We are getting hit with a scenario where a user logs off and a previously good session cookie (including the sliding time window) is replayed, and our code jumps right to the requested page as the user. We are not maintaining session state on the server. This is ASP.NET forms authentication.

I was thinking that the only solution to this is to add columns on the server to track a user's log status. Not real hard, but it requires code, db, and deployment to accomplish.

Is this the best way to handle this? Since we will have to crack into the code anyway, we could add client request IPs and other stuff to the cookie. But the current spoof is to reuse the client's machine as well as the session.

Any thoughts?

Thanks in advance

bille

JavaScript code that checks for inactivity -> logout

$j(document).ready(function () {

    /******************************************************************
    Auto-logout after the user's session times out
    (uses the jQuery Timers plugin: stopTime / oneTime)
    ******************************************************************/

    // Show the warning 5 minutes before the forms timeout (_TIMEOUT is in minutes)
    var timeOut = (_TIMEOUT - 5) * 60;

    // Named armSessionTimer rather than setTimeout so the browser's own
    // window.setTimeout is not shadowed inside this closure
    var armSessionTimer = function () {
        $j(".session-timeout").stopTime().oneTime(timeOut + "s", function () {
            $j(this).show();
            // Give the user 5 more minutes to refresh, then log out
            $j(this).oneTime("300s", function () {
                window.location = $j(this).find("a.logout").attr("href");
            });
        });
    };

    $j(".session-timeout a.refresh-session").click(function () {
        NextGen.CHS.UtilitiesWebService.RefreshSession(
            function () {                 // success: hide the warning, restart the timer
                $j(".session-timeout").fadeOut();
                armSessionTimer();
            },
            function () {                 // failure: leave the warning visible
            }
        );
    });

    armSessionTimer();
});

weidson
  • When the user logs off, does it just do a postback on the current page, or go to a logoff page? By replay attack, do you mean that an attacker from a separate machine is able to do this, or are you saying the same machine? – Brian Mains Sep 03 '13 at 16:43
  • There are two ways: a client timeout leading to an AJAX call that invalidates the session, and a regular postback when clicking the logout button. – weidson Sep 03 '13 at 18:48
  • Also, the attack is coming from the same machine (IP/MAC spoofed possibly). We have users who log in, do stuff, log out, and leave the machine to another user. – weidson Sep 03 '13 at 18:49
  • You may want to consider using JavaScript to redirect to a logout page, rather than using AJAX, via `window.location='logout.aspx';` – Brian Mains Sep 03 '13 at 19:53
  • I edited the original question with the JavaScript code that is checking for inactivity client side. – weidson Sep 04 '13 at 02:21

1 Answer

I ended up fixing this by tracking users' log in/out state and activity timestamps. When a replayed session is received, we still decrypt the forms ticket and find valid "session" information. This identifies the user; we then check if the user is logged out and, if so, redirect to the login page.

For cases where the user kills the browser without logging out, the activity timestamp is used in a SQL job that sweeps the user table, logging out inactive users.

weidson