[Mono-list] Security and Firefox 2.0
pbradley at uwic.ac.uk
Tue Oct 24 10:46:09 EDT 2006
Nice one, Robert. We'd missed the one about the expiration of the
authentication cookie. I'm not sure how we avoid setting it though.
By way of explanation, here's the way we set the authentication cookie:
//add user groups (roles in MS-speak) to session
FormsAuthenticationTicket authTicket =
//Now encrypt the ticket
string encryptedTicket = FormsAuthentication.Encrypt(authTicket);
// Create a cookie and add the encrypted ticket to the
// cookie as data
HttpCookie authCookie =
new HttpCookie( FormsAuthentication.FormsCookieName,
//Add the cookie to the outgoing cookies collection
I'm not quite sure how we avoid setting some sort of time in the
FormsAuthenticationTicket because it wants a DateTime value (which as
you know cannot be null).
The actual cookie itself is constructed from the ticket.
Now, does this mean the cookie has an expiration or not. Our tests
suggest it does.
If we use the HttpCookieInstance.Expires(DateTime dt) method, once again
we have to give it a value, because it expects a DateTime.
Cheers (and thanks)
From: mono-list-bounces at lists.ximian.com
[mailto:mono-list-bounces at lists.ximian.com] On Behalf Of Robert Jordan
Sent: 24 October 2006 15:13
To: Mono-list at lists.ximian.com
Subject: Re: [Mono-list] Security and Firefox 2.0
Bradley, Peter wrote:
> I wonder if I could pick some brains?
> According to the BBC:
> "Firefox 2.0 also has an improved session restoration system that will
> let users resurrect tabbed webpages they accidentally closed or will
> re-start a net session at the point before a crash."
> We already have difficulties with tabbed browsers in the sense that if
> user closes a tab, it doesn't close the session so users (and
> potentially others if the user leaves the machine unguarded) can jump
> back into a session. Does the feature above mean life is going to be
> even more difficult? Will sessions even be restored if the browser is
> closed and re-opened? This is very important to us, because many of
> applications run on computers in public access areas. So they do get
> left unguarded, and the urls to access the systems are obviously well
> known: but they do deal with sensitive information, like disability
> Or is there something in the .NET security model we should be using
> we've missed?
I'm supposing you mean ASP.NET.
By default, ASP.NET sessions expire after 10 minutes of inactivity.
This can be controlled with web.config's
<sessionState timeout="<minutes>"> setting.
During this time window, the browser can be recycled w/out
losing the session.
However, sensitive information is usually protected by an
additional authentication layer. If this layer employs cookies,
their expiration must not be set => browsers will not
store the cookies on the disk either => recycling the
browser kills the session.
If a browser doesn't respect the empty expiration value,
then ASP.NET (or any other web server framework that uses
cookies for authentication) can't do nothing about it.
Mono-list maillist - Mono-list at lists.ximian.com
More information about the Mono-list