Hi All,
Forms authentication cookie hacked on my production site. Please advise.
1. In the web.config file, I am using the following:
<forms defaultUrl="home.aspx" loginUrl="default.aspx" name="EncCk" slidingExpiration="false" timeout="60" protection="All" />
<machineKey
validationKey="AutoGenerate,IsolateApps"
decryptionKey="AutoGenerate,IsolateApps"
decryption="Auto"
validation="SHA1" />
During login, the userid is saved in the authentication cookie:
FormsAuthentication.SetAuthCookie(userid.ToString(), false);
------------------------------------------------------------------------------------------------
My issue is: when I log in with my user I can see the cookie in the browser. I copy my cookie; below is the cookie:
FC38C68D1E4D62A2D736D0D6D1CDFCFB8BA8A6E962902026CECE3CF2E6F1E81C578ECBD94CBFB6DAA8C976FBA2CFBFAB06494B2A267523F3624D4316EB4A4801F3FC4B4A1B202EA11D2134512CEAF87BFA60C1FA2869B59335E2B74AD59F0580376ACDEF
Then I logged out with my user, logged in with a different user, and pasted the above cookie into the browser's cookie, and now I can see my user coming up. I am logged in as another user, but I can make all the changes from my user. HOW?
How do I validate the authentication cookie even if a hacker knows the cookie data of another user?
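The behaviour in the post is expected: a forms authentication ticket is a bearer token, and FormsAuthentication.SignOut only deletes the cookie in one browser, so a copied ticket stays valid until its timeout. The usual fix is to give the server a say: put a random id in the ticket's UserData, record which ids are live, and reject any ticket whose id has been revoked at logout. The following is an added example written for this thread, not code from the original post or from the ASP.NET framework; the names TicketRegistry, AuthHelper and TicketRevocationModule are assumptions, and the in-memory dictionary stands in for the database or distributed cache a production site would use.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Hypothetical server-side registry of live ticket ids (assumed name).
// In production this belongs in a database or distributed cache so that
// every web server sees the same revocation list.
public static class TicketRegistry
{
    // key: random id carried in the ticket's UserData; value: user id it was issued to
    private static readonly ConcurrentDictionary<string, string> Active =
        new ConcurrentDictionary<string, string>(StringComparer.Ordinal);

    public static string Issue(string userId)
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(bytes);
        string id = Convert.ToBase64String(bytes);
        Active[id] = userId;
        return id;
    }

    public static bool IsValid(string id, string userId)
    {
        string owner;
        return id != null && Active.TryGetValue(id, out owner) && owner == userId;
    }

    public static void Revoke(string id)
    {
        string ignored;
        if (id != null) Active.TryRemove(id, out ignored);
    }
}

// Replacement for the FormsAuthentication.SetAuthCookie call in the post (assumed name).
public static class AuthHelper
{
    public static void SignIn(HttpResponse response, string userId)
    {
        string ticketId = TicketRegistry.Issue(userId);
        var ticket = new FormsAuthenticationTicket(
            2, userId, DateTime.Now, DateTime.Now.AddMinutes(60),
            false /* not persistent */, ticketId /* UserData */);
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,   // not readable from JavaScript
            Secure = true      // only sent over HTTPS (site must be served over TLS)
        };
        response.Cookies.Add(cookie);
    }

    // Revoke server-side first, then clear the cookie as before.
    public static void SignOut(HttpRequest request)
    {
        var ticket = ReadTicket(request);
        if (ticket != null) TicketRegistry.Revoke(ticket.UserData);
        FormsAuthentication.SignOut();
    }

    public static FormsAuthenticationTicket ReadTicket(HttpRequest request)
    {
        var cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return null;
        try { return FormsAuthentication.Decrypt(cookie.Value); }
        catch (ArgumentException) { return null; }   // tampered or foreign ticket
        catch (HttpException) { return null; }
    }
}

// Runs after FormsAuthenticationModule has accepted the ticket and rejects
// any ticket the server no longer recognises (e.g. one replayed after logout).
// Register it under <system.webServer><modules> in web.config.
public class TicketRevocationModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        app.PostAuthenticateRequest += (sender, e) =>
        {
            var ctx = ((HttpApplication)sender).Context;
            if (ctx.User == null || !ctx.User.Identity.IsAuthenticated) return;

            var ticket = AuthHelper.ReadTicket(ctx.Request);
            if (ticket == null || ticket.Expired ||
                !TicketRegistry.IsValid(ticket.UserData, ctx.User.Identity.Name))
            {
                FormsAuthentication.SignOut();
                ctx.User = new GenericPrincipal(new GenericIdentity(string.Empty), new string[0]);
                ctx.Response.Redirect(FormsAuthentication.LoginUrl, true);
            }
        };
    }

    public void Dispose() { }
}
```

With this in place, a ticket copied from the first browser is rejected as soon as that user logs out, because its id is gone from the registry. It does not stop replay while the first session is still live; for that the cookie must not leak in the first place, so the site should run over HTTPS with requireSSL="true" on the forms element, keep HttpOnly on the cookie, and use a short absolute timeout (slidingExpiration="false", as in the post's config, is the right choice). Also note that validation="SHA1" and AutoGenerate keys are the defaults the post already has; they authenticate the ticket against tampering but cannot tell a legitimate holder from a thief.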