81

While working with ASP.Net Forms Authentication I came across the .ASPXAUTH cookie. I have a couple of questions:

  • What is the purpose of this cookie?
  • What is the location of this cookie?
Joel Beckham
balaweblog

3 Answers

87

The ASPXAUTH cookie is used to determine if a user is authenticated.

As far as the location of the cookie, that depends on your browser. If you are using Firefox you can view the cookie by clicking on Tools -> Options -> Privacy. Then scroll down to the domain and expand it to see the cookie and its value. The value is encrypted using the machine key (located in the server's machine.config or web.config file) so looking at the cookie on the client won't really provide you any information. You can decrypt/view the value on the server side using:

HttpCookie authCookie = Request.Cookies[FormsAuthentication.FormsCookieName]; // ".ASPXAUTH" unless renamed via <forms name="..."> in web.config
FormsAuthenticationTicket authTicket = authCookie == null ? null : FormsAuthentication.Decrypt(authCookie.Value);
// Decrypt checks the MAC and decrypts with the machineKey; a value that fails validation (edited on the client, or issued under a different machineKey) throws rather than returning a ticket

where authTicket has these fields:

[screenshot not preserved; the FormsAuthenticationTicket properties are CookiePath, Expiration, Expired, IsPersistent, IssueDate, Name, UserData and Version]

The statement "ASPXAUTH is basically used to maintain ASP.NET Session State" is incorrect. ASP.NET issues an entirely different cookie, named ASP.NET_SessionId, to track session state.

wal
Todd
  • On Firefox v8.0 the cookies can be found as follows: Tools -> Page Info -> Security -> View Cookies – Anthony Nov 25 '11 at 09:51
  • In the same security tab there is a "View Saved Passwords" button, and to my surprise I was able to see all the passwords as plain text for various websites I was browsing using Firefox. Though the browser must be storing them in an encoded format on disk and just decodes them for your reference, this option is really a security threat as much as I can think, if any hacker can employ the same algorithm and read those cookies using JavaScript, although leakage of that algorithm is a distant possibility as it might involve some key as well which is known only to the browser code. – RBT Jan 26 '15 at 03:39
  • To get name of key used for storing asp.net session id in http request's cookie collection here is the C# code: var aspNetSessionState = new System.Web.Configuration.SessionStateSection(); var aspNetSessionCookieName = aspNetSessionState.CookieName; – RBT Jan 26 '15 at 04:06
  • In Application_PostAuthenticateRequest, Request.IsAuthenticated is true but .ASPXAUTH has no value in my HttpContext.Current.Request.Cookies. I use sessionState. – Kiquenet May 17 '16 at 14:02
  • I created an MVC project and ran it. I registered an account and then logged in, and when I inspected the cookies in the Chrome dev tools there was an Aspnet.ApplicationCookie. Then I added one line in the login action, FormsAuthentication.SetAuthCookie(model.Email, true); logged in again and inspected the cookies in the Chrome dev tools, and this time obviously it was ASPXAuth. So what's the difference between the two? – Jan 08 '17 at 18:46
12

Actually the .ASPXAUTH cookie does not accurately tell you when the user is truly authenticated. When the user logs out of the app, the .ASPXAUTH cookie is removed from the browser. However, if you go back to the site within a short period of time (within the timeout of the forms auth cookie) and edit the new ASP.NET_SessionId cookie with the following:

  • change "name" field from "ASP.NET_SessionId" to ".ASPXAUTH"
  • change "value" from 24 char sessionID to old 448 char authentication string

After a refresh you will be able to assume the identity of the authenticated user without technically re-authenticating again (again assuming you do this within the specified timeout stored within the .ASPXAUTH encrypted auth string).

A good blog post explains the problem in more detail. A possible solution is to couple the .ASPXAUTH with the ASP session.

Robert
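An added example, not part of Robert's answer or of the blog post it refers to: one way to couple the .ASPXAUTH ticket with the server-side session, as the answer suggests, so that a ticket presented after logout is rejected even though it still decrypts and has not expired. A random nonce is stored both in session state and in the ticket's UserData, and every request must show both. The class, method and session-key names are my own; the System.Web calls are the real ASP.NET (Framework) API.

```csharp
// Added example (not from the original answer). SessionBoundFormsAuth and
// NonceKey are assumptions; FormsAuthentication, FormsAuthenticationTicket and
// HttpContextBase are the real System.Web types.
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.Security;

public static class SessionBoundFormsAuth
{
    private const string NonceKey = "FormsAuthNonce"; // session-state slot; the name is arbitrary

    // Call from the login action after the credentials have been verified.
    public static void SignIn(HttpContextBase ctx, string userName, bool persistent)
    {
        string nonce = NewNonce();
        ctx.Session[NonceKey] = nonce;

        var ticket = new FormsAuthenticationTicket(
            version: 1,
            name: userName,
            issueDate: DateTime.Now,
            expiration: DateTime.Now.Add(FormsAuthentication.Timeout),
            isPersistent: persistent,
            userData: nonce,                         // binds this ticket to this session
            cookiePath: FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                         // keep page script from reading the ticket
            Secure = FormsAuthentication.RequireSSL,
            Path = FormsAuthentication.FormsCookiePath,
        };
        if (persistent)
            cookie.Expires = ticket.Expiration;
        ctx.Response.Cookies.Add(cookie);
    }

    // Call from Global.asax Application_PostAcquireRequestState (session state exists there).
    // Returns true only when the ticket is valid AND the live session holds its nonce.
    public static bool Validate(HttpContextBase ctx)
    {
        if (ctx.Session == null) return false;      // handler without session state
        HttpCookie authCookie = ctx.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (authCookie == null) return false;

        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(authCookie.Value); }
        catch (Exception) { ticket = null; }        // tampered or foreign ticket
        if (ticket == null || ticket.Expired) return false;

        string expected = ctx.Session[NonceKey] as string;
        if (expected != null && FixedTimeEquals(expected, ticket.UserData))
            return true;

        // Cryptographically fine, but the session no longer holds this nonce:
        // logged out, timed out, or a replayed cookie. Drop it.
        SignOut(ctx);
        return false;
    }

    public static void SignOut(HttpContextBase ctx)
    {
        if (ctx.Session != null)
        {
            ctx.Session.Remove(NonceKey);
            ctx.Session.Abandon();                  // server-side state for this id is gone
        }
        FormsAuthentication.SignOut();              // expires the .ASPXAUTH cookie on the client
    }

    private static string NewNonce()
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(bytes);
        return Convert.ToBase64String(bytes);
    }

    // Constant-time comparison so the nonce check does not leak via timing.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a == null || b == null || a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

When Validate returns false the request must be treated as anonymous (reset HttpContext.Current.User or redirect to the login page), because FormsAuthenticationModule has already accepted the ticket by the time session state is available. After Session.Abandon, ASP.NET may keep handing the client the same session id, but the state behind it is empty, so the nonce check still fails for a replayed ticket; the ticket is now only as long-lived as the session it was issued in.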
0

If a user's interactions with the HTML login URL have allowed the TSWPP server to establish the user's identity, the remote server SHOULD generate a cookie that identifies the user and allows authentication to the server. The contents of the cookie SHOULD be signed and encrypted. The specific implementation of this cookie including the signing and encryption algorithms is dependent on the implementation of the TSWPP server, because only the server is required to parse the contents of the cookie. If the server implements the cookie, then the cookie MUST be returned in an HTTP payload with a Content-Type of "application/x-msts-webfeed-login".

http://msdn.microsoft.com/en-us/library/ee920427.aspx

Cruiser KID