Wednesday, June 25, 2014

Session Hijacking


Is it possible to steal a cookie and authenticate as an administrator?
Yes, it is possible. If the Forms Auth cookie is not encrypted, someone could tamper with their own cookie to give themselves elevated privileges, and if SSL is not required, they could copy another person's cookie off the wire.
Encrypting the session value would have zero effect: the session cookie is already an arbitrary value, and encrypting it just produces another arbitrary value that can be sniffed.
However, there are steps we can take to mitigate these risks.
On the system.web/authentication/forms element:
  1. requireSSL=true. This requires that the cookie only be transmitted over SSL.
  2. slidingExpiration=false. When true, an expired ticket can be reactivated.
  3. cookieless=false. Do not use cookieless sessions in an environment where you are trying to enforce security.
  4. enableCrossAppRedirects=false. When false, processing of cookies across apps is not allowed.
  5. protection=all. Encrypts and hashes the Forms Auth cookie using the machine key specified in machine.config or web.config. This stops someone from tampering with their own cookie: the system generates a signature for the cookie and, on each authentication request, compares that signature with the cookie that was presented.
Note: If you wanted, you could add a small extra layer of protection by putting some authentication information in Session, such as a hash of the user's username (never put the username in plain text, or their password). An attacker would then have to steal both the Session cookie and the Forms Auth cookie.
Currently in the portal, cookie expiration is 1 year for users who have checked "Save Your User Name on This Computer"; this has to be set to a shorter period.
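A defender-side helper for the settings and the Note above, added here as an example and not taken from the post: AuditFormsAuth() reads the configured Forms Auth settings through the static FormsAuthentication properties and reports deviations from items 1-4 (protection=all is not exposed there), and the Login/EnforceBinding pair stores a hash of the username in Session and signs out any request whose Forms Auth cookie arrives without the matching Session cookie. The one-hour timeout limit, the session key name and all method names are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.Security;

// Added example (not from the post). AuditFormsAuth() flags weak <forms> settings at
// startup; Login/EnforceBinding tie the Forms Auth identity to the ASP.NET Session.
public static class FormsAuthHardening
{
    // Returns the settings that deviate from the recommended values; empty means OK.
    public static IList<string> AuditFormsAuth()
    {
        var issues = new List<string>();
        if (!FormsAuthentication.RequireSSL) issues.Add("requireSSL should be true");
        if (FormsAuthentication.SlidingExpiration) issues.Add("slidingExpiration should be false");
        if (FormsAuthentication.CookieMode != HttpCookieMode.UseCookies) issues.Add("cookieless should be false (UseCookies)");
        if (FormsAuthentication.EnableCrossAppRedirects) issues.Add("enableCrossAppRedirects should be false");
        if (FormsAuthentication.Timeout > TimeSpan.FromHours(1)) issues.Add("timeout exceeds 1 hour (assumed limit)");
        return issues;
    }

    const string SessionKey = "AuthUserHash"; // assumed key name

    // Only a hash goes into Session, never the username itself or the password.
    static string HashUser(string userName)
    {
        using (var sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(userName.ToLowerInvariant())));
    }

    // Call after a successful login; a non-persistent auth cookie avoids the 1-year lifetime.
    public static void Login(HttpContext ctx, string userName)
    {
        ctx.Session[SessionKey] = HashUser(userName);
        FormsAuthentication.SetAuthCookie(userName, createPersistentCookie: false);
    }

    // Wire to HttpApplication.PostAcquireRequestState (Session is not populated yet at AuthenticateRequest).
    // A Forms Auth cookie presented without its matching Session cookie is signed out.
    public static void EnforceBinding(HttpContext ctx)
    {
        var id = ctx.User != null ? ctx.User.Identity : null;
        if (id == null || !id.IsAuthenticated) return;              // anonymous request, nothing to check
        var expected = ctx.Session != null ? ctx.Session[SessionKey] as string : null;
        if (expected != null && expected == HashUser(id.Name)) return;
        FormsAuthentication.SignOut();
        if (ctx.Session != null) ctx.Session.Abandon();
        FormsAuthentication.RedirectToLoginPage();
    }
}
```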

Wednesday, September 22, 2010

Thursday, September 9, 2010

Microsoft Web Farm Framework

Microsoft Web Farm Framework for IIS7 enables administrators to provision, scale and manage their web infrastructure

Microsoft has released Web Farm Framework Beta, which lets us easily provision and manage a farm of web servers. It can automate the installation and configuration of platform components across the server farm, and automatically synchronize and deploy ASP.NET applications across them. It also integrates with load balancers and automates updates across our servers so that our site/application is never down or unavailable to customers.

Web Farm Framework can be used to:
  • Provision web platform and content
  • Scale web infrastructure and resources using ARR and 3rd party load balancers
  • Manage multiple servers or a farm using a unified interface

Using Web Farm Framework to Provision and Scale a Web Farm

The Microsoft Web Farm Framework enables you to easily define a “Server Farm” that you can add any number of servers into. Servers participating in the “Server Farm” will then be automatically updated, provisioned and managed by the Web Farm Framework.

What this means is that you can install IIS (including modules like UrlRewrite, Media Services, etc), ASP.NET, and custom SSL certificates once on a primary server – and then the Web Farm Framework will automatically replicate and provision the exact same configuration across all of the other web servers in the farm (no manual or additional steps required).

You can then create and configure an IIS Application Pool and a new Site and Application once on a primary server – and the Web Farm Framework will automatically replicate and provision the settings to all of the other web servers in the farm. You can then copy/deploy an ASP.NET application once on the primary server – and the Web Farm Framework will automatically replicate and provision the changes to all of the web servers in the farm (no manual or additional steps required).

The Web Farm Framework eliminates the need to manually install/manage things across a cluster of machines. It handles all of the provisioning and deployment for you in a completely automated way.

Load Balancer Integration

In addition to making it easy to provision/deploy servers and applications, the Web Farm Framework also includes load balancer integration. Specifically, the Web Farm Framework can integrate with an HTTP load balancer so that as web servers in the farm are updated with changes, they can be automatically pulled out of the load balancer rotation, updated, and then added back in. The Web Farm Framework can also optionally update the machines one at a time – so that you always have servers available to handle heavy load. This keeps your site available during updates – without you having to write any manual scripts to control or manage the update roll-out.

The current beta of the Web Farm Framework includes built-in support for the IIS Application Request Routing (ARR) service (which supports automatic load balancing of HTTP requests across multiple machines in a web-farm). The Web Farm Framework makes it really easy to integrate your web farm of servers with ARR for load-balancing, and includes the support to automatically pull a server out of rotation as it is being updated, and then have it added back into rotation once the update is done.

The final Web Farm Framework release will enable extensibility with other load-balancing technologies as well – enabling the same ability to automatically pull/inject servers from a load balancing rotation as they are updated.

For more details you can visit Scott Gu's blog http://weblogs.asp.net/scottgu/archive/2010/09/08/introducing-the-microsoft-web-farm-framework.aspx