FormAuthenticationTicket Question


quantass
February 3rd, 2004, 03:22 PM
I'm making use of the FormAuthenticationTicket cookie which, on authentication, stores the Login Name, User ID, and Role as a delimited string. What the client browser receives is:

Set-Cookie: .ipxeUserAuth=0494FF5571FD3F5F0BE7B7ABEE; path=/

(The above cookie has been truncated)

Now, clearly the above cookie has been encrypted but because of what I store in the cookie, and I'm sure Microsoft encrypts the cookie in a certain way, what's stopping someone from recreating the above authentication ticket allowing him to bypass logging in? Is the encryption using some kind of Public/Private Key where only the IIS server knows how to decrypt it? Does the cookie vary for each authentication ticket returned to a new user or does it remain constant with the data being stored within it?

As you can see my knowledge of encryption is inferior at best, but your answers will certainly clear things up a bit for me. I'm just looking for more insight into how this is all done and why it works...

Thanks.
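The three questions in the post (can someone recreate the ticket, is it public-key, does the cookie change for identical data) come down to one design: the ticket is encrypted with a secret key and then signed with a second secret key, both held only by the server, and a random per-ticket IV makes every cookie different even for the same login/ID/role. In ASP.NET these are the machineKey `decryptionKey` and `validationKey`; the model below is an added example written for this thread, not Microsoft's code, and it is a conceptual stand-in (HMAC-SHA256 run in counter mode replaces the real block cipher, since the Python standard library has no AES). All names (`issue_ticket`, `read_ticket`, `make_keys`, `tamper`) and the key values are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import time

# Constructed server-side secrets (assumption). Conceptually they play the roles
# of the ASP.NET machineKey validationKey (integrity) and decryptionKey (secrecy).
SERVER_KEYS = (os.urandom(32), os.urandom(32))

TAG_LEN = 32   # HMAC-SHA256 tag appended to every ticket
IV_LEN = 16    # random per-ticket IV, so equal payloads never give equal cookies


def make_keys():
    """Fresh random (validation_key, decryption_key) pair, e.g. for a different server."""
    return (os.urandom(32), os.urandom(32))


def _keystream(key, iv, length):
    # Stand-in for a block cipher: HMAC-SHA256 in counter mode used as a PRF.
    # Only the holder of `key` can reproduce the stream for a given IV.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def issue_ticket(login_name, user_id, role, issued_at=None, ttl_seconds=1200, keys=SERVER_KEYS):
    """Encrypt-then-MAC the delimited payload; returns the hex cookie value."""
    validation_key, decryption_key = keys
    expires = (int(time.time()) if issued_at is None else int(issued_at)) + ttl_seconds
    # Same shape as the poster's delimited string; fields must not contain '|'
    payload = "|".join([login_name, str(user_id), role, str(expires)]).encode()
    iv = os.urandom(IV_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(payload, _keystream(decryption_key, iv, len(payload))))
    body = iv + ciphertext
    tag = hmac.new(validation_key, body, hashlib.sha256).digest()
    return (body + tag).hex().upper()


def read_ticket(cookie_value, now=None, keys=SERVER_KEYS):
    """Verify the tag first, then decrypt; None for forged, tampered, malformed or expired tickets."""
    validation_key, decryption_key = keys
    try:
        raw = bytes.fromhex(cookie_value)
    except ValueError:
        return None
    if len(raw) < IV_LEN + TAG_LEN:
        return None
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(validation_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None   # not produced with our validation key: reject before decrypting
    iv, ciphertext = body[:IV_LEN], body[IV_LEN:]
    payload = bytes(c ^ k for c, k in zip(ciphertext, _keystream(decryption_key, iv, len(ciphertext))))
    try:
        login_name, user_id, role, expires = payload.decode().split("|")
    except (UnicodeDecodeError, ValueError):
        return None
    if (time.time() if now is None else now) > int(expires):
        return None
    return {"login": login_name, "user_id": int(user_id), "role": role}


def tamper(cookie_value, byte_index=IV_LEN):
    """Flip one bit of the ciphertext (constructed modification, to show the MAC catches it)."""
    raw = bytearray(bytes.fromhex(cookie_value))
    raw[byte_index] ^= 0x01
    return raw.hex().upper()


if __name__ == "__main__":
    t1 = issue_ticket("alice", 42, "Admin", issued_at=1000)
    t2 = issue_ticket("alice", 42, "Admin", issued_at=1000)
    print("same data, different cookies:", t1 != t2)
    print("valid:", read_ticket(t1, now=1500))
    print("bit flipped:", read_ticket(tamper(t1), now=1500))
    print("other server's keys:", read_ticket(issue_ticket("alice", 42, "Admin", issued_at=1000, keys=make_keys()), now=1500))
    print("expired:", read_ticket(t1, now=3000))
```

The point the model makes: knowing the payload format is not enough, because the HMAC tag can only be produced with the server's validation key and is checked before anything is decrypted, so a rebuilt or modified ticket is rejected; there is no public/private key pair involved, only symmetric secrets that never leave the server; and the random IV means two tickets for identical data never look alike on the wire. The expiry field inside the encrypted payload is what bounds the lifetime of a captured cookie.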