Can some hacker steal a web browser cookie from a user and login with that name on a web site?

Is it possible to steal a cookie and authenticate as an administrator? Yes, it is possible: if the Forms Auth cookie is not encrypted, someone could hack their cookie to give them elevated privileges or, if SSL is not required, copy another person’s cookie. However, there are steps you can take to mitigate these …

ASP.NET MVC – Set custom IIdentity or IPrincipal

Here’s how I do it. I decided to use IPrincipal instead of IIdentity because it means I don’t have to implement both IIdentity and IPrincipal.

Create the interface

    interface ICustomPrincipal : IPrincipal
    {
        int Id { get; set; }
        string FirstName { get; set; }
        string LastName { get; set; }
    }

CustomPrincipal

    public class …