ASP.NET Forms Authentication Security: the Generated Cookie

xiaoxiao2021-03-05  25

Original by fancyf (FancyRay)

I did this experiment because of http://community.9cbs.net/expert/topic/3927/3927012.xml?temp=.3752405. I originally thought that .NET authentication should be more secure: the generated cookie should also be tied to some parameter unique to this computer, so it should be invalid on another computer. So does a username correspond to one cookie value? Can I fool Forms authentication by forging a cookie value? Let's do a test. Web.config is modified as follows:

Login.aspx has only a username input box txtUsername, a password input box txtPassword and a submit button. The button's Click event handler is as follows:

    // Check the submitted credentials against those configured for Forms authentication
    if (FormsAuthentication.Authenticate(this.txtUsername.Text, this.txtPassword.Text))
    {
        // Issue a persistent authentication cookie and return to the requested page
        FormsAuthentication.RedirectFromLoginPage(this.txtUsername.Text, true);
    }
    else
    {
        Response.Write("login denied");
    }

With ieHTTPHeaders (http://www.blunch.info/) it can be seen that a cookie similar to this is added after authentication:

MyLab = 3FF83247C29EB5D14D61F389D453EEE0586B94E27609C321B017BE7B88D1A94D249996428A7A18F5C2D69F3C4DD2B88C00172CAFB0B4B4ED8784DB62D1D61BCC0C786B4EA7868FC6

It seems that this is the encrypted cookie. Next, switch to another computer and set the cookie to this value to see whether Forms authentication still asks for a login.
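The defending side of this test, as an added example that is not part of the original article: a Forms ticket holds the user name, issue and expiry times and a UserData string, and the framework itself records nothing about the client computer in it, so one mitigation is to place a random token in UserData and keep a server-side list of live tokens, which makes a copied cookie revocable. The class RevocableTicket and its methods are hypothetical names; the code assumes .NET Framework 4 or later, a site served over HTTPS and a single web server.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Added example (hypothetical helper, not from the original article).
public static class RevocableTicket
{
    // Live logins: random token -> user name. In-memory, so single-server only.
    static readonly ConcurrentDictionary<string, string> Live =
        new ConcurrentDictionary<string, string>();

    // Login.aspx: call after FormsAuthentication.Authenticate(...) succeeds,
    // then redirect with FormsAuthentication.GetRedirectUrl(userName, false).
    public static void Issue(HttpResponse response, string userName)
    {
        byte[] raw = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(raw);
        string token = Convert.ToBase64String(raw);
        Live[token] = userName;
        var ticket = new FormsAuthenticationTicket(1, userName, DateTime.Now,
            DateTime.Now.AddMinutes(20), false, token, FormsAuthentication.FormsCookiePath);
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket));
        cookie.Path = FormsAuthentication.FormsCookiePath;
        cookie.HttpOnly = true;   // not readable from page script
        cookie.Secure = true;     // assumption: the site is served over HTTPS
        response.Cookies.Add(cookie);
    }

    // Global.asax: call from Application_AuthenticateRequest.
    public static void Enforce(HttpContext context)
    {
        var id = context.User == null ? null : context.User.Identity as FormsIdentity;
        if (id == null) return;   // anonymous request, nothing to check
        string owner;
        bool live = Live.TryGetValue(id.Ticket.UserData ?? "", out owner) && owner == id.Name;
        if (!live)                // ticket decrypts correctly but was revoked or never issued here
            context.User = new GenericPrincipal(new GenericIdentity(""), new string[0]);
    }

    // Logout: SignOut() only clears this browser's cookie; removing the token kills every copy.
    public static void Revoke(HttpContext context)
    {
        var id = context.User == null ? null : context.User.Identity as FormsIdentity;
        string ignored;
        if (id != null) Live.TryRemove(id.Ticket.UserData ?? "", out ignored);
        FormsAuthentication.SignOut();
    }
}
```

Tickets issued by RedirectFromLoginPage carry an empty UserData, so Enforce treats them as not live; the 20-minute lifetime and non-persistent cookie are illustrative choices.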

Add this statement to the login.aspx page: