asp.net mvc - Security problems with autologin and FormsAuthenticationTicket
I'm using autologin on an MVC 3 website.

How best to handle this problem:

A user signs in at their own computer (and gets a 30-day cookie).
The same user signs in at a friend's computer (and gets a 30-day cookie).

It's now possible to autologin at both computers. The user realizes this and changes their password, but the friend is still able to autologin at their computer until the cookie expires.

How best to handle this?

I could of course set a date on the user when the password is changed, and check it against the date in the cookie.

Or am I missing something?
I know what you're saying, but I think you're implying an association between the "remember me" function and the "password change" function which, in practice, isn't there. The auth token set when authenticating is not tied to the value of the password (i.e. when using the membership provider); after all, you're logically keeping the identity authenticated across sessions and, in that regard, it works fine.

To be honest, this sounds more like a user behaviour problem than a technology problem. In your use case, the user is consciously asking the browser to allow them to remain authenticated for a long period of time, and doing so on a machine they have no control over. Of course I'm assuming you have a "remember me" checkbox, and if you don't, there's your answer right there.

The other thing you might want to look at is what OWASP talks about in part 3 of the Top 10 - broken authentication and session management. The link puts it in a .NET context; in short, it talks a lot about reducing the opportunity for what you're describing to happen, with things like eager session expiration, disabling sliding sessions, and giving end users control to expire the token at session expiration and log out at any time.
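The check the question proposes (reject any persistent ticket issued before the user's last password change), written out as an added ASP.NET MVC 3 example. This is not code from the question or the answer above. It assumes a hypothetical `IPasswordChangeStore` (an in-memory dictionary here, standing in for a "PasswordChangedUtc" column on the user record), a global authorization filter `RejectStaleTicketAttribute`, and a `ChangePassword` action on an `AccountController`; all of those names are assumptions, not part of the original page.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web.Mvc;
using System.Web.Security;

// Hypothetical store: user name -> UTC time the password was last changed.
// In a real site this is a column on the user record, not an in-memory map.
public interface IPasswordChangeStore
{
    DateTime? GetLastPasswordChangeUtc(string userName);
    void RecordPasswordChange(string userName, DateTime whenUtc);
}

public class InMemoryPasswordChangeStore : IPasswordChangeStore
{
    private readonly Dictionary<string, DateTime> _changes =
        new Dictionary<string, DateTime>(StringComparer.OrdinalIgnoreCase);

    public DateTime? GetLastPasswordChangeUtc(string userName)
    {
        DateTime when;
        return _changes.TryGetValue(userName, out when) ? when : (DateTime?)null;
    }

    public void RecordPasswordChange(string userName, DateTime whenUtc)
    {
        _changes[userName] = whenUtc;
    }
}

public static class TicketValidator
{
    // A ticket issued strictly before the last password change is stale.
    // Strict "<" keeps the ticket re-issued in the same second as the change valid.
    public static bool IsStale(DateTime ticketIssueUtc, DateTime? lastPasswordChangeUtc)
    {
        return lastPasswordChangeUtc.HasValue && ticketIssueUtc < lastPasswordChangeUtc.Value;
    }
}

// Register once in Global.asax:
//   GlobalFilters.Filters.Add(new RejectStaleTicketAttribute(store));
public class RejectStaleTicketAttribute : FilterAttribute, IAuthorizationFilter
{
    private readonly IPasswordChangeStore _store;

    public RejectStaleTicketAttribute(IPasswordChangeStore store) { _store = store; }

    public void OnAuthorization(AuthorizationContext filterContext)
    {
        var cookie = filterContext.HttpContext.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null) return;                       // anonymous request, nothing to check

        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { ticket = null; }               // unreadable/tampered cookie: treat as absent
        if (ticket == null || ticket.Expired) return;      // FormsAuthenticationModule already rejects these

        // IssueDate is stored as local time; compare in UTC to avoid DST/timezone skew.
        var issuedUtc = ticket.IssueDate.ToUniversalTime();
        if (TicketValidator.IsStale(issuedUtc, _store.GetLastPasswordChangeUtc(ticket.Name)))
        {
            FormsAuthentication.SignOut();                 // clear the cookie on this browser
            filterContext.HttpContext.User =
                new GenericPrincipal(new GenericIdentity(""), new string[0]);
            filterContext.Result = new HttpUnauthorizedResult(); // 401 -> redirect to login page
        }
    }
}

public class AccountController : Controller
{
    private readonly IPasswordChangeStore _store;

    public AccountController(IPasswordChangeStore store) { _store = store; }

    [HttpPost, Authorize, ValidateAntiForgeryToken]
    public ActionResult ChangePassword(string oldPassword, string newPassword)
    {
        var user = Membership.GetUser();
        if (user == null || !user.ChangePassword(oldPassword, newPassword))
            return View();                                 // wrong current password: re-show the form

        // Everything issued before this instant (the friend's 30-day cookie included) is now stale.
        _store.RecordPasswordChange(user.UserName, DateTime.UtcNow);

        // Re-issue this browser's ticket so only the *other* machines get logged out.
        FormsAuthentication.SetAuthCookie(user.UserName, true);
        return RedirectToAction("Index", "Home");
    }
}
```

Two practical points: the comparison must happen on every request (hence a global filter rather than a check at login time, since autologin never hits the login action), and the password-change action has to re-issue the current browser's ticket after recording the timestamp, otherwise the user who just changed their password is logged out as well. Cookie expiry settings (eager expiration, `slidingExpiration="false"` in the `<forms>` element) still matter as a backstop: this check only fires once the server has recorded a change.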