logins. It would not be hard for MS to include the user id in the role cookie
any evidence that they do that. Before I converted to ASP.net 2.0 providers,
"Joe Kaplan" wrote:
> In a web app where cookies are used as a security mechanism, if those
> cookies are somehow stolen and can be reused by someone else, the thief can
> generally impersonate the user. That's one of the things that makes cross
> site scripting so dangerous.
>
> This danger is common to all web apps that use cookies and is not an issue
> specific to ASP.NET.
>
> The thing to think about is the different ways that someone might be able
> to steal someone else's cookies. It could be cross site scripting or it
> could be by snooping on the network traffic. You can fight both of those by
> coding your app to avoid XSS attacks and using SSL to prevent snooping on
> the wire.
>
> If you are worried about one user just giving another user their cookies,
> there isn't a lot you can do about that. They would probably just give the
> user their password instead as that is much easier.
>
> Joe K.
>
> --
> Joe Kaplan-MS MVP Directory Services Programming
> Co-author of "The .NET Developer's Guide to Directory Services Programming"
>
> http://www.directoryprogramming.net
> --
> "Jeffrey" <Jeffrey@discussions.microsoft.com> wrote in message
> news:C6A06DC6-988D-4A0C-8B91-904952592AD1@microsoft.com...
> > Thinking about my application, I am worried about an exploit that I am not
> > proficient enough to test. Can a user use a set of roles (fully encrypted
> > cookie) gained by logging in on one account and pass it to another session
> > with a different logon. That could make an "account administrator" of a
> > small account an "account administrator" of a large account for which she
> > may only be an "account user".
> >
> > If this is true, it is a major flaw in asp.net. I am going to attempt to
> > block this exploit by storing the user id with a prefix as if it is a role
> > and verify that it is there. This is rather kludgy.
>
>
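One way to get the binding Jeffrey is after without the role-prefix kludge: tie the cached role ticket to the login it was issued for and reject it under any other identity. This is an added example in C#, not code from the thread or from ASP.NET's own role manager; it assumes a placeholder server secret and a caller that passes in the username from the authentication ticket.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
// Role-cache ticket bound to the login it was issued for. Layout before the MAC:
// "<username>|<expiryUtcTicks>|<role1,role2,...>". Assumes names contain no '|' or ','.
public static class BoundRoleTicket
{
    // Placeholder secret; a real app derives this from a protected machineKey.
    static readonly byte[] Key = Encoding.UTF8.GetBytes("PLACEHOLDER-replace-with-server-secret");

    // Mint a ticket for exactly this user; the name is part of the MAC'd payload.
    public static string Issue(string user, string[] roles, DateTime expiresUtc)
    {
        string payload = user + "|" + expiresUtc.Ticks + "|" + string.Join(",", roles);
        return payload + "|" + Convert.ToBase64String(Mac(payload));
    }

    // Returns the roles only if the ticket is intact, unexpired and was issued to
    // currentUser (the name from the auth ticket); null means reload from the provider.
    public static string[] Validate(string ticket, string currentUser, DateTime nowUtc)
    {
        int sep = ticket.LastIndexOf('|');
        if (sep < 0) return null;
        string payload = ticket.Substring(0, sep);
        byte[] given;
        try { given = Convert.FromBase64String(ticket.Substring(sep + 1)); }
        catch (FormatException) { return null; }
        if (!FixedTimeEquals(Mac(payload), given)) return null;      // forged or edited
        string[] parts = payload.Split('|');
        if (parts.Length != 3) return null;
        // The binding check: a ticket minted under another login is rejected here.
        if (!string.Equals(parts[0], currentUser, StringComparison.OrdinalIgnoreCase)) return null;
        if (new DateTime(long.Parse(parts[1]), DateTimeKind.Utc) <= nowUtc) return null;
        return parts[2].Length == 0 ? new string[0] : parts[2].Split(',');
    }

    static byte[] Mac(string payload)
    {
        using (HMACSHA256 h = new HMACSHA256(Key))
            return h.ComputeHash(Encoding.UTF8.GetBytes(payload));
    }
    static bool FixedTimeEquals(byte[] a, byte[] b)   // constant-time MAC comparison
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

A ticket issued to "alice" and presented while "bob" is authenticated makes Validate() return null, so the caller repopulates roles from the provider for bob rather than trusting the carried-over cookie.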