
I have a list of subdomains on my site that a user can select. I want to create an auth cookie for the subdomain they select only, not all of the subdomains. Assuming my site is mysite.com, the user could see

  • domainOne.mysite.com
  • domainTwo.mysite.com

When they've selected their subdomain, I do the following in the controller action:

    // encTicket is the encrypted forms-authentication ticket (see below)
    var faCookie = new HttpCookie(FormsAuthentication.FormsCookieName, encTicket);
    faCookie.HttpOnly = true;
    faCookie.Domain = (subdomain + ".mysite.com");
    faCookie.Secure = FormsAuthentication.RequireSSL;
    response.Cookies.Add(faCookie);
    return this.Redirect("http://" + subdomain + ".mysite.com");

where encTicket is just some encrypted user information.

In Fiddler I see this as the response:

HTTP/1.1 302 Found
Cache-Control: private, s-maxage=0
Content-Type: text/html; charset=utf-8
Location: http://domainOne.mysite.com
Server: Microsoft-IIS/8.0
X-AspNetMvc-Version: 4.0
X-AspNet-Version: 4.0.30319
Set-Cookie: .ASPXAUTH=9ECF5B2533<snip>; domain=domainOne.mysite.net; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Fri, 19 Jul 2013 04:19:02 GMT
Content-Length: 142

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="http://domainOne.mysite.net">here</a>.</h2>
</body></html>

OK, so all looks good to me here. The response is telling the browser to add a cookie for the subdomain. The subsequent GET based on the redirect, however, does not have the cookie at all in its request.

Is there some trickery that I'm missing? Just to be clear I don't want to create a cookie for the root (.mydomain.com) as that would give authentication across all subdomains.

Thanks for any help

Dylan

1 Answer

I have good news and bad news.

The bad news is: you can't do it. See here for an explanation. Essentially your server is setting a cookie for a domain it does not contain, so the cookie is rejected.

The good news is: you don't want to do this anyway. Your design violates OWASP 2013 A4 (insecure and unvalidated direct object reference). In this case you are storing the user's access permissions as the domain of the cookie, which a hacker can easily modify.

Find a different way to designate subdomain access. There are all kinds of ways to do this.

Here is one way that is pretty close to your plan:

Store the subdomain in the cookie value itself. Create a secure document container that lists the subdomains to which the user is granted access. You could for example store the subdomains as a comma-delimited string followed by an HMAC that prevents a malicious user from tampering with the list.

    var contents = "subdomain1.domain.com,subdomain2.domain.com";
    var bytes = System.Text.Encoding.UTF8.GetBytes(contents);
    // Validation mode appends an HMAC keyed by the application's machineKey validationKey
    var hash = System.Web.Security.MachineKey.Encode(bytes,
                     System.Web.Security.MachineKeyProtection.Validation);
    var cookie = new HttpCookie("MYCOOKIE", contents + "|" + hash);
    cookie.Domain = "domain.com";

When the subdomain site receives a request, it'll have to look for the cookie, check the hash to validate the cookie, then check the payload to see if access should be granted.

    // requires: using System.Linq; (for Contains on string[])
    var cookie = Request.Cookies["MYCOOKIE"];
    if (cookie == null) throw new System.Security.SecurityException("No access cookie present!");
    var chunks = cookie.Value.Split('|');
    if (chunks.Length != 2) throw new System.Security.SecurityException("Malformed cookie!");
    var list = chunks[0];
    var hash = chunks[1];
    // Recompute the MAC over the list we received and compare it to the one in the cookie
    var bytes = System.Text.Encoding.UTF8.GetBytes(list);
    var checkHash = System.Web.Security.MachineKey.Encode(bytes,
                     System.Web.Security.MachineKeyProtection.Validation);
    if (checkHash != hash) throw new System.Security.SecurityException("Someone tampered with the cookie!");
    var subdomains = list.Split(',');
    if (!subdomains.Contains(MY_SUBDOMAIN)) throw new System.Security.SecurityException("Someone is using their cookie to access the wrong domain!");

Another method would be to store the list of granted subdomains in a database on the server side, associate the list with a token, and pass the token in the cookie. This method would be somewhat more secure because the access list is never passed over the wire.

A third method would be to build out a real SAML-based SSO infrastructure, but that is sort of involved.

John Wu
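An added example, not code from the question or the answer: the first two functions show the browser-side rule that causes the question's cookie to be dropped (RFC 6265 domain matching: the responding host must equal, or be a subdomain of, the cookie's Domain attribute), and the last two are a language-neutral version of the answer's signed subdomain list, using HMAC-SHA256 with a constant-time compare in place of ASP.NET's MachineKey.Encode. The key and host names are constructed sample values; public-suffix and IP-address rules that real browsers also apply are left out.

```python
import hmac
import hashlib


def domain_matches(request_host, cookie_domain):
    """RFC 6265 domain-match: host equals the domain or ends with '.' + domain."""
    host = request_host.lower().rstrip(".")
    domain = cookie_domain.lower().lstrip(".").rstrip(".")
    return host == domain or host.endswith("." + domain)


def browser_accepts(request_host, set_cookie_domain):
    """A Set-Cookie with a Domain attribute is kept only if the responding
    host domain-matches that attribute; mysite.com cannot set a cookie
    for domainOne.mysite.com, which is exactly the question's failure."""
    return domain_matches(request_host, set_cookie_domain)


# Constructed demo key; in ASP.NET the machineKey validationKey plays this role.
KEY = b"constructed-demo-key-not-for-production"


def make_cookie(subdomains):
    """Cookie value: comma-delimited list + '|' + HMAC over the list."""
    contents = ",".join(subdomains)
    tag = hmac.new(KEY, contents.encode("utf-8"), hashlib.sha256).hexdigest()
    return contents + "|" + tag


def allowed(cookie_value, my_subdomain):
    """Deny on any defect: missing cookie, malformed value, bad MAC, or
    a valid cookie presented to a subdomain that is not in its list."""
    if not cookie_value or "|" not in cookie_value:
        return False
    contents, tag = cookie_value.rsplit("|", 1)
    expected = hmac.new(KEY, contents.encode("utf-8"), hashlib.sha256).hexdigest()
    # compare_digest avoids the timing leak of a plain != on the MAC
    if not hmac.compare_digest(expected, tag):
        return False
    granted = [s.strip().lower() for s in contents.split(",")]
    return my_subdomain.lower() in granted
```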
  • John, does this security feature also apply to a cookies aware webrequest? – Stephan Luis Mar 08 '16 at 22:46
  • John, does this UA cookie rejection feature also apply to a cookies aware webrequest? Like http://stackoverflow.com/questions/17183703/using-webclient-or-webrequest-to-login-to-a-website-and-access-data ? I'm trying to use this method to login a user on my landing page (set the cookie) and redirect to the dashboard. – Stephan Luis Mar 08 '16 at 22:56
  • Not necessarily. If you write the WebRequest code, you can dictate how cookies are accepted and rejected. You could accept everything from everyone, if you want. – John Wu Mar 11 '16 at 01:34
  • John: The scenario is a login from one app to another. With the webrequest I get the auth cookie from (my) second server, but haven't figured out how to 'apply' it to the redirect (post) to the users home page generated back on the second server. Have you seen a good reference for this for me to read or, if it's easy enough can you explain how it's done? Thx – Stephan Luis Mar 14 '16 at 21:40
  • I suggest you start another Stackoverflow question for that. – John Wu Mar 15 '16 at 00:48