Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Cookie not expiring...

from [David Knapman] Network Security [Permanent Link]
Subject: RE: Cookie not expiring...
Date: Wed, 17 Aug 2005 13:17:49 +0100 
I could be wrong, but I would think that the Response.Redirect would not send 
the updated cookie along with it - I think cookies can only be set if you're 
returning a normal response (200) rather than a redirect(302?). Could you not, 
instead, place the code to expire the old authentication into the Page_Load of 
the login.aspx page?




 
David Knapman
Analyst Programmer
Consumer Credit Counselling Service
Tel: 0113 2355339
 
-----Original Message-----
 


From: spawn security [mailto:spawn.security@gmail.com]
Sent: 16 August 2005 18:08
To: webappsec@securityfocus.com
Subject: Cookie not expiring...


  I'm testing an application and after clicking on the logout button
the session management cookie does not expire. More specifically, the
application is using the FormsAuthentication class signout method to
"logout" an authenticated user.

Private Sub cmdSignOut_ServerClick(ByVal sender As System.Object,
ByVal e As System.EventArgs) _
Handles cmdSignOut.ServerClick
FormsAuthentication.SignOut()
      Session.Abandon()
      Response.Redirect("login.aspx", True)
End Sub

 According to Microsoft documentation, this
FormsAuthentication.SignOut method works by returning a Set-Cookie
header to the browser that sets the cookie's value to a null string
and sets the cookie's expiration date to a date in the past.  This is
only expiring the cookie on the client/browser side. Which will allow
a "malicious" user, who had access to the cookie, to reuse it after
user logs out.

  Does anyone know how to force the cookie to expire on the 
server side ?

Thanks.


VISIT OUR WEBSITE AT http://www.cccs.co.uk
---------------------------------------------------------------------
This email message is intended for the individual to whom itâs addressed 
and may contain information that is privileged and confidential. If you are 
not the intended recipient, you are hereby notified that any use or 
dissemination 
of this communication is strictly prohibited. If you have received this 
information 
in error, please return it to us immediately and delete it from your computer. 

The contents or opinions expressed within this email are not intended to 
represent the views of CCCS unless specifically stated to be so.

This email is not guaranteed to be free from any computer viruses, although 
it has been checked using the Trend Virus Suite. You should check this email 
and any attachments for the presence of viruses before downloading any files.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: RE: MD5 Password encoding (was: Defeating Citi-Bank Virtual Keyboard Protection), mike
Next by Date:  Re: Cookie not expiring..., dharmeshmm
Previous by Thread:  RE: Cookie not expiring..., Steven Rebello
Next by Thread:  Re: Cookie not expiring..., dharmeshmm
Indexes:  [Date] [Thread] [Top] [All Lists]