
I have an ASP.NET MVC 4 project in .NET 4.5.

I have set up claims-based authentication to protect my site.

I see a very strange behavior after logging in. If I edit the FedAuth cookie and change a value by hand in the token part, and then try to refresh my page, it still works.

In my web.config I have this:

    <configSections>
      <section name="system.identityModel"
               type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
      <section name="system.identityModel.services"
               type="System.IdentityModel.Services.Configuration.SystemIdentityModelServicesSection, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
    </configSections>

...

    <modules>
      <remove name="FormsAuthentication" />
      <remove name="WindowsAuthentication" />
      <add name="SessionAuthenticationModule"
           type="System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
    </modules>

...

    <system.identityModel>
      <identityConfiguration>
        <claimsAuthorizationManager
          type="Project.Web.MyClaimAuthorizationManager, Project.Web, Version=1.0.0.0, Culture=neutral" />
        <securityTokenHandlers>
          <add type="System.IdentityModel.Services.Tokens.MachineKeySessionSecurityTokenHandler, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
          <remove type="System.IdentityModel.Tokens.SessionSecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
        </securityTokenHandlers>
      </identityConfiguration>
    </system.identityModel>

I am registering these filters in my project:

    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new HandleErrorAttribute());
        filters.Add(new AuthorizeAttribute());
    }

I create a token like this:

    public void IssueAuthTicket(string nameIdentifier, string name, bool persist)
    {
        var claims = new List<Claim>
                         {
                             new Claim(ClaimTypes.NameIdentifier, nameIdentifier),
                             new Claim(ClaimTypes.Name, name)
                         };
        var ci = new ClaimsIdentity(claims, "Forms");
        var cp = new ClaimsPrincipal(ci);

        var token = new SessionSecurityToken(cp);
        FederatedAuthentication.SessionAuthenticationModule.WriteSessionTokenToCookie(token);
    }

If I base64-decode the token, I get this:

    <?xml version="1.0" encoding="utf-8"?>
    <SecurityContextToken xmlns:p1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512" p1:Id="_b686b435-7153-44c4-816f-f5aba60d4ee8-86A9E23C43E7AFDA5B390C4EEDD7C694">
    <Identifier>urn:uuid:667635fb-c98e-4cf0-be9e-805957589876</Identifier>
    <Cookie xmlns="http://schemas.microsoft.com/ws/2006/05/security">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</Cookie>

And I change the first character of the Cookie element like this (v -> 1):

    <?xml version="1.0" encoding="utf-8"?>
    <SecurityContextToken xmlns:p1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512" p1:Id="_b686b435-7153-44c4-816f-f5aba60d4ee8-86A9E23C43E7AFDA5B390C4EEDD7C694">
    <Identifier>urn:uuid:667635fb-c98e-4cf0-be9e-805957589876</Identifier>
    <Cookie xmlns="http://schemas.microsoft.com/ws/2006/05/security">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</Cookie>

I re-encode this in base64 and inject it into the FedAuth cookie, and it still works.

Any idea on where I should start looking to solve this?

Thanks

JuChom
  • Could you explain exactly what you did? – leastprivilege May 08 '13 at 09:33
  • After logging in, I edit the FedAuth cookie by hand and change a value in the Token part. If I refresh the page, I'm still logged in. – JuChom May 09 '13 at 09:45
  • Only the inner part of the session token is signed. Have you edited that part? Also try to see if you have the same behavior when temporarily removing the token handlers config section.... – leastprivilege May 10 '13 at 06:28
  • First of all thanks for your help, I edited the post to show how I modified the cookie. I also removed the whole part of web.config and I still have the same behavior. – JuChom May 10 '13 at 08:22
  • Have you tried making more drastic changes than a single character? – leastprivilege May 10 '13 at 15:39
  • I have replaced the first 240 characters with A and it still works. – JuChom May 10 '13 at 15:54

1 Answer

OK - I think I now remember how that works -

When the session cookie is written, it is also cached in memory (regardless of IsReference mode). At read time, the identifier in the cookie is used to try to rehydrate the session token from the cache first. Only if this fails, the actual cookie is used (I guess to save the cost of validation).

This explains what you see. Modifying the identifier will make the request fail.

leastprivilege
  • Very interesting. What are the impacts we can have with this? Is there a way to see this cache and invalidate it? Do you know if there is a reference for this? Even if it could make sense, it is a bit counterintuitive to me as a default behaviour. – Dave May 13 '13 at 14:10
  • Thanks Dominick. I thought it must be from some kind of cache. But I was looking at new IdentityConfiguration().Caches.SessionSecurityTokenCache and this does not hold anything. Is it a different cache? – Badrinarayanan Lakshmiraghavan May 13 '13 at 14:37
  • 1
    SAM.WriteSessionTokenToCookie calls SessionSecurityTokenCache.AddOrUpdate - the SessionSecurityTokenResolver calls Get on the cache. – leastprivilege May 13 '13 at 17:11
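
The lookup order described in the answer above, as an added C# model that is not part of the original thread and is not WIF code. `SessionModel`, `Issue`, `Read`, `Evict` and the demo key are hypothetical names and values, and binding the identifier into the MAC is an assumption made so that a changed identifier fails as the answer says.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Simplified model of the cache-first read path; hypothetical, not WIF code.
class SessionModel
{
    readonly byte[] key = Encoding.UTF8.GetBytes("constructed-demo-key"); // constructed value
    readonly Dictionary<string, string> cache = new Dictionary<string, string>();

    byte[] Mac(string id, string body) // assumption: the identifier is covered by the MAC
    {
        using (var h = new HMACSHA256(key)) return h.ComputeHash(Encoding.UTF8.GetBytes(id + "|" + body));
    }

    static bool FixedEquals(byte[] a, byte[] b) // constant-time comparison
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // Write path: protect the cookie and also cache the session under its identifier.
    public Tuple<string, string, byte[]> Issue(string user)
    {
        string id = "urn:uuid:" + Guid.NewGuid();
        cache[id] = user;
        return Tuple.Create(id, user, Mac(id, user));
    }

    // Read path: cache lookup by identifier first; the cookie is validated only on a miss.
    public string Read(string id, string body, byte[] mac)
    {
        string cached;
        if (cache.TryGetValue(id, out cached)) return "ok, from cache: " + cached; // body never inspected
        if (!FixedEquals(Mac(id, body), mac)) return "rejected: MAC mismatch";
        return "ok, from cookie: " + body;
    }

    public void Evict() { cache.Clear(); } // stands in for a restart or another farm node
}

static class Program
{
    static void Main()
    {
        var s = new SessionModel();
        var c = s.Issue("JuChom");
        Console.WriteLine(s.Read(c.Item1, "AAAA", c.Item3));        // hit: edited body goes unnoticed
        Console.WriteLine(s.Read(c.Item1 + "x", c.Item2, c.Item3)); // changed identifier: rejected
        s.Evict();
        Console.WriteLine(s.Read(c.Item1, "AAAA", c.Item3));        // miss: edited body is rejected
        Console.WriteLine(s.Read(c.Item1, c.Item2, c.Item3));       // untouched cookie validates
    }
}
```

On a cache hit the model returns the cached identity, not the edited body, so the edited cookie is accepted without its contents ever being used.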