
Session Hijacking Prevention

Is it possible to steal a cookie and authenticate as an administrator? Yes, it is possible: if the Forms Auth cookie is not encrypted, someone could tamper with our cookie to give themselves elevated privileges, or, if SSL is not required, copy another person's cookie. Encrypting the session value will have zero effect: the session cookie is already an arbitrary value, and encrypting it just produces another arbitrary value that can be sniffed.

However, there are steps we can take to mitigate these risks. On the system.web/authentication/forms element:

- requireSSL=true. Requires that the cookie only be transmitted over SSL.
- slidingExpiration=false. When true, an expired ticket can be reactivated.
- cookieless=false. Do not use cookieless sessions in an environment where you are trying to enforce security.
- enableCrossAppRedirects=false. When false, processing of cookies across apps is not allowed.
- protection=all. Encrypts and ha
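The settings above as a web.config fragment, with a weak forms element beside the hardened one (an added, constructed example, not code from the original post; cookieless is written with the explicit HttpCookieMode value UseCookies, and the httpCookies element is an assumed companion setting the post does not list):

```xml
<!-- Weak configuration (constructed example): the ticket can travel over
     plain HTTP, is renewed on every request and is neither encrypted nor
     signed, so a sniffed or edited cookie is accepted as-is -->
<system.web>
  <authentication mode="Forms">
    <forms loginUrl="~/Login.aspx"
           requireSSL="false"
           slidingExpiration="true"
           cookieless="UseUri"
           enableCrossAppRedirects="true"
           protection="None" />
  </authentication>
</system.web>

<!-- Hardened configuration: the values the post recommends on the same element -->
<system.web>
  <authentication mode="Forms">
    <forms loginUrl="~/Login.aspx"
           requireSSL="true"              <!-- cookie only sent over SSL -->
           slidingExpiration="false"      <!-- expired ticket is not reactivated -->
           cookieless="UseCookies"        <!-- never carry the ticket in the URL -->
           enableCrossAppRedirects="false" <!-- no ticket hand-off across apps -->
           protection="All"               <!-- ticket encrypted and signed -->
           timeout="20" />
  </authentication>
  <!-- Assumed companion setting (not in the post): keep every cookie the
       application issues out of client script and off plain HTTP -->
  <httpCookies httpOnlyCookies="true" requireSSL="true" />
</system.web>
```

The two system.web blocks are alternatives for one web.config, not both at once; with requireSSL="true" the login page itself must be served over HTTPS or the ticket is never issued.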