4/06/2011

SharePoint Security Testing and Browser Use of Cookies

or… How to really confuse your SharePoint security testing!


I was doing some testing with SharePoint security today and was reminded of something I wanted to blog about… browsers and cookies, especially SharePoint session cookies.


Sessions

When you log on to SharePoint you establish a session on the web server to keep track of your visit. Without a session you would have to log on for each page load. ASP.NET keeps track of sessions by creating a session ID on the server and storing it in a cookie sent to your browser. This cookie is a temporary cookie and is lost when you close your browser.


What if I open a new browser and log in again?

What happens depends on how you open the new browser. The new browser may or may not share cookies with your existing browser windows, depending on how you open it and on which browser version you are using.


For IE 7

In IE 7 there are three ways to open a new browser/page: from the Start button or a desktop icon, from a new tab in the current browser and from the File New menu.

Let’s setup an example:

  1. Open IE 7 and navigate to a SharePoint site
    • Note the Welcome menu, it’s displaying your Windows credentials (User A)
  2. Click the Welcome menu and sign in as a different user (User B)
    • Note the Welcome menu, it’s displaying your new User B credentials
  3. Click a new tab in the browser and navigate to the same SharePoint site
    • Note the Welcome menu, it’s displaying your User B credentials
  4. Launch a new IE 7 from your Start menu and navigate to the same SharePoint site
    • Note the Welcome menu, it’s back to your Windows credentials (User A)

So in IE 7:

  • Opening a new tab shares the same session
  • Opening a new “window” with File, New Window shares the same session
  • Launching a new browser from the Start button starts a new independent session


For IE 6

IE 6 handles sessions the same as IE 7, but does not have tabs.


For IE 8

If you repeat the four steps in the IE 7 example you will find that in IE 8 they all share the same session, even if you launch a new browser from the Start menu!

So how can you start a new session?  IE 8 adds a fourth way to open a browser and handles sessions differently than IE 7. Go to the File menu and you will find a new option: File, New Session. This will launch a new session and not share cookies with other IE 8 sessions.

[Image: the IE 8 File menu showing the New Session option]


So in IE 8:

  • Opening a new tab shares the same session
  • Opening a new “window” with File, New Window shares the same session
  • Launching a new browser from the Start button shares the same session
  • Using File, New Session starts a new independent session

This is a big and unexpected change for most IE users.


And some things to think about (you do the testing):

  • I open IE 8 and log into a site, I use “File, New Session” and log in to the same site with a different ID, then I go to Start and open a new browser…   Which “session” am I in? (remember, opening a new browser shares an existing session)
  • I open IE 8 and visit a typical public site.  I then open a new browser (File, New Window or from Start). In the new browser I log into my bank and then close the browser. What happens when I go to the first browser and type in the URL to my bank?  (don’t try this on a public PC at the library!)

SharePoint Security Testing

If you are testing security, and you want to be sure as to what a “Member” might see that a “Visitor” does not, make very sure that you are really running in a new session.

To ensure a new session:

  • In IE 7 (or IE 6), start a new browser from your Windows Start button (don’t use a new tab or File, New Window)
  • In IE 8 always use File, New Session
  • Use two different PCs (this is the best solution!)
  • Use two different brands of browsers, such as IE and FireFox
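To make the session mechanics from the Sessions section and the “are you really in a new session?” check concrete, here is an added example (my own, not code from the post or from SharePoint) that models a SharePoint-like web front end issuing an ASP.NET_SessionId cookie, replays the four-step walkthrough for the IE 7 and IE 8 cookie-sharing behaviours, and shows a pre-flight check that two test browsers hold different session ids. The server, the dict used as a cookie jar, and the user names are constructed stand-ins.

```python
import secrets

SESSION_COOKIE = "ASP.NET_SessionId"

class SharePointStandIn:
    """Constructed stand-in for a SharePoint web front end (not real SharePoint).
    It issues an ASP.NET_SessionId cookie on the first request and remembers,
    per session id, which user the Welcome menu should display."""

    def __init__(self, windows_user="User A"):
        self.windows_user = windows_user  # identity from integrated Windows auth
        self.sessions = {}                # session id -> currently signed-in user

    def page_load(self, jar, sign_in_as=None):
        """Serve one page load; `jar` is the browser's cookie jar (a plain dict)."""
        sid = jar.get(SESSION_COOKIE)
        if sid is None or sid not in self.sessions:
            sid = secrets.token_hex(12)           # new session, default identity
            self.sessions[sid] = self.windows_user
            jar[SESSION_COOKIE] = sid             # browser stores the temporary cookie
        if sign_in_as:                            # Welcome > Sign in as Different User
            self.sessions[sid] = sign_in_as
        return self.sessions[sid]                 # what the Welcome menu shows

def walkthrough(start_menu_shares_cookies):
    """Replay the four steps from the post. IE 7: a browser launched from the
    Start menu gets its own cookie jar; IE 8: it shares the existing jar."""
    server = SharePointStandIn("User A")
    first_browser = {}                                      # one cookie jar per process
    seen = [server.page_load(first_browser)]                # 1. open the site
    seen.append(server.page_load(first_browser, "User B"))  # 2. sign in as User B
    new_tab = first_browser                                 # 3. a new tab shares the jar
    seen.append(server.page_load(new_tab))
    from_start = first_browser if start_menu_shares_cookies else {}
    seen.append(server.page_load(from_start))               # 4. launch from Start
    return seen

def sessions_are_isolated(server, jar_a, jar_b):
    """Pre-flight check before comparing Member vs Visitor views: the two
    browsers under test must hold different ASP.NET_SessionId values."""
    server.page_load(jar_a)
    server.page_load(jar_b)
    return jar_a[SESSION_COOKIE] != jar_b[SESSION_COOKIE]

if __name__ == "__main__":
    print("IE 7 Welcome menu per step:", walkthrough(start_menu_shares_cookies=False))
    print("IE 8 Welcome menu per step:", walkthrough(start_menu_shares_cookies=True))
```

If `sessions_are_isolated` returns False for the two browsers you are about to use, whatever permission difference you think you are testing is being viewed through one shared session.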

How to really confuse your SharePoint security testing!

  1. Log on to your computer as User A (Mike Smith)
  2. In SharePoint click Welcome, Sign in as Different User and login as User B (Sam Conklin)
  3. Perform any operation that uses a local desktop application such as Word, Excel and Windows Explorer

The local applications will be running with your local permissions, and if you are a SharePoint site owner or site collection administrator, then anything goes! Depending on your security setup, your local applications should be prompting for a username and password, but I have seen some that have not. In any case, you are thinking that you are testing as User B while SharePoint may be seeing you as User A.


What about Firefox?

The only copy I have on this PC is 3.6.1.6. It behaves like IE 8 in that no matter how I open a new browser or window it always shares the same session (shares the cookies). And… it does not even have a File, New Session option!  Even right-clicking the Firefox icon and selecting Run as Administrator shares the same session!


FYI… I have not tested Chrome or Safari
