forms authentication question

Eric

I want to use forms authentication, but since the forms authentication
cookie is not updated all the time, I want to use a server-side check to
validate the user's login status/information. If I create a unique session
key and store it in the forms authentication cookie as custom data, can I
check on every Application_BeginRequest() whether the cookie is expired, and if
the cookie is expired but the session key is valid (validated against the
database), call FormsAuthentication.RenewTicketIfOld and re-set the forms
authentication cookie?

It looks like this would be a good check for making sure that if someone
steals the forms authentication cookie and somehow decrypts it, they still
wouldn't be able to log in because of the server-side check? Or maybe this is
not necessary, creates overhead, and is not secure at all? I just want some
opinions.

Thanks in advance,
Eric
 
Dominick Baier [DevelopMentor]

Hi,

I don't really see what you are trying to do.

The forms auth ticket has a timeout, and 2 renewal modes: sliding and
non-sliding.

In non-sliding, the timeout is absolute, and users have to reauth after this
timeout.
In sliding, the ticket gets renewed for the time specified in timeout after
timeout/2.

As long as you don't persist cookies and use SSL, I don't see a problem
here?

However, if you store additional data in the cookie, like roles, you should
have a manual expiration mechanism to update roles after a certain amount
of time. This also gives you the chance to check if the user is still valid/roles
have changed.
 
Eric

Thank you for the reply. Yes, the forms authentication cookie has a sliding
timeout or an absolute timeout, but my problem is that the sliding expiration
does not get updated all the time. So, if I set the sliding expiration to 20
minutes, the cookie will be updated after 10 minutes, and if the user did
something in the first 10 minutes but then didn't do anything for the next
15 minutes, the forms authentication cookie will have timed out. That's what I'm
trying to avoid. Storing a custom session key in the cookie gives me the ability
to renew the cookie as long as the session key has not expired. I will also
be using an in-memory cookie and SSL, so that it will be difficult to steal the
forms authentication cookie, but if it is stolen, there would be another level
of server-side checks that would have to be passed.
 
Dominick Baier [DevelopMentor]

Hi,

So does your session key also have an expiration time? Why don't you just
set a longer timeout on the forms ticket?
 
Eric

I have a 20-minute timeout on the session key. Every time a request is made to
the database, the expiration time is updated. I can increase the timeout on
the forms authentication cookie, but I really would like to keep both the
session key and the forms authentication cookie close to each other if
possible. If I set the forms authentication cookie timeout to 40 minutes and
I have a page where the code is not hitting the database, then the user will
be valid for 40 minutes instead of 20. But if I set the forms authentication
timeout to 20 and then validate the session key (stored in the forms cookie
as user data) against the database, then the timeouts will be in sync. I
just don't know which solution is better: increase the forms timeout, or keep the
same timeout for both the session key and the forms cookie and validate/extend the
session key on every request.
 
Dominick Baier [DevelopMentor]

Hi,

OK, you made two points.

a) Avoiding expiration

Why don't you just call RenewTicketIfOld on every request?

b) Stealing the cookie

If the cookie is expired, it is expired. If someone can steal the cookie
(including your session key), he can keep the ticket alive by regularly
posting back to the web site. I don't see a security gain here.
 
Dominick Baier [DevelopMentor]

Hi,

Sorry, calling Renew on every request does not make sense. I have read the
docs now :))

But you could manually renew the ticket if you want to; I just wouldn't
go through the hassle of the session key and keeping them in sync manually.
 
Eric

I looked at the RenewTicketIfOld method, but it only updates the ticket if the
user has passed the timeout/2 value. I guess that's the reason Microsoft
decided to just update the cookie once in a while instead of every time:
if the user has the "warn cookies" option turned on, they would get the pop-up box
every time the forms cookie is updated. That's why I was thinking I could
update the cookie once I determine that the forms authentication cookie is
expired but the "true" session key has not expired. Of course, if someone
steals the forms cookie, they'll be able to send requests and keep both the
ticket and the session key alive, but I'll make sure the forms cookie is only
issued for SSL traffic and the whole site will also use SSL.
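The following is an added example, not code posted by Eric or Dominick, showing what the two of them converge on: a forms ticket that carries a server-side session key in UserData, validated against the database on every request (which is also the "manual expiration mechanism" Dominick suggests for checking that the user is still valid), and re-issued when the ticket itself has expired but the key has not. It assumes an ASP.NET (System.Web) site using FormsAuthentication, and a hypothetical `ISessionKeyStore` interface standing in for Eric's database table; the 20-minute timeout and the SSL-only, in-memory cookie are taken from the thread.

```csharp
// Added example (not from the thread). Assumes System.Web forms authentication
// and a hypothetical ISessionKeyStore backed by the database Eric describes.
using System;
using System.Web;
using System.Web.Security;

public interface ISessionKeyStore
{
    // Hypothetical: returns true if (userName, sessionKey) is still valid and
    // not revoked, and extends the key's 20-minute expiry as a side effect.
    bool TouchIfValid(string userName, string sessionKey);
}

public static class SessionKeyTicket
{
    private static readonly TimeSpan Timeout = TimeSpan.FromMinutes(20);

    // Called at login: the server-side session key travels in the ticket's UserData.
    public static void Issue(HttpResponse response, string userName, string sessionKey)
    {
        DateTime now = DateTime.Now;
        var ticket = new FormsAuthenticationTicket(
            1, userName, now, now.Add(Timeout),
            false,                                   // not persistent: in-memory cookie
            sessionKey,                              // custom user data
            FormsAuthentication.FormsCookiePath);
        response.Cookies.Add(MakeCookie(ticket));
    }

    private static HttpCookie MakeCookie(FormsAuthenticationTicket ticket)
    {
        // No Expires: the browser discards it when closed. Secure: SSL only.
        return new HttpCookie(FormsAuthentication.FormsCookieName,
                              FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,
            Secure = true,
            Path = FormsAuthentication.FormsCookiePath,
        };
    }

    // Call from Application_BeginRequest in Global.asax:
    //   protected void Application_BeginRequest(object sender, EventArgs e)
    //   {   SessionKeyTicket.ValidateOrRenew(Context, store); }
    // BeginRequest runs before FormsAuthenticationModule authenticates the request,
    // so a cookie replaced here is the one the module then sees.
    public static void ValidateOrRenew(HttpContext context, ISessionKeyStore store)
    {
        HttpCookie cookie = context.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return;

        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { Reject(context); return; }   // tampered or foreign cookie
        if (ticket == null) { Reject(context); return; }

        // Server-side check on every request. A revoked or expired key ends the
        // session regardless of what the (possibly stolen) ticket says.
        if (!store.TouchIfValid(ticket.Name, ticket.UserData))
        {
            Reject(context);
            return;
        }

        FormsAuthenticationTicket renewed;
        if (ticket.Expired)
        {
            // Ticket ran out (user idle between timeout/2 and timeout) but the key is
            // still live: re-issue explicitly for a full timeout.
            DateTime now = DateTime.Now;
            renewed = new FormsAuthenticationTicket(ticket.Version, ticket.Name, now,
                now.Add(Timeout), ticket.IsPersistent, ticket.UserData, ticket.CookiePath);
        }
        else
        {
            // Normal sliding behaviour: returns the same instance until timeout/2 has passed.
            renewed = FormsAuthentication.RenewTicketIfOld(ticket);
        }

        if (!ReferenceEquals(renewed, ticket))
        {
            HttpCookie fresh = MakeCookie(renewed);
            context.Request.Cookies.Set(fresh);      // what FormsAuthenticationModule reads
            context.Response.Cookies.Add(fresh);     // what the browser stores
        }
    }

    private static void Reject(HttpContext context)
    {
        // Drop the request cookie so the module treats the request as anonymous,
        // and send an expired cookie back so the browser forgets it.
        context.Request.Cookies.Remove(FormsAuthentication.FormsCookieName);
        FormsAuthentication.SignOut();
    }
}
```

As Dominick points out, this does not stop an attacker who holds the cookie from keeping both the ticket and the key alive by polling the site; what the database round-trip buys is the ability to end a session from the server side (deleting or flagging the key in the store makes `TouchIfValid` return false on the very next request), which a timeout baked into the ticket alone cannot do.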
 
