Privilege Escalation and Session Hijacking in MVC5 Identity

I use ASP.NET Identity 2.0 for authentication (OWIN middleware) in my application. Session hijacking: when I log in, the Identity system creates AspNet.ApplicationCookie; I copied the AspNet.ApplicationCookie value and then logged out of the application. After logging out, I create the cookie (AspNet.ApplicationCookie) manually and refresh the page. It redirects me to the home page.

Privilege escalation: similarly, I logged in as user A, copied its cookie (AspNet.ApplicationCookie), and logged out. Then I logged in as user B, edited user B's cookie, pasted user A's cookie value into it, and saved it. After refreshing the browser, I am authenticated as user A.

I clear the entire session and delete all cookies when I log out. ASP.NET Identity (OWIN) generates a new AspNet.ApplicationCookie each time, but it still accepts the old cookie and gives me access. I do not know why. Can someone tell me how to invalidate the old AspNet.ApplicationCookie after logging out? This is my code in Startup.Auth.cs:

    public void ConfigureAuth(IAppBuilder app)
    {
        // Enable the application to use a cookie to store information for the signed in user
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login")
        });

        // Use a cookie to temporarily store information about a user logging in with a third party login provider
        app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);
    }

// This is the exit code

    public ActionResult LogOff()
    {
        // Delete all cookies while the user logs out
        string[] myCookies = Request.Cookies.AllKeys;
        foreach (var cookies in myCookies)
        {
            Response.Cookies[cookies].Expires = DateTime.Now.AddDays(-1);
        }
        Request.GetOwinContext().Authentication.SignOut(Microsoft.AspNet.Identity.DefaultAuthenticationTypes.ApplicationCookie);
        // AuthenticationManager.SignOut();
        Session.Clear();
        Session.RemoveAll();
        Session.Abandon();
        return RedirectToAction("LoginPage", "Account");
    }

// This is my login controller code

    public async Task<ActionResult> Login(LoginViewModel model, string returnUrl)
    {
        if (ModelState.IsValid)
        {
            var user = await UserManager.FindAsync(model.UserName, model.Password);
            if (user != null)
            {
                await SignInAsync(user, model.RememberMe);
                return RedirectToLocal(returnUrl);
            }
            else
            {
                ModelState.AddModelError("", "Invalid username or password.");
            }
        }
        // If we got this far, something failed, redisplay form
        return View(model);
    }
+5
1 answer

This is by design: it gives you the ability to log in from multiple browsers and log out only in the browser where you clicked "log out", not in all the others.

But on logout you can update the user's SecurityStamp, and then set the security stamp validation interval to a very short time.

This will change the security stamp:

    await userManager.UpdateSecurityStampAsync(user.Id);

Put this in your logout method.

And in your Startup.Auth.cs change UseCookieAuthentication as follows:

    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
        LoginPath = new PathString("/Account/Login"),
        Provider = new CookieAuthenticationProvider
        {
            // Enables the application to validate the security stamp when the user logs in.
            // This is a security feature which is used when you change a password or add an external login to your account.
            OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                validateInterval: TimeSpan.FromMinutes(1), // set this low enough to optimise between speed and DB performance
                regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
        }
    });

The only drawback of this approach is that when the logout procedure is not performed, nothing happens. And when you do log out, it logs out all other sessions too.

+2
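Putting the answer's two pieces together inside the question's LogOff action, as an added example that is neither the asker's nor the answerer's code: it assumes the standard MVC5 template, where `ApplicationUserManager` is registered in the OWIN context and `User.Identity.GetUserId()` comes from Microsoft.AspNet.Identity.

```csharp
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin.Security;

public class AccountController : Controller
{
    // Assumed: ApplicationUserManager is registered per request, as in the MVC5 template.
    private ApplicationUserManager UserManager
    {
        get { return HttpContext.GetOwinContext().GetUserManager<ApplicationUserManager>(); }
    }

    private IAuthenticationManager AuthenticationManager
    {
        get { return HttpContext.GetOwinContext().Authentication; }
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<ActionResult> LogOff()
    {
        // Read the user id before signing out, while the identity is certainly populated.
        var userId = User.Identity.GetUserId();
        if (userId != null)
        {
            // Rotating the security stamp makes every cookie issued before this point
            // fail SecurityStampValidator on its next check. As the answer notes, this
            // also ends the user's sessions in every other browser.
            await UserManager.UpdateSecurityStampAsync(userId);
        }

        AuthenticationManager.SignOut(DefaultAuthenticationTypes.ApplicationCookie);
        Session.Abandon();

        // A previously copied cookie can still pass for at most validateInterval
        // (1 minute in the answer's configuration) until the validator re-reads the stamp.
        return RedirectToAction("LoginPage", "Account");
    }
}
```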

Source: https://habr.com/ru/post/1232615/
