Jul 21, 2006 10:29 AM | cathal
Thanks for the post Scott, but I don't think I'm explaining my scenario very well. I'm not so worried about persistent cookies (in fact I prefer that I have control over the timeout now); my concern is that the in-memory authentication and persistent authentication storage timeout is the same, i.e.:

Previously in ASP.NET 1.1, if I set my forms authentication timeout to 15 minutes, when a user logged in they would be authenticated for that period and continue to be authenticated as long as they did not take more than that period between page refreshes. The in-memory authentication would also automatically be removed if I either closed the browser or navigated to another website (the browser would remove the in-memory auth cookie after the forms authentication timeout expired). If I decided to allow my users to select to use persistent cookies (i.e. via a "remember me" dialog), they got a 50-year-long cookie, which, whilst IMHO very insecure (giving hackers a much larger window for cookie replay attacks etc.), did function as my users required.

Now in ASP.NET 2.0, if I set my forms authentication timeout to 15 minutes, I still have the same behaviour for users who log on every time, but persistent cookies aren't really persistent. To achieve persistent cookies I need to increase the timeout to something much larger, e.g. 1440 to cover 1 day, but it seems to me that this then impacts users with in-memory authentication, i.e. if I browse to the site, I get a temporary cookie with a timeout of 24 hours. Now if I navigate away to another site (without closing the browser first), my auth cookie will live for a substantially larger amount of time, meaning that if someone can gain access to my cookie (e.g. via an XSS attack), or if I walk away from the browser and they use the back button, they have a much greater window of opportunity.

To me it seems that in trying to fix the security issue with a hardcoded timeout for persistent cookies in 1.1, by tying the values of transient and persistent cookies together in one parameter, Microsoft have accidentally weakened non-persistent authentication for websites that require the option to persist cookies. Obviously I can override the default behaviour by setting my own cookie expiration in code, but it does seem to me that this is a weakness in the available configuration settings.
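The workaround the post mentions, overriding the cookie expiration in code, as an added example that is not from the thread or from Microsoft's documentation. It builds the forms authentication ticket by hand so that a "remember me" login gets a long-lived persistent cookie while an ordinary login keeps a short server-enforced ticket lifetime, regardless of the single `timeout` value in `web.config`. It assumes an ASP.NET 2.0 Web Forms application and an already-validated user name; the `AuthCookieIssuer` class, its `Issue` method and the 15-minute / 1-day lifetimes are this example's own choices.

```csharp
// Added example (not from the original thread): issue the forms-auth cookie
// ourselves so the transient and persistent lifetimes are decoupled from the
// single <forms timeout="..."> setting in web.config.
// Assumed: ASP.NET 2.0 Web Forms, credentials already validated by the caller.
using System;
using System.Web;
using System.Web.Security;

public static class AuthCookieIssuer
{
    // Lifetimes chosen here for illustration; they are not read from web.config.
    static readonly TimeSpan TransientLifetime  = TimeSpan.FromMinutes(15);
    static readonly TimeSpan PersistentLifetime = TimeSpan.FromDays(1);

    // Call after the user's credentials have been validated, e.g.
    //   if (Membership.ValidateUser(user, pwd)) {
    //       AuthCookieIssuer.Issue(Response, user, chkRememberMe.Checked);
    //       Response.Redirect(FormsAuthentication.GetRedirectUrl(user, false));
    //   }
    public static void Issue(HttpResponse response, string userName, bool rememberMe)
    {
        DateTime issued  = DateTime.Now;
        DateTime expires = issued + (rememberMe ? PersistentLifetime : TransientLifetime);

        // The expiration embedded in the encrypted ticket is what the server
        // enforces: once it passes, a replayed cookie is rejected no matter
        // what the browser did with the cookie itself.
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1,                                   // ticket version
            userName,
            issued,
            expires,
            rememberMe,                          // IsPersistent
            String.Empty,                        // no extra user data
            FormsAuthentication.FormsCookiePath);

        HttpCookie cookie = new HttpCookie(
            FormsAuthentication.FormsCookieName,
            FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;                          // not readable by script (limits XSS cookie theft)
        cookie.Secure   = FormsAuthentication.RequireSSL; // honour <forms requireSSL="..."> from web.config
        cookie.Path     = FormsAuthentication.FormsCookiePath;

        // Only the "remember me" cookie gets a browser-side Expires. The
        // transient cookie stays a session cookie with no Expires, so the
        // browser drops it when it closes, and the 15-minute ticket inside it
        // bounds how long it is usable before that.
        if (rememberMe)
            cookie.Expires = expires;

        response.Cookies.Add(cookie);
    }
}
```

With `slidingExpiration` left on, `FormsAuthenticationModule` renews a ticket using the ticket's own issue-to-expiry span rather than the configured timeout, so a 15-minute transient ticket is renewed for another 15 minutes, not for the 1440 minutes a persistent-friendly `web.config` would specify; check this against the exact framework build in use before relying on it. The `HttpOnly` flag is the mitigation for the XSS cookie-theft case raised in the post, and the short transient ticket is what narrows the "walked away from the browser" window.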