I have a question regarding Form authentication cookie vulnerability. In JavaScript we can use document.cookie to access form authentication cookie value (assuming it is not httponly). This value is encrypted. I have read in many blogs that if someone get’s this value our security is breached. My question is how can he(attacker) breach it(the credentials inside the cookie) since the form authentication encryption method uses machine key to encrypt that cookie, so to decrypt it, the same machine key would be needed? Isn’t that so? Can you clarify me on this that how that cookie value is vulnerable since the attacker should have my machine key with him only then he can decrypts it? Am I right here?
I have a question regarding Form authentication cookie vulnerability. In JavaScript we can use
Share
He doesn’t have to decrypt the encrypted cookie. He could just use the encrypted value of the cookie and become you.
The server does the encryption, so it doesn’t know that the browser giving it the cookie was who the cookie was originally issued to.
Using an extension like Modify This Cookie (or anything else that achieves that functionality) would allow me to set my cookie to your encrypted value if I were able to obtain it.
Ironically, the very same question was asked about StackOverflow. Have a look at Troy’s post for further information.