A security experiment with Forms Authentication

Mar 30, 2012 at 2:09 PM
Edited Mar 30, 2012 at 2:32 PM

Five minutes ago, I logged into CodePlex from my laptop and checked 'Remember me next time'. Then I logged out.

Then I logged in from my desktop and changed my account password.

Then I went back to my laptop, went to CodePlex - and it logged me straight in. I'm now creating this discussion item using my CodePlex account without having been asked to enter a password.

This appears to be a real-world example of the vulnerability discussed at:

http://stackoverflow.com/questions/9944053/security-loophole-around-password-changes-with-net-formsauthentication-and-pers

- in other words, if you set a "remember me" cookie on a device that then gets stolen, the thief has full access to your CodePlex account and changing your password won't lock them out. 

(EDIT: Not singling out CodePlex here, you understand... it's just the first example I could think of of a high-profile public site that uses .NET forms authentication)
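One mitigation for the behaviour described in this post, added here as an illustrative example rather than code from CodePlex or from the original poster: bind every Forms Authentication ticket to a per-user "password stamp" that is regenerated on each password change, and reject any ticket whose stamp no longer matches on every request. `PasswordStampStore` is a constructed in-memory stand-in for a real user database, the user name and stamp value are sample data, and the Global.asax hook shown in the comment is an assumption about how the check would be wired in; the `System.Web.Security.FormsAuthentication` calls are the real .NET API.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Security;

// Stand-in for the user database (constructed sample data, not a real store).
public static class PasswordStampStore
{
    // userName -> opaque stamp issued at the most recent password change
    private static readonly Dictionary<string, string> Stamps =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "dylan", "2f1d0e4c0b7a4a21a6d8c9e3f4b5a6c7" }   // constructed value
        };

    public static string GetStamp(string userName)
    {
        string stamp;
        return Stamps.TryGetValue(userName, out stamp) ? stamp : null;
    }

    // Call this from the password-change handler. Every ticket issued before
    // this point now carries a stale stamp and fails IsTicketCurrent below,
    // so a "remember me" cookie on another device stops working.
    public static void RotateStamp(string userName)
    {
        Stamps[userName] = Guid.NewGuid().ToString("N");
    }
}

public static class StampedFormsAuth
{
    // Issue the auth cookie with the current stamp in UserData. Use this in
    // place of FormsAuthentication.SetAuthCookie / RedirectFromLoginPage.
    public static void SetAuthCookie(HttpResponseBase response, string userName, bool persistent)
    {
        DateTime now = DateTime.UtcNow;
        DateTime expires = persistent ? now.AddDays(14) : now.AddMinutes(30);
        var ticket = new FormsAuthenticationTicket(
            1, userName, now, expires, persistent,
            PasswordStampStore.GetStamp(userName) ?? string.Empty,
            FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,
            Secure = FormsAuthentication.RequireSSL,
            Path = FormsAuthentication.FormsCookiePath
        };
        if (persistent) cookie.Expires = expires;
        response.Cookies.Add(cookie);
    }

    // True only when the ticket decrypts, is unexpired, and its stamp matches
    // the user's current one; a ticket issued before a password change fails.
    public static bool IsTicketCurrent(string encryptedTicket)
    {
        if (string.IsNullOrEmpty(encryptedTicket)) return false;
        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(encryptedTicket); }
        catch (Exception) { return false; }   // tampered value or machineKey mismatch
        if (ticket == null || ticket.Expired) return false;

        string current = PasswordStampStore.GetStamp(ticket.Name);
        return current != null && string.Equals(current, ticket.UserData, StringComparison.Ordinal);
    }

    // Assumed wiring from Global.asax (runs after FormsAuthenticationModule has set the principal):
    //   void Application_PostAuthenticateRequest(object sender, EventArgs e)
    //   { StampedFormsAuth.RejectStaleTicket(new HttpContextWrapper(HttpContext.Current)); }
    public static void RejectStaleTicket(HttpContextBase context)
    {
        HttpCookie cookie = context.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null) return;
        if (IsTicketCurrent(cookie.Value)) return;

        // Stale or forged ticket: drop the principal so the request is treated
        // as anonymous (DefaultAuthenticationModule substitutes an anonymous
        // identity for null) and expire the cookie so the browser stops sending it.
        context.User = null;
        FormsAuthentication.SignOut();
    }
}
```

The stamp is an opaque random value rather than a hash of the password, so the cookie leaks nothing about the credential; the same rotation point can also be used when an account is locked or a user chooses "sign out everywhere". Because the check runs on every request rather than only at login, it closes the window for cookies that were already issued, which is exactly the case the post reproduces.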

Apr 2, 2012 at 10:54 PM

Hi Dylan,

Thanks for reporting your findings. We are actively looking to resolve this situation with the 'Remember Me' checkbox.

Thanks

Mark