Authentication

 <forms loginUrl="Restricted\login.aspx"  Login page in an SSL protected folder          protection="All"                  Privacy and integrity          requireSSL="true"                 Prevents cookie being sent over http          timeout="10"                      Limited session lifetime          name="AppNameCookie"              Unique per-application name          path="/FormsAuth"                    and path          slidingExpiration="true" >        Sliding session lifetime   </forms> 

 <system.web>   <!-- The virtual directory root folder contains general pages.        Unauthenticated users can view them and they do not need         to be secured with SSL. -->   <authorization>     <allow users="*" />   </authorization> </system.web> 

 <!-- The restricted folder is for authenticated and SSL access only. --> <location path="Secure" >   <system.web>     <authorization>       <deny users="?" />     </authorization>   </system.web> </location> 

Restrict the Authentication Cookie-to-HTTPS Connections

Cookies support a "secure" property that determines whether or not browsers should send the cookie back to the server. With the secure property set, the cookie is sent by the browser only to a secure page that is requested using an HTTPS URL.

If you are using .NET Framework version 1.1, set the secure property by using requireSSL="true" on the <forms> element as follows :

 <forms loginUrl="Secure\Login.aspx"        requireSSL="true" . . . /> 

If you are using .NET Framework version 1.0, set the secure property manually in the Application_EndRequest event handler in Global.asax using the following code:

 protected void Application_EndRequest(Object sender, EventArgs e)  {   string authCookie = FormsAuthentication.FormsCookieName;       foreach (string sCookie in Response.Cookies)    {     if (sCookie.Equals(authCookie))     {        // Set the cookie to be secure. Browsers will send the cookie       // only to pages requested with https       Response.Cookies[sCookie].Secure = true;     }   } } 

Encrypt the Cookie

Encrypt the cookie contents even if you are using SSL. This prevents an attacker from viewing or modifying the cookie if he or she manages to steal it through a XSS exploit. In this event, the attacker can still use the cookie to gain access to your application. The best way to mitigate this risk is to implement the appropriate countermeasures to prevent XSS attacks (described under "Cross-Site Scripting" earlier in this chapter), and limit the cookie lifetime as described in the next recommendation.

To provide privacy and integrity for the cookie, set the protection attribute on the <forms> element as follows:

 <forms protection="All"    Privacy and integrity 

Limit Cookie Lifetime

Limit the cookie lifetime to reduce the time window in which an attacker can use a captured cookie to gain spoofed access to your application.

 <forms timeout="10"                Reduced cookie lifetime (10 minutes) 

Consider Using a Fixed Expiration Period

Consider setting slidingExpiration="false" on the <forms> element to fix the cookie expiration, rather than resetting the expiration period after each Web request. This is particularly important if you are not using SSL to protect the cookie.

Do not Persist Authentication Cookies

Do not persist authentication cookies because they are stored in the user's profile and can be stolen if an attacker gets physical access to the user's computer. You can specify a non-persistent cookie when you create the FormsAuthenticationTicket as follows:

 FormsAuthenticationTicket ticket =                 new FormsAuthenticationTicket(                         1,                           // version                         Context.User.Identity.Name,  // user name                         DateTime.Now,                // issue time                         DateTime.Now.AddMinutes(15), // expires every 15 mins  false,                       // do not persist the cookie  roleStr );                   // user roles 

Keep Authentication and Personalization Cookies Separate

Keep personalization cookies that contain user-specific preferences and non-sensitive data separate from authentication cookies. A stolen personalization cookie might not represent a security threat, whereas an attacker can use a stolen authentication cookie to gain access to your application.

Use Distinct Cookie Names and Paths

Use unique name and path attribute values on the <forms> element. By ensuring unique names, you prevent possible problems that can occur when hosting multiple applications on the same server. For example, if you don't use distinct names, it is possible for a user who is authenticated in one application to make a request to another application without being redirected to that application's logon page.

For more information, see Microsoft Knowledge Base articles 313116, "PRB: Forms Authentication Requests Are Not Directed to loginUrl Page," and 310415, "PRB: Mobile Forms Authentication and Different Web Applications."

 private void btnLogon_Click( object sender, System.EventArgs e ) {   // Form an absolute path using the server name and v-dir name   string serverName =           HttpUtility.UrlEncode(Request.ServerVariables["SERVER_NAME"]);   string vdirName = Request.ApplicationPath;   Response.Redirect("https://" + serverName + vdirName +                      "/Restricted/Login.aspx"); } 

Use One-Way Hashes for Passwords

If your user store is SQL Server, store one-way password digests (hash values) with an added random salt value. The added salt value mitigates the risk of brute force password cracking attempts, for example, dictionary attacks. The digest approach means you never actually store passwords. Instead, you retrieve the password from the user and validate it by recalculating the digest and comparing it with the stored value.

Use Strong Passwords

Use regular expressions to ensure that user passwords conform to strong password guidelines. The following regular expression can be used to ensure that passwords are between 8 and 10 characters in length and contain a mixture of uppercase, lowercase, numeric, and special characters . This further mitigates the dictionary attack risk.

 private bool IsStrongPassword( string password ) { return Regex.IsMatch(password, @"^(?=.*\d)(?=.*[a-z])(?=.*[A-Z]).{8,10}$"); } 

Prevent SQL Injection

Forms authentication is especially prone to vulnerabilities that lead to SQL injection attacks because of the way that the user-supplied logon credentials are used to query the database. To mitigate the risk:

• Thoroughly validate the supplied credentials. Use regular expressions to make sure they do not include SQL characters.

• Use parameterized stored procedures to access the user store database.

• Use a login to the database that is restricted and least privileged.

For more information about preventing SQL injection, see Chapter 14, "Building Secure Data Access."