In order to minimize the XSS vulnarabilites, Microsoft had implemented a "HttpOnly" cookie feature in IE 5.0 and above versions. This feature prevents other scripts or applications (e.g. applets) from directly accessing the cookie marked as "HttpOnly". Fair enough, though not everyone agrees that this really prevents any attack but I think its a good idea. ( http://www.gnucitizen.org/blog/why-httponly-wont-protect-you)
What is the relation of HttpOnly cookies with SharePoint? Well, as you know SharePoint 2007 is a ASP.NET 2.0 application, which means its utilizes all underlying features of ASP.NET 2.0 such as authentication and authorization. When ASP.NET authenticate user via form, it generates a cookie called ".ASPXAUTH" cookie. This cookie by default is marked as httpOnly, which mean no other applications should be able to access this cookie, including windows call such as InternetGetCookie (http://msdn2.microsoft.com/en-us/library/aa384710.aspx) which gets all cookies stored on your computer for a given site but respects the "HttpOnly" flag..
Office applications such as Word, Excel and SharePoint designer does not work well with Form Authentication but you can make it by setting the authentication cookie to persistent cookie. When you set the form authentication, the SharePoint login page has a check box to remember the userId/Password, this creates a persistent cookie, After this setting, if you open the Office applications, you are not prompted for authentication. If the Office applications are playing by rule and using the InternetGetCookie() method to get the cookies for a given url then they should not be getting the ASPXAuth cookie as this cookie is set as "HttpOnly" cookie by SharePoint/ASP.NET Form Authentication Handler? After monitoring the office appliations, I noticed that I office applications directly access the local cookie folder to read the cookies files.
My only guess is they are bypassing any standard windows call s and reading the temporary internet folder for cookies and parsing the cookies using undocumented features:) . Agreed, its a good feature to support the form authentication with office applications but directly accessing cookies is not something I expected specially after all the preaching they did on the securities
Your thoughts please?
Saturday, September 01, 2007
Subscribe to:
Post Comments (Atom)
2 comments:
check out the InternetGetCookieEX function http://msdn.microsoft.com/en-us/library/aa384714(VS.85).aspx
It has a flag for getting HTTPONLY cookies with ie8 or later. HOWEVER, I have not been able to get it to work yet...
check out the InternetGetCookieEX function http://msdn.microsoft.com/en-us/library/aa384714(VS.85).aspx
It has a flag for getting HTTPONLY cookies with ie8 or later. HOWEVER, I have not been able to get it to work yet...
Post a Comment