WebApp Sec mailing list archives
RE: Cookie not expiring...
From: "Steven Rebello" <stevenr () mastek com>
Date: Wed, 17 Aug 2005 16:10:05 +0530
Hi There is no "cookie" on the server side per se. The cookie is a small text file on the browser machine that contains a session id value which maps to a .NET session object on the server side. The clean way of implementing a logout is to remove/expire the cookie from the browser and also invalidate the session object on the server side. In such a case, even if a malicious user does manage to get a cookie with a session id before its overwritten, the corresponding session object on the server side would have already been destroyed. Also, it wont hurt to have a strict but realistic session timeout value, after which the server will automatically destroy the idle session. I'm not too familiar with .NET but the corresponding equivalent of session invalidation in J2EE is session.invalidate() HTH Steven Rebello -----Original Message----- From: spawn security [mailto:spawn.security () gmail com] Sent: Tue 16/08/2005 6:08 PM To: webappsec () securityfocus com Cc: Subject: Cookie not expiring... I'm testing an application and after clicking on the logout button the session management cookie does not expire. More specifically, the application is using the FormsAuthentication class signout method to "logout" an authenticated user. Private Sub cmdSignOut_ServerClick(ByVal sender As System.Object, ByVal e As System.EventArgs) _ Handles cmdSignOut.ServerClick FormsAuthentication.SignOut() Session.Abandon() Response.Redirect("login.aspx", True) End Sub According to Microsoft documentation, this FormsAuthentication.SignOut method works by returning a Set-Cookie header to the browser that sets the cookie's value to a null string and sets the cookie's expiration date to a date in the past. This is only expiring the cookie on the client/browser side. Which will allow a "malicious" user, who had access to the cookie, to reuse it after user logs out. Does anyone know how to force the cookie to expire on the server side ? Thanks. MASTEK "Making a valuable difference" Mastek in NASSCOM's 'India Top 20' Software Service Exporters List. In the US, we're called MAJESCO ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Opinions expressed in this e-mail are those of the individual and not that of Mastek Limited, unless specifically indicated to that effect. Mastek Limited does not accept any responsibility or liability for it. This e-mail and attachments (if any) transmitted with it are confidential and/or privileged and solely for the use of the intended person or entity to which it is addressed. Any review, re-transmission, dissemination or other use of or taking of any action in reliance upon this information by persons or entities other than the intended recipient is prohibited. This e-mail and its attachments have been scanned for the presence of computer viruses. It is the responsibility of the recipient to run the virus check on e-mails and attachments before opening them. If you have received this e-mail in error, kindly delete this e-mail from all computers. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Current thread:
- Cookie not expiring... spawn security (Aug 16)
- Re: Cookie not expiring... bryan allott (Aug 17)
- RE: Cookie not expiring... Dan Simon (Aug 17)
- Re: Cookie not expiring... Rogan Dawes (Aug 17)
- Re: Cookie not expiring... Thomas Chiverton (Aug 17)
- <Possible follow-ups>
- RE: Cookie not expiring... Steven Rebello (Aug 17)
- RE: Cookie not expiring... David Knapman (Aug 17)
- Re: Cookie not expiring... dharmeshmm (Aug 17)
- RE: Cookie not expiring... Dan Simon (Aug 17)
- Windows 2003 Server Hardening Joe Osborn (Aug 18)
- Re: Windows 2003 Server Hardening jcarr083 (Aug 19)
- RE: Windows 2003 Server Hardening Sarbjit Singh Gill (Aug 19)
- RE: Windows 2003 Server Hardening Aleksander P. Czarnowski (Aug 19)
- RE: Cookie not expiring... Dan Simon (Aug 17)
- Re: Cookie not expiring... bryan allott (Aug 17)