash."
> 
> We already have difficulties with tabbed browsers in the sense that if a
> user closes a tab, it doesn't close the session so users (and therefore
> potentially others if the user leaves the machine unguarded) can jump
> back into a session.  Does the feature above mean life is going to be
> even more difficult?  Will sessions even be restored if the browser is
> closed and re-opened?  This is very important to us, because many of our
> applications run on computers in public access areas.  So they do get
> left unguarded, and the urls to access the systems are obviously well
> known: but they do deal with sensitive information, like disability data
> &c.
> 
> Or is there something in the .NET security model we should be using that
> we've missed?

I'm supposing you mean ASP.NET.

By default, ASP.NET sessions expire after 10 minutes of inactivity.
This can be controlled with web.config's
<sessionState timeout="<minutes>"> setting.

During this time window, the browser can be recycled w/out
losing the session.

However, sensitive information is usually protected by an
additional authentication layer. If this layer employs cookies,
their expiration must not be set => browsers will not
store the cookies on the disk either => recycling the
browser kills the session.

If a browser doesn't respect the empty expiration value,
then ASP.NET (or any other web server framework that uses
cookies for authentication) can't do anything about it.

Robert
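An added example, not Peter's code and not part of ASP.NET or Mono, that separates the two expirations Peter and Robert are discussing: the one inside the FormsAuthenticationTicket (checked by the server) and the cookie's own Expires (what tells the browser whether to keep the cookie after it is closed). IssueTicket and ReadTicket are hypothetical helper names; the caller passes the user name and roles that Peter's snippet takes from txtUid and groups.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added example: two independent expirations in ASP.NET forms authentication.
// IssueTicket and ReadTicket are hypothetical helper names.
public static class AuthCookieHelper
{
    public static void IssueTicket(HttpResponse response, string userName,
                                   string roles, int timeoutMinutes, bool persistent)
    {
        // Expiration #1: inside the ticket. It travels encrypted in the cookie
        // value and is checked by the server, whatever the browser does.
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.AddMinutes(timeoutMinutes),
            persistent, roles);

        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                           FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;          // keep page script from reading the ticket

        // Expiration #2: the cookie's own Expires. Left at its default
        // (DateTime.MinValue), no expires= attribute is sent and the browser
        // holds the cookie in memory only. Setting it is what asks the browser
        // to write the cookie to disk, so it is done only for the persistent case.
        if (persistent)
            cookie.Expires = ticket.Expiration;

        response.Cookies.Add(cookie);
    }

    // Request side: a browser may still present the cookie after the ticket
    // inside it has expired, so the server must check the ticket itself.
    public static FormsAuthenticationTicket ReadTicket(HttpRequest request)
    {
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
            return null;                 // no cookie: not authenticated

        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (ArgumentException) { return null; }  // undecryptable value
        catch (HttpException) { return null; }      // failed validation

        if (ticket == null || ticket.Expired)
            return null;                 // expired ticket: treat as logged out
        return ticket;
    }
}
```

With persistent left false, the ticket still expires after timeoutMinutes even though the Set-Cookie header carries no expiry, which is the combination Peter's snippet produces.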
