Ramani Sandeep's Blog

DotNetting – Fast, Easy Way of Developing Applications

Posts Tagged ‘Cookies’

Securing Cookies Data

Posted by Ramani Sandeep on July 30, 2009

Introduction

I really have some good laughs when I tamper with cookies on my machine and watch the results when they are submitted back to the site. On the other hand, I don't want anyone to do the same to the cookies that I make!

Most of the time, cookies shouldn't be in plain text; at the very least they should be tamper-proof. Revealing the content of your cookies can give curious and malicious people an idea of your application's architecture, and a cookie that the server trusts without verifying it can be edited by the client to change what the application does.

ASP.NET encrypts and hashes its own authentication ticket, which makes the forms authentication cookie both confidential and tamper-proof. However, the methods used to protect that cookie are internal to the .NET Framework libraries, so you can't protect your own cookie with them; you would have to protect it yourself with your own encryption key, encoding and hashing algorithms. HttpSecureCookie works around this by calling the same methods ASP.NET uses for its authentication cookie.

Of course, you shouldn't save valuable information in your cookies, but if you have to, then this library is at your disposal.

Background

Before you start using this code, if you do not know what MachineKey is, I highly recommend checking this MSDN article: How To: Configure MachineKey in ASP.NET 2.0.

ASP.NET uses the internal class System.Web.Security.CookieProtectionHelper to encode the content of a cookie before sending it to the client and to decode (and verify) it when the cookie comes back. This class is keyed by the MachineKey, so the same validationKey and decryptionKey must be configured on every server that has to read the cookie. I wonder why Microsoft kept this class internal!?

To get at this internal class, I had to use reflection to reach the Decode and Encode methods of CookieProtectionHelper.

Eric Newton has a similar and good article on CP: Encrypting cookies to prevent tampering. However, that code is made for .NET 1.1 and it doesn’t work with .NET 2.0 (but it does with some modifications); moreover, its resulting cipher text is in binary format versus being in encrypted format, and I don’t know if this is a security risk. Also, I am accessing a higher level class System.Web.Security.CookieProtectionHelper than the one used by that article, System.Web.Configuration.MachineKey, to obtain the cryptography service, and that saved me time by not writing some low level code.

There is also another method for protecting cookies: put your data in a FormsAuthenticationTicket and call FormsAuthentication.Encrypt; for more information, check the section "Creating the Forms Authentication Cookie" in Explained: Forms Authentication in ASP.NET 2.0. However, I believe the method described in this article is more flexible.
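The following is an added example, not code from the HttpSecureCookie library or from either article referenced above. It shows both routes just described on a custom cookie: the MachineKey-based protection that CookieProtectionHelper wraps, here through the public MachineKey.Protect/Unprotect API that .NET 4.5 and later expose (so no reflection into an internal class is needed), and the FormsAuthenticationTicket/FormsAuthentication.Encrypt alternative. The class name SecureCookie, the purpose string and the ticket parameters are assumptions chosen for the example. The security-relevant point is in TryRead and TryDecryptTicket: a cookie whose value has been edited, or that was protected under a different machineKey, fails verification and is treated as absent rather than trusted.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.Security;

// Added example, not the HttpSecureCookie library's code.
public static class SecureCookie
{
    // Assumed purpose string. Binding the protected payload to a purpose means a
    // value protected for this cookie cannot be replayed as some other protected value.
    private const string Purpose = "Example.SecureCookie.v1";

    // Route 1: MachineKey.Protect (.NET 4.5+), the public successor of the internal
    // CookieProtectionHelper. Output is encrypted and MAC'd with the configured machineKey.
    public static HttpCookie Create(string name, string plainValue, DateTime? expires = null)
    {
        byte[] protectedBytes = MachineKey.Protect(Encoding.UTF8.GetBytes(plainValue), Purpose);
        var cookie = new HttpCookie(name, HttpServerUtility.UrlTokenEncode(protectedBytes))
        {
            HttpOnly = true, // keep it out of document.cookie
            Secure = true    // only send it over HTTPS
        };
        if (expires.HasValue)
        {
            cookie.Expires = expires.Value;
        }
        return cookie;
    }

    // Returns the original value, or null if the cookie is missing, malformed,
    // tampered with, or was protected under a different machineKey.
    public static string TryRead(HttpRequest request, string name)
    {
        HttpCookie cookie = request.Cookies[name];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
        {
            return null;
        }
        try
        {
            byte[] protectedBytes = HttpServerUtility.UrlTokenDecode(cookie.Value);
            if (protectedBytes == null)
            {
                return null; // not valid base64url
            }
            byte[] plain = MachineKey.Unprotect(protectedBytes, Purpose);
            return plain == null ? null : Encoding.UTF8.GetString(plain);
        }
        catch (CryptographicException)
        {
            return null; // MAC check failed: the value was modified
        }
    }

    // Route 2: carry the data in the UserData field of a FormsAuthenticationTicket.
    public static string EncryptWithTicket(string userName, string userData, TimeSpan lifetime)
    {
        var ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.Add(lifetime), false, userData);
        return FormsAuthentication.Encrypt(ticket);
    }

    // Returns the ticket, or null if the value does not verify or has expired.
    // Decrypt reports bad input differently across framework versions (null result
    // or an exception), so both are handled.
    public static FormsAuthenticationTicket TryDecryptTicket(string cookieValue)
    {
        if (string.IsNullOrEmpty(cookieValue))
        {
            return null;
        }
        try
        {
            FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(cookieValue);
            return (ticket == null || ticket.Expired) ? null : ticket;
        }
        catch (ArgumentException) { return null; }
        catch (CryptographicException) { return null; }
        catch (HttpException) { return null; }
    }
}
```

Usage on a page: `Response.Cookies.Add(SecureCookie.Create("Prefs", "theme=dark", DateTime.Now.AddDays(30)));` when writing, and `string prefs = SecureCookie.TryRead(Request, "Prefs");` when reading, treating null as "no cookie". A quick check that the protection works is to edit a few characters of the cookie value in the browser and confirm TryRead returns null instead of the edited text. Both routes depend on the machineKey being explicitly configured and identical across a web farm; with AutoGenerate keys, a cookie written by one server will not verify on another.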


Posted in ASP.NET

How do we Create, Read, Delete Cookies in ASP.NET

Posted by Ramani Sandeep on July 3, 2009

A cookie is a small piece of text that the browser stores on the user's machine. The web server sends the cookie in a response, the browser saves it, and on later requests to the same site the browser sends it back. Cookies are mostly used to keep information about the user between requests. Because they are stored on the client side, the client can read and modify them, so the server must not trust their contents blindly.

Here I am going to explain this with an example of "Remember Me" code:

Step 1: if the "Remember Me" check box is checked, create the cookie; otherwise delete it. Note that this example writes the password into the cookie in plain text, so anyone who can read the cookie file or watch the traffic on a non-HTTPS connection gets the password; in a real application store a random login token instead, and protect the cookie as described in the "Securing Cookies Data" post above.

if (chkRememberMe.Checked)
{
    // Create a cookie to store the admin info. Each Values[] entry becomes a
    // subkey of the single "AdminInfo" cookie.
    // Note: the password is stored in plain text here.
    HttpCookie aCookie = new HttpCookie("AdminInfo");
    aCookie.Values["userName"] = txtUsername.Text;
    aCookie.Values["Password"] = txtPassword.Text;
    aCookie.Values["lastVisit"] = DateTime.Now.ToString();
    aCookie.Expires = DateTime.Now.AddDays(10);
    aCookie.HttpOnly = true; // client script never needs it, so keep it out of document.cookie
    Response.Cookies.Add(aCookie);
}
else
{
    // Delete the cookie: send it back with the same name and an expiry in the past.
    HttpCookie aCookie = new HttpCookie("AdminInfo");
    aCookie.Expires = DateTime.Now.AddDays(-1);
    Response.Cookies.Add(aCookie);
}

Step 2: in the Page_Load event, check whether the cookie exists and, if it does, fill the username and password fields from it.

protected void Page_Load(object sender, EventArgs e)
{
    if (!IsPostBack)
    {
        HttpCookie aCookie = Request.Cookies["AdminInfo"];
        if (aCookie != null)
        {
            // Reading a subkey that is not present returns null, so no ToString() is needed.
            txtUsername.Text = aCookie["userName"];

            // A TextBox in Password mode does not render its Text property,
            // so the value has to be set as an attribute instead.
            string pwd = aCookie["Password"];
            if (pwd != null)
            {
                txtPassword.Attributes.Add("value", pwd);
            }
        }
    }
}

 


Posted in ASP.NET

 