All geek questions in one place

Revoke aspx authentification cookie

I have an asp.net web form. when the user authenticates, he creates a secure cookie named .aspxauth

uppon logout, i call these 2 methods

FormsAuthentication.SignOut(); Session.Abandon()

The problem is that we had a penetration test, and if I steal a cookie, log out and manually insert the cookie, I will log in again. Therefore .aspauth is not invalid on the server side.

I searched it on Google and I cannot find the answer to this security violation.

+1
source share
2 answers

Read this article about session fixation and how to get rid of it once and for all:

http://www.dotnetfunda.com/articles/show/1395/how-to-avoid-the-session-fixation-vulnerability-in-aspnet

+1
source

Microsoft has confirmed this issue here: https://support.microsoft.com/en-us/kb/900111

They offer several ideas to mitigate this vulnerability:

  • secure application using SSL
  • Use TTL and absolute expiration
  • Use HttpOnly validation of cookies and forms in ASP.NET 2.0
  • Use Membership Class in ASP.NET 2.0

As for the latter, I will embed content from the site for convenience / preservation:

When you implement forms authentication in ASP.NET 2.0, you have the option of storing user information in a membership provider. This parameter is a new feature introduced in ASP.NET 2.0. The MembershipUser object contains specific users.

If the user is logged in, you can save this information in the Comment property of the MembershipUser object. If you use this property, you can develop a mechanism to reduce cookie playback issues in ASP.NET 2.0. This mechanism will perform the following steps:

  • You create an HttpModule that catches the PostAuthenticateRequest event.
  • If the FormsIdentity object is in the HttpContext.User property, the FormsAuthenticationModule class recognizes the forms authentication ticket as valid.
  • The user class HttpModule then gets a reference to the MemberhipUser instance associated with the authenticated user. You check the Comment property to determine if the user is logged in.

It is important . You should store information in the Comment property, which indicates when the user has explicitly written out. In addition, you must clear the information that is in the Comment property when the client eventually signs up again.

If the user is not currently registered, as indicated by the Comment property, you must take the following actions:

  • Clear cookie.
  • Set the Response.Status property to 401.
  • Make a call to the Response.End method, which will implicitly redirect the request to the login page.

Using this method, a forms authentication cookie will only be accepted if the user has not been explicitly issued and the forms authentication ticket has not expired.

+1
source

Source: https://habr.com/ru/post/921657/

More articles:


All Articles