ASPXAUTH public cookie and security

Due to an error in Flash, I have to use the ASPXAuth cookie to log the user into the system on the page that is unloaded when the script loads after loading. See this page for more information: http://geekswithblogs.net/apopovsky/archive/2009/05/06/working-around-flash-cookie-bug-in-asp.net-mvc.aspx

I need to make the ASPXAUTH line "public" in the sense that it will be in the HTML page of the page. My question is: how safe is it?

I understand that anyone who can get a string in HTML can probably get it from a cookie just as easily, but suppose someone has this ASPXAUTH string. Is it possible that they can log in as another user using this cookie? Can they decrypt it?

Bara

+4
2 answers

The value of the cookie for forms authentication can be decrypted if a third party has received the decryption key used by your site. Otherwise, I think this will be the case of using brute force methods to crack it.

+4

Make sure page caching is disabled on both the client and proxy server.

You really do not want the page to be stored in any caches if it contains aspxauth cookie values in the markup.

Personally, I would use SSL to connect if it was very sensitive data.

+1
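
One way to apply the caching and SSL advice from the answer above in ASP.NET MVC, as an added example that is not part of the original question or answers. The `NoCacheAttribute` filter, the `UploadController` class and the `AuthToken` view-data key are hypothetical names chosen for illustration.

```csharp
using System;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Hypothetical filter (not from the original page): tells browsers and
// intermediate proxies not to store the response it is applied to.
public sealed class NoCacheAttribute : ActionFilterAttribute
{
    public override void OnResultExecuting(ResultExecutingContext filterContext)
    {
        HttpCachePolicyBase cache = filterContext.HttpContext.Response.Cache;

        // Forbid reuse of the response by client and shared caches.
        cache.SetCacheability(HttpCacheability.NoCache);
        // Forbid writing the response to any cache storage at all.
        cache.SetNoStore();
        // Ask every cache on the path to revalidate instead of serving a copy.
        cache.SetRevalidation(HttpCacheRevalidation.AllCaches);
        // Already-expired date for older caches that only honour Expires.
        cache.SetExpires(DateTime.UtcNow.AddDays(-1));

        base.OnResultExecuting(filterContext);
    }
}

// Hypothetical controller for the page that writes the cookie value into markup.
[RequireHttps] // the page and the embedded value travel over SSL only
public class UploadController : Controller
{
    [NoCache]
    public ActionResult Index()
    {
        // Only the requesting user's own forms-authentication cookie is read.
        HttpCookie auth = Request.Cookies[FormsAuthentication.FormsCookieName];
        ViewData["AuthToken"] = auth != null ? auth.Value : string.Empty;
        return View();
    }
}
```

Applying the filter per action keeps the no-cache policy limited to the one page that carries the value, while the rest of the site keeps its normal caching behaviour.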

Source: https://habr.com/ru/post/1304500/

