When persisting the SimpleMembership login cookie, any Internet application is authenticated

  • Question

  • User1574164112 posted

    Using VS2010 I created an MVC4 web application that uses SimpleMembership for forms authentication. On the login form is a Remember Me check box which, when ticked, persists the authentication cookie (standard AccountController code from the Internet Application project template).

    So at this stage I have remembered my authentication when logging in to this first application.

    Now I have created a second application in VS2010, again an Internet application template with SimpleMembership. When I run this second application I am authenticated straight away, from the log in credentials entered in the first application. In my view Request.IsAuthenticated = true and User.Identity.Name is the username from the other app.

    This seems really insecure.  Does this have anything to do with:

    • The fact that I am using the dev web server that comes with VS2010.
    • Using IE and the session being shared.
    • Or is it just a major security hole?
    Monday, June 23, 2014 9:20 AM

Answers

  • User1574164112 posted

    For anyone finding this question: the issue seems to be resolved by adding a domain attribute to the forms element in the config file.

    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login" timeout="2880" enableCrossAppRedirects="false" domain=".mydomain.com" />
    </authentication>

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Wednesday, July 2, 2014 6:31 AM

All replies

  • User-760709272 posted

    It's cookie based so if the two sites are on the same domain they'll share each other's cookies.

    Monday, June 23, 2014 9:41 AM
  • User1574164112 posted

    So does having 2 sites on localhost with different port numbers

    http://localhost:49220/

    http://localhost:49066/

    constitute the same domain?

    Are there any additional config settings I can put in place (cookie names etc) to make the authentication more unique?


    Monday, June 23, 2014 9:49 AM
  • User-760709272 posted

    The port is part of the "domain" so it should have two different cookies for each of those sites.  It might be worth looking at the cookie tools of the browser to get a better idea of what is going on.

    Monday, June 23, 2014 10:04 AM
  • User1574164112 posted

    I was sure the port would make the domain unique, but because of what is happening I started to doubt what I knew.

    Now, according to the Chrome Dev tools (Resources menu, Cookies (right menu)) the domain is localhost. No mention of the port, which to me still leaves some doubt.

    I will have to set up the 2 sites in IIS (like they will be for production) and see if I get the same result.

    Monday, June 23, 2014 10:52 AM
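Editor's added example (not code from this thread or from ASP.NET) covering the three points discussed above: that the cookie is host-scoped, that the port does not separate the two sites, and what the domain attribute in the accepted answer does when tested on localhost. It drives Python's standard-library http.cookiejar, whose default policy applies RFC 6265-style scoping (cookies match on host and path; a port is never part of the match; a Domain attribute that does not cover the request host causes the whole cookie to be dropped), with the two localhost URLs from the thread and with constructed Set-Cookie headers. The default ASP.NET cookie name .ASPXAUTH is real; the names AppA_Auth and AppB_Auth, the keys, the usernames and the "username|HMAC" ticket format are invented stand-ins for a forms-authentication ticket protected by a machineKey.

```python
"""Cookie scoping behind the cross-application login in this thread.

Added example, not code from the original thread. Python's CookieJar stands
in for the browser; the ticket format, keys, usernames and the cookie names
other than .ASPXAUTH are constructed for the demonstration.
"""
import email.message
import hashlib
import hmac
import http.cookiejar
import urllib.request

APP_A = "http://localhost:49220/"   # first MVC4 project (URL from the thread)
APP_B = "http://localhost:49066/"   # second MVC4 project (URL from the thread)


class _FakeResponse:
    """Just enough of an HTTP response for CookieJar.extract_cookies()."""

    def __init__(self, set_cookie_headers):
        self._msg = email.message.Message()
        for header in set_cookie_headers:
            self._msg["Set-Cookie"] = header

    def info(self):
        return self._msg


def store(jar, url, *set_cookie_headers):
    """Offer Set-Cookie headers to the jar as if `url` had returned them."""
    jar.extract_cookies(_FakeResponse(set_cookie_headers), urllib.request.Request(url))


def cookies_sent_to(jar, url):
    """Sorted names of the cookies the jar would attach to a request for `url`."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    header = req.get_header("Cookie", "")
    return sorted(part.split("=", 1)[0] for part in header.split("; ") if part)


def cookie_value(jar, url, name):
    """Value of cookie `name` as the application at `url` would receive it, or None."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    for part in req.get_header("Cookie", "").split("; "):
        if part.startswith(name + "="):
            return part.split("=", 1)[1]
    return None


def issue_ticket(username, key):
    """Toy ticket: username plus an HMAC under `key` (invented format; real
    ASP.NET tickets are encrypted and MAC'd using the app's machineKey)."""
    mac = hmac.new(key, username.encode(), hashlib.sha256).hexdigest()
    return f"{username}|{mac}"


def validate_ticket(ticket, key):
    """Return the username if the ticket's MAC verifies under `key`, else None."""
    if ticket is None or "|" not in ticket:
        return None
    username, mac = ticket.rsplit("|", 1)
    expected = hmac.new(key, username.encode(), hashlib.sha256).hexdigest()
    return username if hmac.compare_digest(mac, expected) else None


def default_template():
    """Both apps use the default cookie name and (assumed here) the same key.
    App A logs alice in; app B then receives the same host-scoped cookie,
    validates it, and reports alice as authenticated."""
    jar = http.cookiejar.CookieJar()
    shared_key = b"same-machineKey-on-both-apps"   # constructed
    store(jar, APP_A, ".ASPXAUTH=" + issue_ticket("alice", shared_key) + "; path=/; HttpOnly")
    return validate_ticket(cookie_value(jar, APP_B, ".ASPXAUTH"), shared_key)


def domain_attribute_on_localhost():
    """The accepted answer's domain=".mydomain.com", exercised on localhost:
    the host does not match the Domain attribute, so the cookie is dropped
    for app A as well as app B, i.e. nobody stays logged in at all."""
    jar = http.cookiejar.CookieJar()
    store(jar, APP_A, ".ASPXAUTH=" + issue_ticket("alice", b"k") + "; path=/; domain=.mydomain.com")
    return cookies_sent_to(jar, APP_A), cookies_sent_to(jar, APP_B)


def isolated_apps():
    """Distinct cookie name and distinct key per application. The browser
    still sends both cookies to both apps (same host), but each app reads
    only its own name and cannot validate the other app's ticket."""
    jar = http.cookiejar.CookieJar()
    key_a, key_b = b"machineKey-for-app-A", b"machineKey-for-app-B"   # constructed
    store(jar, APP_A, "AppA_Auth=" + issue_ticket("alice", key_a) + "; path=/; HttpOnly")
    store(jar, APP_B, "AppB_Auth=" + issue_ticket("bob", key_b) + "; path=/; HttpOnly")
    names_at_b = cookies_sent_to(jar, APP_B)
    own_user = validate_ticket(cookie_value(jar, APP_B, "AppB_Auth"), key_b)
    foreign = validate_ticket(cookie_value(jar, APP_B, "AppA_Auth"), key_b)
    return names_at_b, own_user, foreign
```

The mapping back to web.config: the cookie name is the name attribute of the forms element (for example name="AppA_Auth" in one project and name="AppB_Auth" in the other), and the key is an explicit machineKey element with its own validationKey and decryptionKey values in each project rather than auto-generated ones. Distinct names stop one app from even looking at the other's cookie; distinct keys mean a cookie that does arrive cannot be validated. Neither depends on the port, which the browser ignores for cookie purposes, so the localhost:49220 and localhost:49066 setup behaves exactly like two sites on one production host name.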