4

We have an authentication setup where we disallowed everything but bearer tokens sent in headers.

However, I have a situation where I need to use a cookie instead for one Web API controller.

I can see that there is already a cookie sent in the request named ".aspnet.cookies" with an encrypted value populated.

It would solve my problem if I could just find a way to decrypt the value, but I'm not clear how to do so.

Sadly, I can't just configure authentication to automatically use the cookie for a technical reason.

Does anyone know what class I can use to make a call to manually decrypt the cookie value?

Colin

3 Answers

4

I (the OP) have been working on this today, and I didn't find the exact answer I was looking for, but did find a workaround.

I am pretty convinced that the OWIN middleware is using an ISecureDataFormat internally somehow to protect/unprotect the cookie I was seeing (named ".aspnet.cookies"). I couldn't figure out which ISecureDataFormat the framework used, but I did find out where we were using one to handle the bearer token passed in the AJAX request headers.

Basically, in an AuthStartup class, I had some OAuthAuthorizationServerOptions and found that we used its AccessTokenFormat property (which is an ISecureDataFormat) to handle the bearer token.

Since I could access AuthStartup.OAuthOptions.AccessTokenFormat from my class, I decided to just put the value of the bearer token into my own session cookie, then use AuthStartup.OAuthOptions.AccessTokenFormat.Unprotect() to decrypt its value.

This gave me an AuthenticationTicket, whose Identity I could stuff into a GenericPrincipal, which I then assigned to System.Threading.Thread.CurrentPrincipal and HttpContext.Current.User in a custom FilterAttribute/IAuthorizationFilter which I applied to the controller that needed to use cookies.

I wish I knew how to handle the situation more elegantly, but it worked for what I wanted to accomplish.

Colin
  • So, you went and found the code that was writing that value, exactly like I said to do! At that point you came up with a good solution. UP-Vote :) – Jasmine Mar 29 '14 at 00:02
  • Actually, no. The code that writes the value to the ".aspnet.cookies" cookie is still a question mark. I just crafted my own custom solution by piggybacking off of the code we used to create a bearer token. Thank you for trying to help, though! I do appreciate it! – Colin Mar 29 '14 at 03:32
  • So you didn't actually figure out how to decrypt the cookie, just decided to do something completely different? – Jasmine Mar 31 '14 at 20:16
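The workaround the answer describes, written out as an ASP.NET Web API 2 authorization filter. This is an added example, not code from the question or any answer: it assumes a cookie named "my-session" that our own code populates with `Startup.OAuthOptions.AccessTokenFormat.Protect(ticket)`, and that `Startup.OAuthOptions` is the static `OAuthAuthorizationServerOptions` the Web API SPA template exposes (the answer calls it `AuthStartup.OAuthOptions`). It also adds the two checks a practitioner would want that the answer does not mention: `Unprotect()` returns null rather than throwing on a tampered or unreadable value, and it does not enforce expiry, so the filter checks `ExpiresUtc` itself, as the bearer middleware does.

```csharp
// Added example (not from the original post). Assumptions: cookie name "my-session",
// written by our own code with Startup.OAuthOptions.AccessTokenFormat.Protect(ticket);
// Startup.OAuthOptions is the static OAuthAuthorizationServerOptions from the Web API template.
using System;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Security.Claims;
using System.Threading;
using System.Web;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;
using Microsoft.Owin.Security;

public class TicketCookieAuthorizeAttribute : AuthorizationFilterAttribute
{
    private const string CookieName = "my-session"; // assumed name, set by our own code

    public override void OnAuthorization(HttpActionContext actionContext)
    {
        AuthenticationTicket ticket = ReadTicket(actionContext.Request);
        if (ticket == null)
        {
            actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Unauthorized);
            return;
        }

        var principal = new ClaimsPrincipal(ticket.Identity);
        actionContext.RequestContext.Principal = principal; // what Web API's [Authorize] reads
        Thread.CurrentPrincipal = principal;
        if (HttpContext.Current != null)
        {
            HttpContext.Current.User = principal;
        }
    }

    private static AuthenticationTicket ReadTicket(HttpRequestMessage request)
    {
        // Cookie header -> protected ticket string (GetCookies is the System.Net.Http.Formatting helper).
        string protectedValue = request.Headers.GetCookies(CookieName)
            .Select(header => header[CookieName])
            .Where(state => state != null)
            .Select(state => state.Value)
            .FirstOrDefault();
        if (string.IsNullOrEmpty(protectedValue))
        {
            return null;
        }

        // The same ISecureDataFormat<AuthenticationTicket> the bearer middleware uses to
        // Protect() access tokens, so it can Unprotect() exactly what our code stored.
        ISecureDataFormat<AuthenticationTicket> format = Startup.OAuthOptions.AccessTokenFormat;
        AuthenticationTicket ticket = format.Unprotect(protectedValue);

        // Unprotect() returns null (it does not throw) on tampered or undecodable input.
        if (ticket == null || ticket.Identity == null || !ticket.Identity.IsAuthenticated)
        {
            return null;
        }

        // Unprotect() only verifies and decrypts; the bearer middleware checks ExpiresUtc
        // itself, so a cookie-based path has to do the same or expired tickets stay valid.
        DateTimeOffset? expires = ticket.Properties != null ? ticket.Properties.ExpiresUtc : null;
        if (expires.HasValue && expires.Value < DateTimeOffset.UtcNow)
        {
            return null;
        }

        return ticket;
    }
}
```

Apply the attribute to the one controller that must accept the cookie and leave the bearer-only configuration in place everywhere else. Because the cookie is now an ambient credential that the browser attaches automatically, which the header-only design avoided, set it HttpOnly and Secure and treat the controller's state-changing actions as needing CSRF protection.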
1

I am not sure if you are referring to reading the cookie or decrypting custom data inside of the cookie. If it is a FormsAuthentication cookie, as it seems to be in your case, then you will need to extract the FormsIdentity ticket of the authenticated request, which is in the form of a FormsAuthenticationTicket.

If you are asking to decrypt custom data inside FormsAuthenticationTicket.UserData then you will need to use the same crypto that was used for encryption.

Ross Bush
  • I want to decrypt the value of the cookie and I'm actually not using Forms Auth (which is a bummer, because I could just use FormsAuthentication.Decrypt() if that were the case). See my comments on Jasmine's answer for detail. – Colin Mar 28 '14 at 20:02
0

It's not an encrypted value, it's a token/ticket/sessionID. This is all very well documented...

This tells how to read and put cookies - it's very easy... http://msdn.microsoft.com/en-us/library/ms178194.ASPX

This tells all about the ASP.Net authentication cookies... http://support.microsoft.com/kb/910443

Jasmine
  • I'm not using Forms Auth, I'm using OWIN and my whole question wasn't about how to use cookies, but how to decrypt the ticket in the value of the auth cookie. By the way, it's 491 characters, so it's highly doubtful it's just an ID. – Colin Mar 28 '14 at 19:53
  • By the way, I actually tried to use FormsAuthentication.Decrypt() to see if it used the same mechanism, but it doesn't. I'm guessing that I need to use some implementation of the ISecureDataFormat.Unprotect() method, but I'm not sure how to identify the exact class I want to use and how to initialize it. – Colin Mar 28 '14 at 19:59
  • If it's a cookie that you are putting with your own code, how is it possible that you don't know how to decrypt it? Go find the code that puts that cookie and it should be obvious at that point, right? You have not given enough information for us to answer the question, but I suspect you have the information in your code-base somewhere. Impossible for it not to be, really. – Jasmine Mar 28 '14 at 21:33
  • @Jasmine, you don't understand the question. [asp.net/identity](http://www.asp.net/identity/overview/getting-started/introduction-to-aspnet-identity) is the technology in use, and the OWIN middleware is setting the cookie, not the developer specifically. I'm looking forward to this question hopefully getting answered as well. – Adam Venezia Mar 28 '14 at 22:29
  • Exactly right. Somewhere, the middleware seems to be using an ISecureDataFormat to protect/unprotect the cookie contents. I didn't figure out the exact mechanics or how to get at the proper ISecureDataFormat, but I did implement a workaround I'll write up in an answer. – Colin Mar 28 '14 at 22:44
  • Oh I understand - that cookie isn't just showing up by magic, there is some code that is causing it to be there. If you are setting OWIN keys, you are doing that, you have access to that code. – Jasmine Mar 29 '14 at 00:01