Which of the following is/are best practices for logout in .NET applications?
1. Using the FormsAuthentication.SignOut method
2. Setting the requireSSL attribute for the AuthCookie
3. Setting the HttpOnly cookie attribute for the AuthCookie
4. Implementing a short timeout for the AuthCookie
5. All of the above
The answer is "5. All of the above".
In a .NET application that uses the FormsAuthentication class, clicking the sign-out button calls the FormsAuthentication.SignOut method. The request is sent to the server, and the response that comes back to the browser resets the AuthCookie value to blank, so the user is logged out. However, the AuthCookie is not invalidated on the server side at logout; it becomes invalid only when its timeout expires. So if the timeout has not expired and a malicious user gets hold of the authentication cookie, the malicious user can use it to access the application until the timeout expires.
To prevent the cookie from being stolen while it is passed between the client and the server, SSL must be used and the requireSSL attribute must be set to true.
SSL (Secure Sockets Layer) is a protocol used to create a secure connection for passing information between the client and the server. requireSSL is a cookie attribute whose value can be true or false. On a site, some requests go over SSL and some do not. Before a request is sent to the server, the browser checks the cookie; if the requireSSL attribute is true, the cookie is sent only when the request itself is over SSL. A malicious user therefore cannot sniff the traffic and capture the authentication cookie. But setting requireSSL to true is not enough on its own, because the cookie can also be stolen at the browser end through cross-site scripting attacks.
A malicious user can steal the information in the cookie through cross-site scripting attacks. To mitigate this risk, a feature called HttpOnly cookies was introduced in IE 6.0 Service Pack 1. The authentication cookie should be marked HttpOnly so that it cannot be accessed from scripts. The probability of the cookie being stolen is now lower, but there is still a chance of a malicious user getting hold of it, especially if the timeout value is set too high.
timeout is an attribute of the <forms> element used by FormsAuthentication and can be configured in the web.config file. The user's authentication cookie is invalidated at the server only when the timeout expires. The default timeout is 30 minutes; it should be reduced to a shorter interval. A short timeout also shortens the window in which a malicious user can capture and reuse the cookie.
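The following is an added example, not code from the original quiz page: a logout handler for a hypothetical ASP.NET Web Forms application that uses FormsAuthentication, together with the web.config settings (shown in a comment at the top) that implement the other three practices listed above. The page name, login URL and the 10-minute timeout value are assumptions; the configuration attributes and the FormsAuthentication members used are the real ones.

```csharp
// Added example (not from the original quiz page). The web.config fragment
// below belongs to the hypothetical application; the values are assumptions.
//
//   <system.web>
//     <authentication mode="Forms">
//       <!-- requireSSL: the auth cookie is sent only over HTTPS.
//            timeout: minutes until the ticket expires (default is 30).
//            slidingExpiration="false": the ticket expires at a fixed time
//            after login, so a stolen cookie is not kept alive by further
//            requests. -->
//       <forms loginUrl="~/Login.aspx"
//              requireSSL="true"
//              timeout="10"
//              slidingExpiration="false"
//              protection="All" />
//     </authentication>
//     <!-- httpOnlyCookies: every cookie the application issues is marked
//          HttpOnly, so script running in the page cannot read it. -->
//     <httpCookies httpOnlyCookies="true" requireSSL="true" />
//   </system.web>

using System;
using System.Web;
using System.Web.Security;

// Hypothetical logout page; the class name is an assumption.
public partial class Logout : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Emits a Set-Cookie header that clears the forms-authentication
        // cookie in the browser. The ticket is not revoked on the server,
        // which is why the timeout configured above matters.
        FormsAuthentication.SignOut();

        // Discard any server-side session state tied to this user.
        Session.Abandon();

        // Belt and braces: overwrite the auth cookie with an already-expired
        // one that carries the same name, path and flags, so that the
        // clearing cookie is accepted even by clients that match on them.
        var expired = new HttpCookie(FormsAuthentication.FormsCookieName, string.Empty)
        {
            Expires = DateTime.UtcNow.AddDays(-1),
            Path = FormsAuthentication.FormsCookiePath,
            HttpOnly = true,
            Secure = FormsAuthentication.RequireSSL
        };
        Response.Cookies.Set(expired);

        // Keep the logout response out of browser and proxy caches.
        Response.Cache.SetCacheability(HttpCacheability.NoCache);
        Response.Cache.SetNoStore();

        // Send the now-anonymous user back to the configured loginUrl.
        FormsAuthentication.RedirectToLoginPage();
    }
}
```

Placing requireSSL on both the <forms> element and the <httpCookies> element is deliberate: the first applies to the authentication cookie specifically, the second makes Secure and HttpOnly the default for every cookie the application issues, which covers the session cookie as well.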
Tags: Quiz