Persistent Forms Authentication Cookie Behavior

After (the application of these update(s)), visitors who have a persistent forms authentication cookie (the “remember me” scenario on login) will no longer be logged into your site – and will need to login again.  The ASP.NET Forms Authentication system by default automatically handles this scenario for you – and will redirect visitors with a pre-patch forms-authentication cookie to the login page you’ve configured for your site.  No error page is displayed – the behavior the end-user sees is the same as if the cookie had timed out.  This is a good user experience and doesn’t require you to take any additional steps to ensure un-interrupted traffic to your site.

Note: We have had a few customers report problems with persistent forms-auth cookies that turned out to be issues either in their application code, or in a third party logging component they used.  Specifically, this application code attempted its own decryption of the forms authentication cookie and threw exceptions when the cookie did not decrypt successfully. If after applying the security update you see issues with people who have saved forms authentication cookies visiting your site you might also be encountering this.  There are two ways you can fix it: 1) update your code to not throw exceptions to end-users in these cases, or 2) modify the name of the forms-auth cookie that ASP.NET’s Forms Authentication system uses.  Approach #2 is easy and doesn’t require any code changes - just modify the <forms name=".ASPXAUTH"/> configuration section in your web.config file and switch to a different cookie name.  This will prevent your code from throwing exceptions because the old cookie failed to decrypt (instead the system will ignore the old cookie and issue all new cookies under the new cookie name you’ve configured).

UPDATE 09/28/2010: 

Microsoft has released an advance notification security bulletin announcing that they are releasing an security update to address the ASP.net Security Vulnerability.   According to Microsoft, the security update is fully tested, and is scheduled for release today - Tuesday September 28th – at approximately 10:00 AM PDT.

3Essentials is reviewing the availability updates, and intends to proceed with applying them as soon as a judicious review and testing of them can be completed.  There are a multitude of updates depending on the specific combination of ASP.net versions, and operating system versions (i.e., Win2003, Win2008 Win2008 R2, etc). 

Once the update is applied to a system, the workaround previously referenced will no longer be required.  Until we have posted that the application of this update has been completed, please do make sure to continue using the workaround.

On 09/17/2010, Microsoft published a Security Advisory regarding a vulnerability in ASP.NET, which can be found here:

• http://www.microsoft.com/technet/security/advisory/2416728.mspx

The Executive Summary from this advisory is as follows:

Executive Summary
Microsoft is investigating a new public report of a vulnerability in ASP.NET. An attacker who exploited this vulnerability could view data, such as the View State, which was encrypted by the target server, or read data from files on the target server, such as web.config. This would allow the attacker to tamper with the contents of the data. By sending back the altered contents to an affected server, the attacker could observe the error codes returned by the server. We are not aware of attacks that try to use the reported vulnerabilities or of customer impact at this time.

This vulnerability affects all versions of ASP.NET frameworks and therefore all websites developed and hosted using ASP.NET 1.0, 1.1, 2.0, 3.0, 3.5, and 4.0, including:

• DotNetNuke sites (all versions).
• all other content management systems based on ASP.net technology.
• any custom developed websites based on ASP.NET technology.

Microsoft has not released a server side patch, however 3Essentials recommends all hosting customers using ASP.NET review the vulnerability within the context of their site, and make their own assessment as to risk, and whether to implement a suggested workaround noted below.

3Essentials intends to deploy any server-side patch released by Microsoft as soon as such a patch is made publicly available.  Until then, hosting customers should consider applying the workaround.

We strongly recommend you read the following articles in order to gain a sufficient understanding of the vulnerability and your potential exposure.

Frequently Asked Questions about the ASP.NET Security Vulnerability
http://weblogs.asp.net/scottgu/archive/2010/09/20/frequently-asked-questions-about-the-asp-net-security-vulnerability.aspx

Understanding the ASP.NET Vulnerability
http://blogs.technet.com/b/srd/archive/2010/09/17/understanding-the-asp-net-vulnerability.aspx

Workaround

The following workaround is suggested on Microsoft's ASP.net development community site:

• http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx

Additionally, DNN cusotmers should review DNN's instructions for implementing this workaround:

• http://www.dotnetnuke.com/Community/Blogs/tabid/825/EntryId/2798/ASP-NET-Security-Vulnerability-workaround-for-DotNetNuke-sites.aspx

At the bottom of this article, information on .Net versions available on 3Essentials servers is provided, which you may need if you decide to implement the workaround.

Will 3Essentials be automatically implementing this workaround on my site?

No.  There is currently no server-side patch released by Microsoft as of yet.  3Essentials intends to deploy any server-side patch released by Microsoft as soon as such a patch is made publicly available.  The workaround documented on the ASP.net development community recommends modifying an your website's unique ASP.net configuration for error handling as specified in your site's web.config, to modify the error handling behavior, and mitigate the vulnerability.  Many 3Essentials customers have customized settings within their ASP.net web.config for error handling, and 3Essentials cannot apply a one-size-fits-all change to site-specific configuraiton parameter without potentially affecting the functionality of many customer websites against their wishes. 

As such, it is the responsibility of the individual website owner/administrator to evaluate the workaround, decide if you are going to implement it, and then implement it by modifying your web.config as noted in the workaround. 

What .NET Framework version is running on my site?

If you're unsure, log into your Plesk control panel, click your domain, click SETUP (hosting setup), and the ASP.net version enabled on your domain will be shown about midway down the page.  Note that ASP.net 2.0 will show for versions on servers where ASP.net 3.0, 3.5 SP1 are installed.  This is because 3.0 and 3.5 are just add-on components to the 2.0 base framework version.   All servers that have ASP.net 2.0 installed and active on their site also have the ASP.net 3.0 and ASP.net 3.1 SP1 supplemental components also installed and active. To know if 3.0/3.5 versions are applied to your server, please see the chart below:

To clarify, if you have ASP.net 2.0 selected within your hosting settings, and you're hosted on a server with ASP.net 3.5 SP1 installed, you are running ASP.net 3.5 SP1.