Do ASP.NET forms authentication cookies provide any protection against replay attacks? Do they, for example, include the client's IP address or anything else that would distinguish the real client from an attacker?

Answer Posted / surendra singh

No. If an authentication cookie is stolen, it can be used by an attacker. It's up to you to prevent this from happening by using an encrypted communications channel (HTTPS). Authentication cookies issued as session cookies do, however, include a time-out value that limits their lifetime. So a stolen session cookie can only be used in replay attacks as long as the ticket inside the cookie is valid. The default time-out interval is 30 minutes. You can change that by modifying the timeout attribute accompanying the <forms> element in Machine.config or a local Web.config file. Persistent authentication cookies do not time out and therefore are a more serious security threat if stolen.
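
The settings the answer refers to, as an added Web.config example that is not part of the original answer: a minimal forms-authentication entry beside a version that narrows the replay window. The login URL and the 15-minute value are assumptions chosen for illustration.

```xml
<!-- Added example; loginUrl and timeout values are illustrative assumptions. -->
<configuration>
  <system.web>

    <!-- Minimal entry, shown for comparison only (commented out):
         the cookie is not restricted to HTTPS, so the ticket can be
         captured on any plain-HTTP request to the site.
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" timeout="30" />
    </authentication>
    -->

    <!-- Hardened entry.
         requireSSL="true"         cookie is marked Secure and is only sent over HTTPS
         timeout="15"              ticket lifetime in minutes; shorter means a shorter replay window
         slidingExpiration="false" lifetime is absolute from issue, so using a stolen
                                   ticket does not keep renewing it
         cookieless="UseCookies"   ticket is never placed in the URL, where it would
                                   leak through logs and Referer headers
         protection="All"          ticket is both encrypted and integrity-checked -->
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx"
             timeout="15"
             requireSSL="true"
             slidingExpiration="false"
             cookieless="UseCookies"
             protection="All" />
    </authentication>

    <!-- Applies HttpOnly and Secure to cookies issued by the application,
         which keeps them out of reach of page script and plain HTTP. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />

  </system.web>
</configuration>
```

None of these settings binds the ticket to a particular client; they only limit where the cookie travels and how long a captured copy stays valid.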
