
Why ASP.NET forms authentication is broken, and what to do about it

About the Talk

July 18, 2012 12:30 PM

Virtual


ASP.NET forms authentication is subtly broken in a way that causes problems for applications in general, and in particular for ones running on multiple machines in load-balanced setups and web farms, such as the one found on AppHarbor's cloud platform. These problems include:

  • Machine keys are regenerated on app-pool recycles, invalidating sessions
  • Machine keys have to be the same on every web worker for sessions to work across multiple workers
  • Session-cookie encryption changes surprisingly often with updates from Microsoft, causing sessions to become invalid

In this talk we'll explore these problems in greater detail and then go on to demo how to implement your own session management that is secure and durable.

[The first part of the talk is loosely based on this blog post: http://blog.appharbor.com/2012/02/22/asp-net-forms-authentication-considered-broken]
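The first two problems above both come from letting ASP.NET generate machine keys per process. As an added illustration (not material from the talk or from AppHarbor), this web.config fragment shows the implicit default beside an explicit machineKey; the key values are placeholders, not real keys.

```xml
<!-- Added example, not from the talk. Key values are placeholders:
     generate your own from a cryptographically secure random source. -->
<configuration>
  <system.web>
    <!-- Implicit default: keys are auto-generated per process, so they
         change on every app-pool recycle and differ between web workers.
         Cookies signed/encrypted by one worker are rejected by another. -->
    <!-- <machineKey validationKey="AutoGenerate,IsolateApps"
                     decryptionKey="AutoGenerate,IsolateApps" /> -->

    <!-- Explicit keys: identical on every worker and unchanged across
         recycles, so forms-auth tickets stay valid farm-wide. -->
    <machineKey
      validationKey="PLACEHOLDER_HEX_VALIDATION_KEY"
      decryptionKey="PLACEHOLDER_HEX_DECRYPTION_KEY"
      validation="HMACSHA256"
      decryption="AES" />
  </system.web>
</configuration>
```

Treat the two key values as secrets: anyone holding them can forge authentication tickets, so keep them out of source control and rotate them deliberately rather than per recycle.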
