microsoft.public.dotnet.framework.aspnet.security

Security Exploit (FormsAuthentication.SignOut()) Does not Work

Ali

1/28/2004 8:39:00 PM

Our security people have been able to copy and use the FormsAuthentication
cookie. Our Authentication cookie is based on an encrypted ticket and we use
FormsAuthentication.SignOut() when users log out or kill their session, but
apparently the secure ticket does not get removed from the server by
FormsAuthentication.SignOut().

We have been able to time-out the ticket on the server, but we need to be
able to remove the ticket at any time.

This is our logout procedure:

FormsAuthentication.SignOut()
Session.Abandon()
Response.Redirect("Autheticate.aspx")

Thanks

Ali


Answers

Keith

2/1/2004 5:37:00 AM

Don't persist the ticket and your problem will be
solved. Dig through your code and look for the line
similar to:

Dim authTicket As FormsAuthenticationTicket = New FormsAuthenticationTicket(1, _
    "Some user", DateTime.Now, DateTime.Now.AddMinutes(20), _
    False, "")

Notice the false in the 4th parameter. That false means
to not store the ticket in a cookie on the user's machine.

Good luck.

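Added example, not part of the original thread and not ASP.NET's own code: FormsAuthentication.SignOut() only expires the cookie in the browser, and the ticket is self-contained, so a copied cookie keeps validating until the ticket's expiration unless the server keeps revocation state of its own. The module below stores a per-login ID in the ticket's UserData and records it server-side at logout. TicketRevocation, its members and the 20-minute lifetime are assumptions made for illustration.

```vbnet
' Added example; TicketRevocation and its members are hypothetical names.
Imports System
Imports System.Web
Imports System.Web.Caching
Imports System.Web.Security

Public Module TicketRevocation
    Private Const Prefix As String = "revoked-ticket:"
    Private Const TicketMinutes As Integer = 20   ' assumed ticket lifetime

    ' Login: the ticket's UserData carries a unique per-login ID. The ID sits
    ' inside the encrypted, MAC-protected ticket, so it only has to be unique.
    Public Sub IssueTicket(ByVal response As HttpResponse, ByVal userName As String)
        Dim ticket As New FormsAuthenticationTicket(1, userName, DateTime.Now, _
            DateTime.Now.AddMinutes(TicketMinutes), False, Guid.NewGuid().ToString("N"))
        Dim cookie As New HttpCookie(FormsAuthentication.FormsCookieName, _
            FormsAuthentication.Encrypt(ticket))
        cookie.Path = FormsAuthentication.FormsCookiePath
        response.Cookies.Add(cookie)
    End Sub

    ' Logout: call before FormsAuthentication.SignOut(). The entry outlives any
    ' copy of the ticket, including copies renewed by sliding expiration.
    Public Sub Revoke(ByVal request As HttpRequest)
        Dim ticket As FormsAuthenticationTicket = ReadTicket(request)
        If ticket Is Nothing OrElse ticket.UserData = "" Then Return
        HttpRuntime.Cache.Insert(Prefix & ticket.UserData, True, Nothing, _
            DateTime.Now.AddMinutes(TicketMinutes), Cache.NoSlidingExpiration)
    End Sub

    ' Every request (Application_AuthenticateRequest): True means "reject".
    ' A ticket without an ID was not issued by IssueTicket, so fail closed.
    Public Function IsRevoked(ByVal request As HttpRequest) As Boolean
        Dim ticket As FormsAuthenticationTicket = ReadTicket(request)
        If ticket Is Nothing Then Return False   ' anonymous request
        If ticket.UserData = "" Then Return True
        Return Not (HttpRuntime.Cache(Prefix & ticket.UserData) Is Nothing)
    End Function

    Private Function ReadTicket(ByVal request As HttpRequest) As FormsAuthenticationTicket
        Dim cookie As HttpCookie = request.Cookies(FormsAuthentication.FormsCookieName)
        If cookie Is Nothing OrElse cookie.Value = "" Then Return Nothing
        Try
            Return FormsAuthentication.Decrypt(cookie.Value)
        Catch ex As Exception   ' tampered or undecryptable cookie
            Return Nothing
        End Try
    End Function
End Module
```

Call IsRevoked(Request) from Application_AuthenticateRequest in Global.asax and redirect to the login page when it returns True. HttpRuntime.Cache is per-process memory, so entries are lost on an application restart and are not shared across a web farm, where a shared store is needed instead.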
