Possible disadvantages of using cookieless forms authentication ticket in Asp.Net
30-05-2021
Question
If I use

    <authentication mode="Forms">
      <forms
        cookieless="UseUri"
        slidingExpiration="true"
        timeout="60"
      />
    </authentication>

Once you have made this change, when visiting as an anonymous user the URLs will look exactly as they did before. For example, when visiting the Default.aspx page my browser's address bar shows the following URL:
http://localhost:2448/default.aspx
However, upon logging in, the forms authentication ticket is embedded into the URL. For example, after visiting the login page and logging in as Sam, I am returned to the Default.aspx page, but the URL this time is:
http://localhost:2448/(F(jaIOIDTJxIr12xYS-VVgkqKCVAuIoW30Bu0diWi6flQC-FyMaLXJfow_Vd9GZkB2Cv-rfezq0gKadKX0YPZCkA2))/default.aspx
Note: cookieless authentication tickets are more prone to replay attacks since the authentication ticket is embedded directly in the URL. Imagine a user who visits a website, logs in, and then pastes the URL in an email to a colleague. If the colleague clicks on that link before the expiry is reached, they will be logged in as the user who sent the email!
This is one possible drawback if I use cookieless authentication; I am interested in knowing other possible drawbacks of this approach.
Thanks
Solution
Disadvantages:
- Limited amount of data that can be stored in the URL (especially on mobile and the Windows 2003 platform).
- Cookie replay attack (which you already mentioned) - can be avoided using SSL, and limited using the timeout.
- Your URL looks long and not "neat".
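To make the answer's mitigations concrete, here is the question's weak configuration placed beside a hardened equivalent. This is an added example written for this page; it is not code from the asker or the answerer. The two fragments are alternatives (only one `<forms>` element belongs in a given web.config), and the `loginUrl` value and the 20-minute timeout are assumed values chosen for illustration.

```xml
<!-- Added example, not from the original post.
     Weak setting (as in the question): the forms ticket is carried in the URL
     path as /(F(...))/, so it leaks through copied links, Referer headers,
     browser history and web server logs, and can be replayed until it expires. -->
<system.web>
  <authentication mode="Forms">
    <forms cookieless="UseUri"
           slidingExpiration="true"
           timeout="60" />
  </authentication>
</system.web>

<!-- Hardened setting: keep the ticket in a cookie, only ever send it over HTTPS,
     keep it out of reach of client-side script, and shorten the window during
     which a captured ticket stays valid. loginUrl and timeout="20" are assumed. -->
<system.web>
  <authentication mode="Forms">
    <forms cookieless="UseCookies"
           requireSSL="true"
           slidingExpiration="true"
           timeout="20"
           loginUrl="~/Login.aspx" />
  </authentication>
  <!-- Apply the same two properties to every cookie the application issues. -->
  <httpCookies httpOnlyCookies="true" requireSSL="true" />
</system.web>
```

After switching to `UseCookies`, the `(F(...))` segment no longer appears in any URL, so a quick check that the change took effect is to log in and confirm the address bar shows the plain path again. It is also worth searching existing access logs and any outbound link-sharing channels for paths containing `(F(`, since tickets already embedded in URLs before the change remain valid until their own timeout elapses.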