Persistent authentication tickets leave users vulnerable to session hijacking.
The FormsAuthentication.RedirectFromLoginPage() method issues an authentication ticket, which allows users to remain authenticated for a specified period of time. When the method is invoked with the second argument false, it issues a temporary authentication ticket that remains valid for a period of time configured in web.config. When invoked with the second argument true, the method issues a persistent authentication ticket. On .NET 2.0, the lifetime of the persistent ticket respects the value in web.config, but on .NET 1.1, the persistent authentication ticket has a ridiculously long default lifetime -- fifty years.
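The following Web Forms login handler is an added example, not code from the original page. It contrasts the call that passes the "remember me" checkbox straight through as the second argument with two safer alternatives: always issuing a non-persistent ticket (so the lifetime is the timeout in the <forms> element of web.config), or, where a "remember me" feature is genuinely required, building the FormsAuthenticationTicket explicitly so the expiration is bounded in code rather than left to a framework default. The control names txtUser, txtPassword and chkPersist and the seven-day limit are assumptions; Membership.ValidateUser is the .NET 2.0+ membership API and stands in for whatever credential check the application uses.

```csharp
using System;
using System.Web;
using System.Web.Security;

public partial class Login : System.Web.UI.Page
{
    // Hypothetical page controls: txtUser, txtPassword and a "Remember me" box chkPersist.

    // Vulnerable pattern: the checkbox value becomes createPersistentCookie. When it is true
    // the framework writes a persistent ticket; on .NET 1.1 that ticket defaults to a
    // fifty-year lifetime regardless of the <forms timeout="..."> setting.
    protected void LoginVulnerable_Click(object sender, EventArgs e)
    {
        if (Membership.ValidateUser(txtUser.Text, txtPassword.Text))
        {
            FormsAuthentication.RedirectFromLoginPage(txtUser.Text, chkPersist.Checked);
        }
    }

    // Preferred: always issue a session (non-persistent) ticket. Its lifetime is the timeout
    // configured in web.config and the cookie is discarded when the browser closes.
    protected void LoginSession_Click(object sender, EventArgs e)
    {
        if (Membership.ValidateUser(txtUser.Text, txtPassword.Text))
        {
            FormsAuthentication.RedirectFromLoginPage(txtUser.Text, false);
        }
    }

    // If "remember me" is a real requirement, construct the ticket so the expiration is an
    // explicit, bounded value chosen by the application (assumed policy: seven days).
    private const int MaxPersistentDays = 7;

    protected void LoginBoundedPersistent_Click(object sender, EventArgs e)
    {
        if (!Membership.ValidateUser(txtUser.Text, txtPassword.Text))
            return;

        DateTime now = DateTime.Now;
        var ticket = new FormsAuthenticationTicket(
            1,                                   // ticket version
            txtUser.Text,                        // authenticated user name
            now,                                 // issue date
            now.AddDays(MaxPersistentDays),      // explicit, bounded expiration
            chkPersist.Checked,                  // isPersistent
            String.Empty,                        // no extra user data
            FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                          // keep the ticket away from script
            Secure = FormsAuthentication.RequireSSL,  // mirrors requireSSL in web.config
            Path = FormsAuthentication.FormsCookiePath
        };
        if (chkPersist.Checked)
            cookie.Expires = ticket.Expiration;       // cookie lifetime matches the ticket

        Response.Cookies.Add(cookie);
        Response.Redirect(FormsAuthentication.GetRedirectUrl(txtUser.Text, chkPersist.Checked));
    }
}
```

Whichever handler is used, the server-side timeout still comes from the <forms> element in web.config (for example timeout="20" with slidingExpiration="false"), so that setting should be reviewed alongside the login code: a bounded ticket only helps if the configured timeout is itself short enough for the application's risk.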
Allowing persistent authentication tickets to survive for a long period of time leaves users and the system vulnerable in the following ways:
It expands the period of exposure to session hijacking attacks for users who fail to log out.
It increases the average number of valid session identifiers available for an attacker to guess.
It lengthens the duration of an exploit once an attacker has succeeded in hijacking a user's session.