Best Practices in Dot Net applications

By Paladion

January 15, 2006

Which of the following is/are best practices for logout in .net applications?

  1. Using FormsAuthentication.SignOut method
  2. Set the requireSSL attribute for the AuthCookie
  3. Set the HttpOnly cookies attribute for the AuthCookie
  4. Implement Short Timeout for the AuthCookie
  5. All of the above

The answer is "5. All of the above".

In a .NET application that uses the FormsAuthentication class, clicking the sign out button calls the FormsAuthentication.SignOut method. The request is sent to the server, and the response that comes back to the browser resets the AuthCookie value to blank, so the user is logged out. But the AuthCookie is not invalidated on the server at logout; it becomes invalid only when the timeout expires. Thus, if the timeout has not yet expired and a malicious user gets hold of the authentication cookie, the malicious user can use it to access the application until the timeout expires.

To prevent the cookie from being stolen while it is passed between the client and the server, SSL must be used and the cookie's requireSSL attribute must be set to true.

SSL (Secure Socket Layer) is a protocol used to create a secure connection for passing information between the client and the server. requireSSL is an attribute of the cookie that takes the value true or false. On a typical site some requests go over SSL and some do not. Before a request goes to the server, the browser checks the cookie: if its requireSSL attribute is true, the cookie is sent only when the request itself is over SSL. A malicious user therefore cannot sniff the traffic and capture the authentication cookie. But setting requireSSL to true is not enough on its own, because the cookie can also be stolen at the browser end through cross-site scripting attacks.

A malicious user can steal the information in the cookie through cross-site scripting attacks. To mitigate this risk, a feature called HttpOnly cookies was introduced in IE 6.0 Service Pack 1. The authentication cookie should be marked HttpOnly so that it cannot be read by scripts. The probability of the cookie being stolen is now lower, but there is still a chance of a malicious user getting hold of it, and this window is widest when the timeout value is set too high.

timeout is an attribute of the <forms> element in the forms authentication configuration and is set in the web.config file. The user's authentication cookie is invalidated at the server only when the timeout expires. The default value of timeout is 30 minutes; it should be reduced to a smaller interval. A short timeout shrinks the window in which a captured cookie remains useful to a malicious user.
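The four practices above map onto a handful of web.config settings. The fragment below is an added example, not configuration from the original post or from Paladion: the first <forms> element shows the weak defaults and the second the hardened form. The loginUrl path, cookie name and the 10-minute timeout are illustrative choices; slidingExpiration and the <httpCookies> element are standard ASP.NET 2.0 settings that the post does not mention but that a practitioner would normally set alongside them.

```xml
<!-- Added example (not from the original post). Two versions of the same
     forms authentication configuration: the weak one is commented out,
     the hardened one is live. -->
<configuration>
  <system.web>

    <!-- WEAK: relies on defaults. timeout falls back to 30 minutes,
         requireSSL defaults to false, so the AuthCookie is sent over
         plain HTTP requests and stays usable for a long window if captured.
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" name=".ASPXAUTH" />
    </authentication>
    -->

    <!-- HARDENED -->
    <authentication mode="Forms">
      <forms
        loginUrl="~/Login.aspx"         <!-- illustrative path -->
        name=".ASPXAUTH"                <!-- illustrative cookie name -->
        requireSSL="true"               <!-- practice 2: cookie only over SSL -->
        timeout="10"                    <!-- practice 4: short lifetime (minutes, illustrative) -->
        slidingExpiration="false"       <!-- absolute expiry: activity does not extend the ticket -->
        protection="All" />             <!-- ticket is both encrypted and signed -->
    </authentication>

    <!-- practice 3: mark cookies HttpOnly so page scripts cannot read them
         (FormsAuthentication already sets HttpOnly on its own cookie in
         ASP.NET 2.0; this covers any other cookies the site issues). -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />

  </system.web>
</configuration>
```

Practice 1, calling FormsAuthentication.SignOut() in the logout handler, is code rather than configuration; as the post notes, it clears the cookie in the browser but does not shorten the server-side validity of a ticket that was already copied, which is why the timeout setting above still matters.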

Tags: Quiz