Thursday, November 7, 2013

MVC4 Cookie Obfuscation

When building an MVC4 application with authentication, your app will generally issue two cookies whose default names give away the platform.

The first is the forms authentication ticket. It lets the framework decide whether the current user is authenticated (this is what the [Authorize] attribute checks, among other things). By default it is named .ASPXAUTH.

The second carries the session identifier. Session state is an ASP.NET feature rather than an IIS one: IIS Manager exposes a UI for it, but the setting itself lives in web.config. The default cookie name is ASP.NET_SessionId.

When reviewing a site, looking at the cookie names in the Set-Cookie headers to identify the underlying technology is one of the first things you would do, so it is worth changing these defaults on an Internet-facing production site. Keep in mind this only removes one fingerprint: other ASP.NET tells (the X-Powered-By and X-AspNet-Version response headers, __VIEWSTATE fields, stock error pages) still need to be dealt with separately. Luckily the renaming itself is quite easy.

To change the forms authentication cookie name, add the name attribute to the forms element inside the authentication section of web.config, for example name="myauthcookie".


To change the session cookie name, add a sessionState element to the system.web section and set its cookieName attribute. You can pick a name that imitates another web stack's default; for example cookieName="JSESSIONID" makes the site look like a Java servlet container at first glance.
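Both changes together, as an added example that is not from the original post: a trimmed web.config with only the relevant system.web entries. The names "myauthcookie" and "JSESSIONID" are arbitrary choices; loginUrl and the timeouts are the values the MVC4 Internet template ships with and are not required for the rename.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example web.config (not the original post's code). Only the
     cookie-related parts of system.web are shown; keep the rest of your
     project's config as generated by Visual Studio. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- Default cookie name is .ASPXAUTH; the name attribute overrides it.
           "myauthcookie" is an arbitrary choice. -->
      <forms name="myauthcookie" loginUrl="~/Account/Login" timeout="2880" />
    </authentication>

    <!-- Default cookie name is ASP.NET_SessionId; cookieName overrides it.
         "JSESSIONID" is chosen to resemble a Java servlet container. -->
    <sessionState mode="InProc" cookieName="JSESSIONID" timeout="20" />
  </system.web>
</configuration>
```

To verify after deploying, log in and inspect the response headers (browser dev tools or curl -I): the Set-Cookie lines should now read myauthcookie=... and JSESSIONID=... rather than .ASPXAUTH=... and ASP.NET_SessionId=.... Note that ASP.NET only issues the session cookie once something has actually been stored in Session, so hit a page that uses it.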
