asp.net mvc - Logging out of WebForms Authentication does not remove the authentication on the server
I use the out-of-the-box WebForms authentication.
After a "logout" request, using:
FormsAuthentication.SignOut();
the user is logged out by removing the ".ASPXAUTH" cookie from the client browser.
This works as expected.
Our site got security audited, and the auditor claimed that the authentication token is not deleted on the server when the user logs out.
I can reproduce the behaviour using Fiddler:
- I log in to the site and copy the ".ASPXAUTH" cookie.
- I log out: the cookie is deleted on the client, and I don't have access to secured pages anymore.
- I send a request to the site using the Fiddler composer with the previously copied ".ASPXAUTH" cookie. I can access secured pages with that cookie.
The expected result is that, if I log out, I can no longer access secured pages by providing the old .ASPXAUTH cookie.
Is there a way to invalidate the old .ASPXAUTH cookie on the server?
I solved it by storing a salt value in the auth cookie that also gets saved in the database for the user when he logs in.
On each request there is a check whether the salt in the auth cookie is the same as the one in the database. If not, the user gets logged out.
If the user logs out, the salt gets deleted from the database, so the old auth cookie can't be used anymore.
Store the salt when logging in:
```csharp
// Generate a new 6-character password with 2 non-alphanumeric characters.
string formsAuthSalt = Membership.GeneratePassword(6, 2);

FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
    1,
    orderAuthToken.Email,
    DateTime.Now,
    DateTime.Now.AddMinutes(20),
    ApplicationConfiguration.CreatePersistentCookie,
    formsAuthSalt,                          // salt travels in the ticket's UserData
    FormsAuthentication.FormsCookiePath);

// Encrypt the ticket and hand it to the client.
string encTicket = FormsAuthentication.Encrypt(ticket);
Response.Cookies.Add(new HttpCookie(FormsAuthentication.FormsCookieName, encTicket));

// Persist the same salt with the user so it can be compared on each request.
UserInfo user = userService.GetUser(orderAuthToken.Email);
user.FormsAuthenticationCookieSalt = formsAuthSalt;
userService.UpdateUser(user);
```
Check the salt in a filter; decorate all actions with:
```csharp
using System.Linq;
using System.Web;
using System.Web.Mvc;
using System.Web.Routing;
using System.Web.Security;

public class CheckFormsAuthenticationCookieSalt : ActionFilterAttribute
{
    private readonly IUserService userService = ObjectFactory.GetInstance<IUserService>();

    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        if (filterContext.HttpContext.Request.IsAuthenticated)
        {
            // Decrypt the ticket from the forms cookie, if one was sent.
            if (HttpContext.Current.Request.Cookies.AllKeys.Contains(FormsAuthentication.FormsCookieName))
            {
                var cookie = HttpContext.Current.Request.Cookies[FormsAuthentication.FormsCookieName];
                if (cookie != null)
                {
                    FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(cookie.Value);
                    if (ticket != null)
                    {
                        string salt = ticket.UserData;
                        int userId = userService.GetUniqueId(filterContext.HttpContext.User.Identity.Name, true, false, "myappname");
                        UserInfo user = userService.GetUser(userId);

                        // For deployment: don't log out existing users whose cookie has no salt yet.
                        if (user.FormsAuthenticationCookieSalt != salt && user.FormsAuthenticationCookieSalt != "seed")
                        {
                            FormsAuthentication.SignOut();
                            filterContext.Result = new RedirectToRouteResult(
                                new RouteValueDictionary { { "action", "index" }, { "controller", "home" } });
                        }
                    }
                }
            }
        }

        base.OnActionExecuting(filterContext);
    }
}
```
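The auditor's finding is inherent to forms authentication: the ticket is an encrypted, signed blob held entirely by the client, and `FormsAuthentication.SignOut()` only tells the browser to drop it; the server keeps no record that could be deleted. The approach above adds that record. The following is an added example of the same login/check/logout cycle, not code from the original answer: it assumes a hypothetical `IUserSaltStore` persistence interface resolved through MVC's `DependencyResolver`, draws the per-login value from a CSPRNG instead of `Membership.GeneratePassword`, performs the check in an `AuthorizeAttribute` subclass so it runs in the authorization stage before any action filter, and includes the logout step that clears the stored salt, which is what actually revokes an already-issued cookie.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Hypothetical persistence abstraction (assumed for this example); back it with the user table.
public interface IUserSaltStore
{
    string GetSalt(string userName);            // null/empty when the user has no live login
    void SetSalt(string userName, string salt);
}

public static class ServerSideFormsAuth
{
    // Per-login random value: 16 bytes from a CSPRNG, base64 so it fits in the ticket's UserData.
    static string NewSalt()
    {
        var bytes = new byte[16];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(bytes);
        return Convert.ToBase64String(bytes);
    }

    // Login: record the salt server-side first, then issue the ticket that carries it.
    public static void SignIn(HttpResponseBase response, IUserSaltStore store, string userName, bool persistent)
    {
        string salt = NewSalt();
        store.SetSalt(userName, salt);

        var ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.AddMinutes(20),
            persistent, salt, FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                          // keep script away from the ticket
            Secure = FormsAuthentication.RequireSSL   // honour <forms requireSSL="true">
        };
        if (persistent) cookie.Expires = ticket.Expiration;
        response.Cookies.Add(cookie);
    }

    // Logout: clearing the stored salt revokes every ticket issued for this login;
    // SignOut() on its own only removes the client's copy of the cookie.
    public static void SignOut(IUserSaltStore store, string userName)
    {
        store.SetSalt(userName, null);
        FormsAuthentication.SignOut();
    }

    // True only if the presented ticket is valid, unexpired, and carries the salt currently on record.
    public static bool TicketIsLive(HttpRequestBase request, IUserSaltStore store)
    {
        var cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return false;

        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { return false; }            // tampered or undecryptable cookie
        if (ticket == null || ticket.Expired) return false;

        string stored = store.GetSalt(ticket.Name);
        if (string.IsNullOrEmpty(stored)) return false; // logged out, or never logged in

        // Constant-time comparison so a client replaying cookies gets no timing signal.
        byte[] a = Encoding.UTF8.GetBytes(stored);
        byte[] b = Encoding.UTF8.GetBytes(ticket.UserData ?? string.Empty);
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

// Authorization filter: runs before action filters, so an action cannot reach its body
// with a revoked ticket. Apply globally or in place of [Authorize].
public class LiveTicketAuthorizeAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        var store = DependencyResolver.Current.GetService<IUserSaltStore>();
        return base.AuthorizeCore(httpContext)
            && ServerSideFormsAuth.TicketIsLive(httpContext.Request, store);
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        FormsAuthentication.SignOut();                  // drop the stale client cookie as well
        base.HandleUnauthorizedRequest(filterContext);  // 401, which forms auth turns into a login redirect
    }
}
```

Two practical notes. The salt lookup now sits on every authenticated request, so cache it (per-user, invalidated in `SetSalt`) rather than hitting the database each time. And because the check lives in an MVC filter, it does not protect non-MVC resources served under the same forms cookie (WebForms pages, handlers, static files behind `<authorization>`); if those exist, do the same comparison in `Application_PostAuthenticateRequest` in Global.asax instead, where it covers the whole pipeline.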