RE: Cookie not expiring...

["Steven Rebello" <stevenr () mastek com>]

Hi
 
There is no "cookie" on the server side per se. The cookie is a small text file on the browser machine that contains a 
session id value which maps to a .NET session object on the server side. 
 
The clean way of implementing a logout is to remove/expire the cookie from the browser and also invalidate the session 
object on the server side. In such a case, even if a malicious user does manage to get a cookie with a session id 
before its overwritten, the corresponding session object on the server side would have already been destroyed. Also, it 
wont hurt to have a strict but realistic session timeout value, after which the server will automatically destroy the 
idle session. 
 
I'm not too familiar with .NET but the corresponding equivalent of session invalidation in J2EE is session.invalidate()
 
HTH
 
Steven Rebello

        -----Original Message----- 
        From: spawn security [mailto:spawn.security () gmail com] 
        Sent: Tue 16/08/2005 6:08 PM 
        To: webappsec () securityfocus com 
        Cc: 
        Subject: Cookie not expiring...
        
        

          I'm testing an application and after clicking on the logout button
        the session management cookie does not expire. More specifically, the
        application is using the FormsAuthentication class signout method to
        "logout" an authenticated user.
        
        Private Sub cmdSignOut_ServerClick(ByVal sender As System.Object,
        ByVal e As System.EventArgs) _
        Handles cmdSignOut.ServerClick
        FormsAuthentication.SignOut()
              Session.Abandon()
              Response.Redirect("login.aspx", True)
        End Sub
        
         According to Microsoft documentation, this
        FormsAuthentication.SignOut method works by returning a Set-Cookie
        header to the browser that sets the cookie's value to a null string
        and sets the cookie's expiration date to a date in the past.  This is
        only expiring the cookie on the client/browser side. Which will allow
        a "malicious" user, who had access to the cookie, to reuse it after
        user logs out.
        
          Does anyone know how to force the cookie to expire on the server side ?
        
        Thanks.
        
        



MASTEK
"Making a valuable difference"
Mastek in NASSCOM's 'India Top 20' Software Service Exporters List.
In the US, we're called MAJESCO

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Opinions expressed in this e-mail are those of the individual and not that of Mastek Limited, unless specifically 
indicated to that effect. Mastek Limited does not accept any responsibility or liability for it. This e-mail and 
attachments (if any) transmitted with it are confidential and/or privileged and solely for the use of the intended 
person or entity to which it is addressed. Any review, re-transmission, dissemination or other use of or taking of any 
action in reliance upon this information by persons or entities other than the intended recipient is prohibited. This 
e-mail and its attachments have been scanned for the presence of computer viruses. It is the responsibility of the 
recipient to run the virus check on e-mails and attachments before opening them. If you have received this e-mail in 
error, kindly delete this e-mail from all computers.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~