R – Authentication ticket ( Forms authentication )

asp.net, encryption, .net

Q1 – Forms authentication module encrypts its authentication information ( ticket ) before placing it in a cookie.

Now, the little I know of encryption algorithms is that they usually use some randomly generated value to encrypt and decrypt a piece of data. Thus if the same algorithm uses value A to encrypt some data, then it will also need the same value in order to be able to decrypt this data.

A) Since several users could be logged on ( via Forms authentication module ) to a particular web application, will authentication information for each of these users be encrypted with the same randomly generated value?

  • If yes, then doesn’t that represent a security risk?

  • If no, then when, upon the next request, Asp.Net receives the authentication cookie ( which contains the ticket ) from the user, how will it know which randomly generated value it used to encrypt the ticket ( I’m assuming it needs this same value to decrypt the ticket )?

Q2
The authentication ticket contains several pieces of information about the authenticated user, but which piece of these data actually tells Asp.Net ( when the user again requests a page ) that it is dealing with an already authenticated user?

thanx

Best Answer

Q1: Forms authentication uses machineKey to encrypt the cookie. Since its value is constant in machine.config, ASP.NET is able to decrypt cookies encrypted with the same key.

The cookies are encrypted with the same key but this key is known only to the server, which means that the user cannot tamper with the data of the cookie and thus cannot impersonate another user, so it is not a security risk to use the same private key to encrypt cookies.

Q2: The ticket contains the following information: the username and a date which is used to determine if it is valid (if sliding expiration is set, ASP.NET could rewrite the cookie as it checks its validity on every request). If the cookie is sent by the client and when it gets decrypted it is still valid, ASP.NET assumes that the client is authenticated.
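The answer above describes the mechanism in words: one server-only key protects every ticket, the ticket carries the username and an expiry, a client that edits the cookie cannot produce a valid ticket, and with sliding expiration the server reissues the cookie while validating it. The following Python is an added illustration of that mechanism and is not ASP.NET's code nor its actual cookie format; it uses an HMAC tag (the integrity half of what machineKey provides) rather than encryption, because integrity is what stops impersonation. `SERVER_KEY`, the ticket field names, the `issue_ticket`/`validate_ticket` functions and the "renew when less than half the lifetime remains" rule are all assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Stand-in for the ASP.NET machineKey: known only to the server, never sent to
# the client. Constructed sample value; a real deployment uses a random key.
SERVER_KEY = b"constructed-sample-key-do-not-reuse"


def _sign(body: bytes, key: bytes) -> str:
    """Compute the tag that only a holder of the server key can produce."""
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def issue_ticket(username: str, ttl_seconds: float, now=None, key=SERVER_KEY) -> str:
    """Build a cookie value: base64(ticket JSON) '.' tag over the JSON."""
    now = time.time() if now is None else now
    ticket = {
        "name": username,            # who the ticket is for
        "issued": now,
        "expires": now + ttl_seconds,  # absolute expiry checked on every request
        "ttl": ttl_seconds,          # kept so sliding renewal can reuse the lifetime
    }
    body = json.dumps(ticket, separators=(",", ":"), sort_keys=True).encode()
    return base64.urlsafe_b64encode(body).decode() + "." + _sign(body, key)


def validate_ticket(cookie: str, now=None, key=SERVER_KEY, sliding=True):
    """Return (ticket, renewed_cookie_or_None), or (None, None) if the cookie
    is malformed, was not produced with our key, or has expired."""
    now = time.time() if now is None else now
    try:
        body_b64, tag = cookie.split(".", 1)
        body = base64.urlsafe_b64decode(body_b64)
    except ValueError:            # wrong shape or bad base64 (binascii.Error subclasses ValueError)
        return None, None
    # Constant-time comparison: a tag mismatch means the client changed the body
    # (or the cookie was minted under a different key), so nothing in it is trusted.
    if not hmac.compare_digest(_sign(body, key), tag):
        return None, None
    ticket = json.loads(body)
    if now >= ticket["expires"]:
        return None, None
    renewed = None
    # Sliding expiration: reissue the cookie when less than half the lifetime is left
    # (assumed renewal rule for this example).
    if sliding and ticket["expires"] - now < ticket["ttl"] / 2:
        renewed = issue_ticket(ticket["name"], ticket["ttl"], now=now, key=key)
    return ticket, renewed


def edit_username(cookie: str, new_name: str) -> str:
    """Simulate a client rewriting the username field while keeping the old tag,
    to show that validation rejects it."""
    body_b64, tag = cookie.split(".", 1)
    ticket = json.loads(base64.urlsafe_b64decode(body_b64))
    ticket["name"] = new_name
    body = json.dumps(ticket, separators=(",", ":"), sort_keys=True).encode()
    return base64.urlsafe_b64encode(body).decode() + "." + tag


if __name__ == "__main__":
    cookie = issue_ticket("alice", ttl_seconds=600, now=1000.0)
    print("fresh:", validate_ticket(cookie, now=1100.0)[0])
    print("renewed:", validate_ticket(cookie, now=1400.0)[1] is not None)
    print("expired:", validate_ticket(cookie, now=1700.0))
    print("edited:", validate_ticket(edit_username(cookie, "bob"), now=1100.0))
```

Every user's cookie is signed with the same key, exactly as the answer says, and that is fine: the key never leaves the server, so a ticket naming another user can only come from the server itself. The "are we already authenticated" decision is just "tag verifies and the expiry is still in the future", which is the Q2 part of the answer.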
