
I am very new to web API security. I have used the forms authentication technique: when the user logs in, a token is created and stored as a cookie in the user's web browser. On each request the token is verified, and if the user is authenticated and authorized, the user is given access to the service.

But I think this approach does nothing for web API security. Cookies can easily be copied and pasted into another browser, and anyone can get the service.

I am thinking of using an app key and secret along with forms authentication. I have been advised not to use a third-party service like OAuth for authentication. I am not sure about the implementation of app key and secret, and how exactly it works.

Please provide a better way to secure my web API without using third-party services and to prevent cookie hijacking, etc. What actions are performed to build a strongly secure web API?

vivek
  • _"Cookies can easily be copied and pasted into another browser, and anyone can get the service."_ - this does require a logged-in account though. – CodeCaster Oct 15 '13 at 08:46
  • How will you know that the authentication cookies are coming from a logged-in account? The user has access to the services if he has the authentication token, which is stored in the cookie. If any other user copies the cookie and the token has not expired, he will also be authenticated. – vivek Oct 15 '13 at 08:52
  • And if I copy your Facebook cookie, I can stalk your friends. See [Forms Authentication Cookie value vulnerability](http://stackoverflow.com/questions/11208793/forms-authentication-cookie-value-vulnerability-in-asp-net), for example, for a discussion of that topic. – CodeCaster Oct 15 '13 at 08:56
  • @vivek please check my answer below. Your worries are valid. But check your authentication cookie and make sure it is httpOnly, and I would not give the user the ability to stay logged in (don't store cookies). You might also choose a short idle timeout if you are so worried. – A Khudairy Oct 15 '13 at 15:43
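The question asks how an "app key and secret" scheme actually works. The usual shape is HMAC request signing: the client holds a key id (public) and a secret (never transmitted), and signs each request over its method, path, timestamp, nonce and body; the server looks up the secret by key id, recomputes the MAC and rejects stale or replayed requests. Copying what travels on the wire is useless without the secret, and a captured request cannot be altered or re-sent outside the window. The Python below is an added illustration written for this page, not code from the question or any answer; the header names (`X-Key-Id`, `X-Nonce`, `X-Timestamp`, `X-Signature`), SHA-256, the 300-second window and the credential store are assumptions. Note the caveat that this only fits a client that can keep a secret (server-to-server or a native app); a browser page cannot hold one, so it does not replace the cookie-based login for interactive users.

```python
"""App key and secret via HMAC request signing (added example, not from the post).

Assumed for illustration: header names X-Key-Id / X-Nonce / X-Timestamp /
X-Signature, SHA-256, and a 300-second clock window.
"""
import hashlib
import hmac
import secrets
import time

# Constructed credential store: key id -> shared secret. Only the server and
# the single client that owns the key ever hold the secret; it is never sent.
SECRETS = {
    "app-7f3a": b"constructed-demo-secret-do-not-reuse",
}
MAX_SKEW_SECONDS = 300
_SEEN_NONCES = set()   # (key_id, nonce) pairs already accepted


def canonical_string(method, path, timestamp, nonce, body):
    """Bind everything the server checks into one string, so changing the
    verb, path, time, nonce or body invalidates the signature."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), nonce, body_hash]).encode()


def sign_request(key_id, secret, method, path, body, now=None, nonce=None):
    """Client side: compute the authentication headers for one request."""
    ts = int(time.time() if now is None else now)
    nonce = nonce or secrets.token_hex(16)
    mac = hmac.new(secret, canonical_string(method, path, ts, nonce, body), hashlib.sha256)
    return {
        "X-Key-Id": key_id,
        "X-Timestamp": str(ts),
        "X-Nonce": nonce,
        "X-Signature": mac.hexdigest(),
    }


def verify_request(headers, method, path, body, now=None, seen=None):
    """Server side. Returns (ok, reason). Order: identify the key, reject
    stale timestamps, check the MAC, then reject replays of an accepted nonce."""
    now = int(time.time() if now is None else now)
    seen = _SEEN_NONCES if seen is None else seen
    key_id = headers.get("X-Key-Id", "")
    secret = SECRETS.get(key_id)
    if secret is None:
        return False, "unknown key id"
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False, "bad timestamp"
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "timestamp outside allowed window"
    nonce = headers.get("X-Nonce", "")
    expected = hmac.new(secret, canonical_string(method, path, ts, nonce, body),
                        hashlib.sha256).hexdigest()
    # compare_digest is constant-time, so a guesser learns nothing from timing.
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return False, "signature mismatch"
    if (key_id, nonce) in seen:
        return False, "replayed nonce"
    seen.add((key_id, nonce))
    return True, "ok"


if __name__ == "__main__":
    body = b'{"to": "acct-42", "amount": 10}'
    hdrs = sign_request("app-7f3a", SECRETS["app-7f3a"], "POST", "/api/transfer", body)
    print(verify_request(hdrs, "POST", "/api/transfer", body))                # (True, 'ok')
    print(verify_request(hdrs, "POST", "/api/transfer", body))                # replayed nonce
    print(verify_request(hdrs, "POST", "/api/transfer", b'{"amount": 9}'))   # signature mismatch
```

The nonce store must be shared across server instances (a cache keyed by key id and nonce, expiring after `MAX_SKEW_SECONDS`) or a replay will succeed against a different node; the in-memory set here is only for the single-process demonstration.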

1 Answer


Forms authentication is good enough. You can also do the following:

  1. Use anti-forgery tokens. Check this or this.
  2. It would also be great if, on sensitive actions, you check whether the call to the function was made from the same site or not. You can implement your own action filter for this (check if the referring site is your site, or the expected site).

Edit:

Thanks guys for your comments. I guess you are right. Well, authentication cookies in ASP are created as httpOnly cookies, which means that even if the site had some XSS vulnerabilities it would still be safe and they can't be stolen. I would also suggest using HTTPS everywhere if the site is used for sensitive operations (like a bank) to make sure the cookies are perfectly safe.

A Khudairy
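The answer's three recommendations (an anti-forgery token, a same-site check on sensitive actions, and an HttpOnly cookie over HTTPS) fit together as one server-side gate. Below is an added, language-neutral illustration of that gate in Python; it is not the answer's code and not ASP.NET's own `AntiForgery` helper, though the shape maps directly onto an action filter. Assumptions made for the example: the session id is already known from the login cookie, the token arrives in an `X-CSRF-Token` header or a `__RequestVerificationToken` form field, and the site's own origin is `https://example.test`. The token is bound to the session with an HMAC, so a token lifted from one account's page does not validate for another, which is the property the comments were worried about; the same-site check looks at `Origin` first, because browsers send it on cross-site POSTs even when `Referer` is suppressed, and fails closed when neither header is present.

```python
"""Anti-forgery token, same-site check and cookie flags (added example, not
the answer's code). Assumed: session id comes from the existing login cookie,
token travels in X-CSRF-Token or __RequestVerificationToken, trusted origin
is https://example.test.
"""
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://example.test"       # assumed trusted origin
SERVER_KEY = secrets.token_bytes(32)        # server-only key for token MACs


def issue_antiforgery_token(session_id, key=None):
    """Synchronizer token: random part + MAC over (session_id, random part).
    Binding to the session makes a token from another session useless."""
    key = key or SERVER_KEY
    rnd = secrets.token_hex(16)
    mac = hmac.new(key, f"{session_id}:{rnd}".encode(), hashlib.sha256).hexdigest()
    return f"{rnd}.{mac}"


def check_antiforgery_token(session_id, token, key=None):
    """Recompute the MAC for this session and compare in constant time."""
    key = key or SERVER_KEY
    try:
        rnd, mac = token.split(".", 1)
    except (AttributeError, ValueError):
        return False                        # missing or malformed token
    expected = hmac.new(key, f"{session_id}:{rnd}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def request_is_same_site(headers):
    """The 'was this call made from our site' check: Origin first, Referer as
    fallback, fail closed if neither is present. 'Origin: null' fails too."""
    for name in ("Origin", "Referer"):
        value = headers.get(name)
        if value:
            parts = urlsplit(value)
            return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN
    return False


def authorize_sensitive_action(session_id, headers, form):
    """Action-filter style gate for state-changing endpoints. Both the
    same-site check and the token must pass. Returns (ok, reason)."""
    if not request_is_same_site(headers):
        return False, "cross-site or missing Origin/Referer"
    token = headers.get("X-CSRF-Token") or form.get("__RequestVerificationToken")
    if not check_antiforgery_token(session_id, token):
        return False, "missing or invalid anti-forgery token"
    return True, "ok"


def auth_cookie_header(name, value, max_age=None):
    """Set-Cookie value with the flags the thread discusses: HttpOnly keeps
    script from reading it, Secure keeps it off plain HTTP, SameSite=Lax stops
    most cross-site sends. Omitting Max-Age makes it a session cookie, i.e.
    no 'stay logged in'."""
    parts = [f"{name}={value}", "Path=/", "HttpOnly", "Secure", "SameSite=Lax"]
    if max_age is not None:
        parts.append(f"Max-Age={int(max_age)}")
    return "; ".join(parts)


if __name__ == "__main__":
    sid = "sess-abc"                        # constructed session id
    tok = issue_antiforgery_token(sid)
    print(authorize_sensitive_action(sid, {"Origin": SITE_ORIGIN, "X-CSRF-Token": tok}, {}))
    print(authorize_sensitive_action(sid, {"Origin": "https://evil.test", "X-CSRF-Token": tok}, {}))
    print(authorize_sensitive_action("sess-other", {"Origin": SITE_ORIGIN, "X-CSRF-Token": tok}, {}))
    print(auth_cookie_header(".ASPXAUTH", "opaque-ticket"))
```

None of this stops someone who already holds a copy of the login cookie from making requests that look first-party; it stops other sites from riding the cookie, and HttpOnly plus Secure narrow the ways the cookie can be copied in the first place. A short idle timeout, as the comment suggests, bounds how long a copied cookie stays useful.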