WebApp Sec mailing list archives
RE: Cookie not expiring...
From: "David Knapman" <davidk () cccs co uk>
Date: Wed, 17 Aug 2005 13:17:49 +0100
I could be wrong, but I would think that the Response.Redirect would not send the updated cookie along with it - I think cookies can only be set if you're returning a normal response (200) rather than a redirect(302?). Could you not, instead, place the code to expire the old authentication into the Page_Load of the login.aspx page?
David Knapman Analyst Programmer Consumer Credit Counselling Service Tel: 0113 2355339 -----Original Message-----
From: spawn security [mailto:spawn.security () gmail com] Sent: 16 August 2005 18:08 To: webappsec () securityfocus com Subject: Cookie not expiring... I'm testing an application and after clicking on the logout button the session management cookie does not expire. More specifically, the application is using the FormsAuthentication class signout method to "logout" an authenticated user. Private Sub cmdSignOut_ServerClick(ByVal sender As System.Object, ByVal e As System.EventArgs) _ Handles cmdSignOut.ServerClick FormsAuthentication.SignOut() Session.Abandon() Response.Redirect("login.aspx", True) End Sub According to Microsoft documentation, this FormsAuthentication.SignOut method works by returning a Set-Cookie header to the browser that sets the cookie's value to a null string and sets the cookie's expiration date to a date in the past. This is only expiring the cookie on the client/browser side. Which will allow a "malicious" user, who had access to the cookie, to reuse it after user logs out. Does anyone know how to force the cookie to expire on the server side ? Thanks.
VISIT OUR WEBSITE AT http://www.cccs.co.uk --------------------------------------------------------------------- This email message is intended for the individual to whom it’s addressed and may contain information that is privileged and confidential. If you are not the intended recipient, you are hereby notified that any use or dissemination of this communication is strictly prohibited. If you have received this information in error, please return it to us immediately and delete it from your computer. The contents or opinions expressed within this email are not intended to represent the views of CCCS unless specifically stated to be so. This email is not guaranteed to be free from any computer viruses, although it has been checked using the Trend Virus Suite. You should check this email and any attachments for the presence of viruses before downloading any files.
Current thread:
- Cookie not expiring... spawn security (Aug 16)
- Re: Cookie not expiring... bryan allott (Aug 17)
- RE: Cookie not expiring... Dan Simon (Aug 17)
- Re: Cookie not expiring... Rogan Dawes (Aug 17)
- Re: Cookie not expiring... Thomas Chiverton (Aug 17)
- <Possible follow-ups>
- RE: Cookie not expiring... Steven Rebello (Aug 17)
- RE: Cookie not expiring... David Knapman (Aug 17)
- Re: Cookie not expiring... dharmeshmm (Aug 17)
- RE: Cookie not expiring... Dan Simon (Aug 17)
- Windows 2003 Server Hardening Joe Osborn (Aug 18)
- Re: Windows 2003 Server Hardening jcarr083 (Aug 19)
- RE: Windows 2003 Server Hardening Sarbjit Singh Gill (Aug 19)
- RE: Windows 2003 Server Hardening Aleksander P. Czarnowski (Aug 19)
- RE: Cookie not expiring... Dan Simon (Aug 17)
- Re: Cookie not expiring... bryan allott (Aug 17)
