Do ASP.NET forms authentication cookies provide any protection against replay attacks? Do they, for example, include the client's IP address or anything else that would distinguish the real client from an attacker?
Answer Posted / surendra singh
No. If an authentication cookie is stolen, it can be used by an attacker. It's up to you to prevent this from happening by using an encrypted communications channel (HTTPS). Authentication cookies issued as session cookies do, however, include a time-out value that limits their lifetime. So a stolen session cookie can only be used in replay attacks as long as the ticket inside the cookie is valid. The default time-out interval is 30 minutes. You can change that by modifying the timeout attribute accompanying the <forms> element in Machine.config or a local Web.config file. Persistent authentication cookies do not time out and therefore are a more serious security threat if stolen.
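The settings the answer refers to, shown as a Web.config fragment. This is an added example, not part of the posted answer; the `loginUrl` path and the 15-minute value are assumptions chosen for illustration.

```xml
<!-- Web.config (added example; loginUrl and timeout value are illustrative) -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!--
        timeout           ticket lifetime in minutes; the default is 30.
                          A shorter value narrows the window in which a
                          stolen cookie can be replayed.
        requireSSL        marks the cookie Secure, so the browser sends it
                          only over HTTPS. The default is false.
        slidingExpiration false makes the ticket expire a fixed time after
                          issue instead of being renewed by activity.
        protection        All = the ticket is both encrypted and validated.
                          This stops tampering, not replay of a stolen cookie.
      -->
      <forms loginUrl="~/Login.aspx"
             timeout="15"
             requireSSL="true"
             slidingExpiration="false"
             protection="All" />
    </authentication>

    <!-- httpOnlyCookies keeps client-side script from reading cookies;
         requireSSL here applies the Secure flag to the site's other cookies. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>
</configuration>
```

Whether the cookie is persistent is decided in code, not in this file: pass `false` for the `createPersistentCookie` argument of `FormsAuthentication.SetAuthCookie` or `FormsAuthentication.RedirectFromLoginPage` to issue a session cookie.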