Securing Forms Authentication
In ASP.net, forms authentication uses an authentication ticket to authenticate the users. This ticket is created when a user logs on to a site. Normally the ticket is stored inside a cookie. However, you still can pass the ticket in a query string for the cookiless browsers.
This authentication ticket will be used for the user in submitting subsequent requests to the web server that, which in the same session. So, implement security mechanism to protect the authentication ticket is very important in order to prevent any compromise on the authentication process. For example, elevation of priviledges, session hijacking are some of the vulnerabilities will be exposed to the attackers.
Here are few methods that you can use to secure your forms authentication.
1. Use Hashed MACs (HMACs), either SHA1 or MD5 to ensure tamper-proofing. A hashed message authentication code (HMAC) is generated from the ViewState content and the hash is compared on subsequent requests. By using this, any changes have been made on the authentication ticket wil be detected at the server.This will cause an exception being thrown if it has been modified.
- Check that the protection attribute of the <forms> element to All
<forms ... protection="All" ... />
- Check the validation attribute of the <machineKey> element
<machineKey ... validation="SHA1" ... />
[The validation attribute specifies the hashing algorithm used by the HMAC algorithm used to tamper proof the forms authentication ticket. Use the default SHA1 setting because this produces a larger hash than MD5 and is cryptographically stronger.]
- Review the validationKey attribute of the <machineKey> element
<machineKey validationKey="AutoGenerate,IsolateApps" ... />
[The AutoGenerate setting will generate a random key. The IsolateApps modifier causes ASP.NET to generate a unique key for each application on your server by using the application ID of each application. ]
2. Encrypt the Authentication Ticket. Encryption to turn the ticket contents into unintelligible cipher text
<machineKey
validationKey="AutoGenerate,IsolateApps"
decryptionKey="AutoGenerate,IsolateApps"
validation="AES"
decryption="Auto" />
- Use the decryption attribute of the <machineKey> element to specify the encryption algorithm.
- With the default Auto setting, if the value of the decryptionKey attribute is 8 bytes long (16 characters) then Auto defaults to DES.
3. Use SSL to Protect Authentication Tickets, to prevent forms authentication cookies from being tampered with while crossing the network.
- Set requireSSL="true" on the <forms> element
<forms loginUrl="Secure\Login.aspx" requireSSL="true" ... />
[If you are using cookieless sessions, you must ensure that the authentication ticket is never transmitted across an unsecured channel]
4. Partitioning Your Web Site. Try to structure your Web site so that the secure pages that require authenticated access are placed in a subdirectory.
- In Microsoft Internet Information Services (IIS), configure the secure folder to require SSL. This sets the AccessSSL=true attribute for the folder in the IIS Metabase
- Use an <authorization> element to ensure that only authenticated users can access secure pages.
<location path="Secure" >
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
5. Enforce Password Complexity Rules by configuring the precise password complexity rules enforced by your provider
- passwordStrengthRegularExpression. The default is "" .
- minRequiredPasswordLength. The default is 7.
- minRequiredNonalphanumericCharacters. The default is 1.
6. Validating Strong Passwords to be created by users. You can set its PasswordRegularExpression property to an appropriate regular expression: ^(?=.*\d)(?=.*[a-z])(?=.*[A-Z]).{8,10}$
7. Perform Effective Data Validation to minimize the possibility of Cross-site scripting and SQL injection by setting that the ValidateRequest attribute is set to true.
<%@ Page language="c#" Codebehind="LoginForm.aspx.cs" ValidateRequest="true" ... %>