Here I'm going to describe, in a semi-formal manner, how FSCAuth works, emphasizing the algorithm rather than the implementation.
A few definitions:
- Hash(x): The Hasher function. By default this is SHA-256 in FSCAuth
- UserID: The UserData.UniqueID string
- Username: The user name of the user
- PasswordHash: The created password hash
- Password: The plaintext password
- UniqueHash: The UniqueHash value for the entire site; a secret the site keeps to itself
- SiteName: The name of the site (used in the cookie name and in the cookie Secret)
- Base: The base path of the website. If CookieUseBase is false, then this is an empty string.
- IP: The IP address of the client. If CookieUseIP is false, then this is an empty string.
- UserAgent: The user agent string from the client's browser. If CookieUseBrowserInfo is false, then this is an empty string.
- Now(): The current time as a 32-bit UTC Unix timestamp
+ is string concatenation. "abc" + "xyz" is equal to "abcxyz"
To create a new user, the only thing we must create is the password hash. A password hash is constructed as follows:
PasswordHash := Hash("fscauth" + Password + Username + UserID + UniqueHash);
Then, when creating a new authentication cookie, we populate the following fields.
The cookie name itself is
Hash(SiteName) + "_login" or
SiteName + "_login", depending upon the HashCookieName variable.
The Name field is the plaintext username of the user to be authenticated.
The Expires field is a UTC Unix timestamp of when the cookie should expire.
The Secret field ties the other fields, the user's password hash and the client together:
Secret := Hash(PasswordHash + IP + Base + UserAgent + Expires + UniqueHash + SiteName)
Because Expires, IP, Base and UserAgent are all inputs to the hash, a client that edits any of them in its cookie (for instance to push Expires into the future) no longer holds a valid Secret.
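The following is an added example that carries the formulas above through in Python; it is not FSCAuth's own code (FSCAuth is a C# library, but the page is about the algorithm, so the language does not matter). Everything the page leaves unspecified is an assumption here: Hash() is rendered as lowercase hex, Expires is concatenated as its decimal string, the three cookie fields are joined with "|", the SiteConfig and ClientInfo containers are hypothetical, and the verification step (re-deriving Secret from the stored PasswordHash and the current request, comparing in constant time, and rejecting expired cookies) is the natural counterpart the page implies rather than something it states. The user, secret and client values are constructed for the example.

```python
# Added example, not FSCAuth's own code. Implements the page's PasswordHash,
# cookie-name and Secret formulas and a verification step the page implies.
# Assumptions: hex-encoded SHA-256, decimal Expires, "|"-joined cookie value,
# hypothetical SiteConfig/ClientInfo holders, constructed sample values.
import hashlib
import hmac
from dataclasses import dataclass


def fsc_hash(s: str) -> str:
    """Hash(x): SHA-256, FSCAuth's default. Lowercase-hex output is an assumption."""
    return hashlib.sha256(s.encode("utf-8")).hexdigest()


def password_hash(password: str, username: str, user_id: str, unique_hash: str) -> str:
    """PasswordHash := Hash("fscauth" + Password + Username + UserID + UniqueHash)."""
    return fsc_hash("fscauth" + password + username + user_id + unique_hash)


@dataclass
class SiteConfig:
    """Hypothetical holder for the site-wide settings the page names."""
    site_name: str
    unique_hash: str               # site-wide secret; must never reach the client
    hash_cookie_name: bool = True
    cookie_use_ip: bool = True
    cookie_use_base: bool = True
    cookie_use_browser_info: bool = True
    base: str = "/"                # base path of the website


@dataclass
class ClientInfo:
    """What the server sees of the client on this request (constructed)."""
    ip: str
    user_agent: str


def cookie_name(cfg: SiteConfig) -> str:
    """Hash(SiteName) + "_login" or SiteName + "_login", per HashCookieName."""
    prefix = fsc_hash(cfg.site_name) if cfg.hash_cookie_name else cfg.site_name
    return prefix + "_login"


def cookie_secret(cfg: SiteConfig, pw_hash: str, client: ClientInfo, expires: int) -> str:
    """Secret := Hash(PasswordHash + IP + Base + UserAgent + Expires + UniqueHash + SiteName).
    A disabled binding contributes the empty string, as the definitions state."""
    ip = client.ip if cfg.cookie_use_ip else ""
    base = cfg.base if cfg.cookie_use_base else ""
    ua = client.user_agent if cfg.cookie_use_browser_info else ""
    return fsc_hash(pw_hash + ip + base + ua + str(expires) + cfg.unique_hash + cfg.site_name)


def make_cookie(cfg: SiteConfig, username: str, pw_hash: str, client: ClientInfo, expires: int) -> str:
    """Cookie value carrying Name, Expires and Secret ("|"-joining is an assumption)."""
    return "|".join([username, str(expires), cookie_secret(cfg, pw_hash, client, expires)])


def verify_cookie(cfg: SiteConfig, value: str, client: ClientInfo, lookup_pw_hash, now: int):
    """Re-derive Secret from the stored PasswordHash and the *current* client info,
    compare in constant time, and reject expired cookies. Returns the username or None."""
    try:
        username, expires_s, presented = value.split("|")
        expires = int(expires_s)
    except ValueError:                  # malformed value or non-numeric Expires
        return None
    if expires <= now:                  # Now() from the definitions
        return None
    pw_hash = lookup_pw_hash(username)
    if pw_hash is None:                 # unknown user
        return None
    expected = cookie_secret(cfg, pw_hash, client, expires)
    if not hmac.compare_digest(expected, presented):
        return None
    return username


if __name__ == "__main__":
    cfg = SiteConfig(site_name="example", unique_hash="site-secret-pepper")
    client = ClientInfo(ip="203.0.113.5", user_agent="ExampleBrowser/1.0")
    pw = password_hash("correct horse", "alice", "user-0001", cfg.unique_hash)
    store = {"alice": pw}               # constructed stand-in for the user table
    cookie = make_cookie(cfg, "alice", pw, client, expires=1_700_000_000)
    print(cookie_name(cfg), "=", cookie)
    print("valid:", verify_cookie(cfg, cookie, client, store.get, now=1_699_999_000))
    print("expired:", verify_cookie(cfg, cookie, client, store.get, now=1_700_000_000))
    other = ClientInfo(ip="198.51.100.9", user_agent=client.user_agent)
    print("from another IP:", verify_cookie(cfg, cookie, other, store.get, now=1_699_999_000))
```

Note that the verifier looks up PasswordHash by the Name field and feeds the request's own IP and User-Agent into the recomputation, so a cookie stolen and replayed from a different address fails when CookieUseIP is on, and any edit to Expires changes the expected Secret.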
Because UniqueHash is mixed into both the cookies and the password hashes, an attacker who obtains the password hash table or a captured cookie cannot verify password guesses or forge a Secret without also knowing UniqueHash. This holds only as long as UniqueHash is kept secret; since Hash is a single SHA-256 pass, which is fast to compute, the secrecy of UniqueHash is what stands between a leaked hash table and an offline guessing attack. The contents of this variable can be kept either in the Web.config or in the C# source code. Note that a value in the source code ends up in the compiled assembly, so anyone who can read the deployed application can recover it; a value in Web.config is only as secret as that file.
As well as this, a unique per-user Salt is used for each password hash; how the salt is put into the hash is left to the developer.