I am using ASP.NET Identity 2.0 for authentication (OWIN middleware) in my application. Session hijacking: When I log in, Identity creates AspNet.ApplicationCookie. Then I copied the AspNet.ApplicationCookie value. Then I logged out of the application. After logout, I created the cookie (AspNet.ApplicationCookie) manually and did a refresh; it redirects me to the home page.
Privilege escalation: At the same time I logged in as User A. I copied his cookie (AspNet.ApplicationCookie) and then I logged out. After that I logged in as User B. I edited User B's cookie, pasted User A's cookie value and saved it. After I refreshed the browser I got User A's access and authentication.
I am clearing the session and deleting all cookies when I log out. ASP.NET Identity (OWIN) even generates a new AspNet.ApplicationCookie each and every time. But it still accepts old cookies and gives me access. I don't know why. Can anyone tell me how to invalidate an old AspNet.ApplicationCookie after logout? This is my code in Startup.Auth.cs:
```csharp
public void ConfigureAuth(IAppBuilder app)
{
    // Enable the application to use a cookie to store information for the signed in user
    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
        LoginPath = new PathString("/Account/Login")
    });

    // Use a cookie to temporarily store information about a user logging in with a third party login provider
    app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);
}
```

This is the logout code:

```csharp
public ActionResult LogOff()
{
    // Delete all cookies while the user logs out
    string[] myCookies = Request.Cookies.AllKeys;
    foreach (var cookie in myCookies)
    {
        Response.Cookies[cookie].Expires = DateTime.Now.AddDays(-1);
    }

    Request.GetOwinContext().Authentication.SignOut(Microsoft.AspNet.Identity.DefaultAuthenticationTypes.ApplicationCookie);
    // AuthenticationManager.SignOut();

    Session.Clear();
    Session.RemoveAll();
    Session.Abandon();

    return RedirectToAction("LoginPage", "Account");
}
```

This is my login controller code:

```csharp
public async Task<ActionResult> Login(LoginViewModel model, string returnUrl)
{
    if (ModelState.IsValid)
    {
        var user = await UserManager.FindAsync(model.UserName, model.Password);
        if (user != null)
        {
            await SignInAsync(user, model.RememberMe);
            return RedirectToLocal(returnUrl);
        }
        else
        {
            ModelState.AddModelError("", "Invalid username or password.");
        }
    }

    // If we got this far, something failed, redisplay form
    return View(model);
}
```
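The cookie middleware above only checks the cookie's signature and expiry, so a copied cookie stays valid until it expires; as an added example (not from the original post), this wires up SecurityStampValidator so the cookie is re-checked against the user's SecurityStamp in the store, and rotates the stamp on logout so every previously issued cookie for that account is rejected. It assumes the default ASP.NET Identity 2.0 project template (ApplicationUser with GenerateUserIdentityAsync, ApplicationUserManager.Create, ApplicationDbContext.Create) and the template's usual using directives.

```csharp
// Startup.Auth.cs
public void ConfigureAuth(IAppBuilder app)
{
    // The validator resolves the UserManager from the OWIN context,
    // so the context and manager must be registered per request.
    app.CreatePerOwinContext(ApplicationDbContext.Create);
    app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);

    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
        LoginPath = new PathString("/Account/Login"),
        Provider = new CookieAuthenticationProvider
        {
            // Compare the SecurityStamp claim inside the cookie with the
            // stamp stored for the user; on mismatch the cookie is rejected.
            // TimeSpan.Zero checks on every request (one DB read each);
            // a longer interval leaves a replay window of that length.
            OnValidateIdentity = SecurityStampValidator
                .OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                    validateInterval: TimeSpan.Zero,
                    regenerateIdentity: (manager, user) =>
                        user.GenerateUserIdentityAsync(manager))
        }
    });

    app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);
}

// AccountController.cs
[HttpPost]
[ValidateAntiForgeryToken]
public async Task<ActionResult> LogOff()
{
    var owin = HttpContext.GetOwinContext();
    var userId = User.Identity.GetUserId();
    if (userId != null)
    {
        // Rotating the stamp invalidates every cookie issued for this
        // account, including copies saved before logout.
        await owin.GetUserManager<ApplicationUserManager>()
                  .UpdateSecurityStampAsync(userId);
    }
    owin.Authentication.SignOut(DefaultAuthenticationTypes.ApplicationCookie);
    return RedirectToAction("Login", "Account");
}
```

Because the stamp lives in the database, this also invalidates copies of the cookie held in other browsers, which clearing the local Session or expiring client-side cookies in LogOff cannot do.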