How to track expired WIF fedauth cookies?

I have an interesting problem trying to keep track of expired WIF authentication sessions / cookies.

As a background: the site is MVC 3 using Windows Identity Foundation (WIF), which trusts an ADFS server as its STS. The whole site is protected by SSL. The STS has a token expiration period of 60 minutes.

When the user signs out manually, we simply call the SignOut method in the FedAuth module:

FederatedAuthentication.WSFederationAuthenticationModule.SignOut(false);

This, of course, removes the FedAuth cookies, but here is where the problem starts. If I record these cookies using Fiddler, I can resubmit them to the site during their validity period and still be treated as logged in.

I understand that this is done from the privileged position of the browser that accepted the script as a proxy ... but the client is concerned that cookies that have not yet expired pose a significant security risk. They are not sure that SSL protects the site sufficiently, and fear that if an attacker can carry out a MITM attack, they could use these cookies after the user believes they are logged out.

I explained that if they are vulnerable after logging out, they are vulnerable during login, but they don’t care ...

So, I was looking for ways to make sure that as soon as the user logs out, the FedAuth cookie associated with that login session is treated as expired. The WIF handlers do not seem to have a built-in mechanism for tracking expired tokens, and I have not found anything else related to this.

I guess this is actually a broader issue -> how to detect expired cookies in general? A valid cookie is a valid cookie!

The obvious solution is to keep track of these cookies after logging out in some way, but I would like to avoid the user-code route if possible; much of the security literature tells noobs like me to avoid hand-coding any kind of session mechanics, as you are likely to get it wrong!

(Answer text garbled in extraction; only its code survived.) The OWIN authentication cookie is stamped with the ASP.NET session ID from a controller override:

    // Inside a Controller subclass. Needs System.Security.Claims,
    // Microsoft.Owin.Security and System.Web (for GetOwinContext()).
    protected override void OnActionExecuted(ActionExecutedContext filterContext)
    {
        base.OnActionExecuted(filterContext);

        bool authenticated = User.Identity.IsAuthenticated;

        var sessionGuid = (User as ClaimsPrincipal)?.FindFirst("sessionID")?.Value;

        // put the SessionID into the cookie.
        if (authenticated && string.IsNullOrEmpty(sessionGuid))
        {
            var id = Session.SessionID;

            // update the guid claim to track with the session
            var authenticationManager = HttpContext.GetOwinContext().Authentication;

            // create a new identity from the old one
            var identity = new ClaimsIdentity(User.Identity);

            // update claim value; on the first authenticated request there is
            // no sessionID claim yet, and RemoveClaim(null) would throw
            var existing = identity.FindFirst("sessionID");
            if (existing != null)
            {
                identity.RemoveClaim(existing);
            }
            identity.AddClaim(new Claim("sessionID", id));

            // tell the authentication manager to use this new identity
            authenticationManager.AuthenticationResponseGrant =
                new AuthenticationResponseGrant(
                    new ClaimsPrincipal(identity),
                    new AuthenticationProperties { IsPersistent = true }
                );
        }
    }

On each request the claim in the cookie is compared with the current ASP.NET session ID, and a mismatch signs the user out again:

    protected override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        var claim = (User as ClaimsPrincipal)?.FindFirst("sessionID")?.Value;

        // does the owin cookie have a sessionID?
        if (!string.IsNullOrEmpty(claim))
        {
            string session = Session.SessionID;

            // does it match the one stored in the session?
            if (session != claim)
            {
                // no? log the user out again..
                Session.Abandon();

                // remove the auth cookie
                this.Request.GetOwinContext().Authentication.SignOut();

                // tell them it's over..
                Response.Write("Expired Session");

                Response.End();
            }
        }

        base.OnActionExecuting(filterContext);
    }
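The question asks how a signed-out FedAuth cookie can be treated as expired before its 60-minute lifetime ends, and the answer above binds the cookie to the ASP.NET session ID. The following is an added example, not code from the question, the answer or WIF itself: it shows the server-side piece both need, a denylist that the sign-out handler writes to and that every authenticated request is checked against, with entries dropped once the token they belong to would have expired anyway. Unlike a comparison against `Session.SessionID` (which lives in its own cookie and would be captured together with the FedAuth cookie), a replayed cookie cannot satisfy this check, because the revoked ID is stored on the server and not in anything the client sends. The claim name `sessionID` is taken from the answer; `SessionRevocationStore` and `WifSessionGuard` are hypothetical names, the clock is injected so the program can simulate the passage of time, and the hook points (calling `Revoke` next to `WSFederationAuthenticationModule.SignOut` and `IsStillValid` in the request pipeline) are assumptions about where this would be wired in.

```csharp
using System;
using System.Collections.Concurrent;
using System.Linq;
using System.Security.Claims;

// Server-side denylist of signed-out sessions. A revoked session id is kept
// only until the token that carried it would have expired on its own.
public sealed class SessionRevocationStore
{
    private readonly ConcurrentDictionary<string, DateTimeOffset> _revoked =
        new ConcurrentDictionary<string, DateTimeOffset>();
    private readonly Func<DateTimeOffset> _clock;   // injected for testability

    public SessionRevocationStore(Func<DateTimeOffset> clock) { _clock = clock; }

    // Called from the sign-out handler (assumed hook point): remember this
    // session id until the original token lifetime runs out.
    public void Revoke(string sessionId, DateTimeOffset tokenExpiresAt)
    {
        _revoked[sessionId] = tokenExpiresAt;
    }

    // Called for every authenticated request (assumed hook point).
    public bool IsRevoked(string sessionId)
    {
        Prune();
        return _revoked.ContainsKey(sessionId);
    }

    public int Count { get { Prune(); return _revoked.Count; } }

    // Drop entries whose token could no longer be replayed anyway.
    private void Prune()
    {
        var now = _clock();
        foreach (var entry in _revoked.Where(e => e.Value <= now).ToList())
        {
            DateTimeOffset ignored;
            _revoked.TryRemove(entry.Key, out ignored);
        }
    }
}

// Mirrors the answer's pattern: the principal carries a "sessionID" claim.
// Hypothetical helper, not a WIF API.
public static class WifSessionGuard
{
    public const string SessionClaim = "sessionID";

    public static ClaimsPrincipal Issue(string user, string sessionId)
    {
        var identity = new ClaimsIdentity(
            new[] { new Claim(ClaimTypes.Name, user), new Claim(SessionClaim, sessionId) },
            "Federation");
        return new ClaimsPrincipal(identity);
    }

    public static bool IsStillValid(ClaimsPrincipal principal, SessionRevocationStore store)
    {
        var claim = principal.FindFirst(SessionClaim);
        // A token without a session id cannot be tracked; fail closed.
        if (claim == null || string.IsNullOrEmpty(claim.Value)) return false;
        return !store.IsRevoked(claim.Value);
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed clock; the lambda captures the variable, so moving
        // 'now' forward later is visible to the store.
        var now = new DateTimeOffset(2024, 1, 1, 12, 0, 0, TimeSpan.Zero);
        var store = new SessionRevocationStore(() => now);
        var tokenLifetime = TimeSpan.FromMinutes(60);   // the STS setting from the question

        // 1. Login: the issued token gets a random session id claim.
        var sessionId = Guid.NewGuid().ToString("N");
        var principal = WifSessionGuard.Issue("alice", sessionId);
        Console.WriteLine("after login:    valid=" + WifSessionGuard.IsStillValid(principal, store));

        // 2. Sign-out: alongside WSFederationAuthenticationModule.SignOut, record the id.
        store.Revoke(sessionId, now + tokenLifetime);

        // 3. A replayed cookie still carries the same claim and is now refused.
        Console.WriteLine("after sign-out: valid=" + WifSessionGuard.IsStillValid(principal, store));

        // 4. Once the token would have expired anyway, the entry is pruned.
        now = now + tokenLifetime + TimeSpan.FromSeconds(1);
        Console.WriteLine("revoked entries after expiry: " + store.Count);
    }
}
```

In a real deployment the store has to be shared by every web node (a database table or cache keyed by session ID), and the session ID claim must be generated server-side at token issue time, never taken from client input; the pruning bound is what keeps the denylist small, since nothing needs to be remembered longer than the STS token lifetime.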
