
In several places in a standard ASP.Net MVC Identity 2.0 Owin implementation you'll see rememberBrowser, like:

await signInManager.SignInAsync(user, isPersistent: isPersistent, rememberBrowser: false);

If you do set rememberBrowser to true, I've noticed that I can kill the browser, kill IIS Express, delete the user the browser was logged in as, even restart my machine, and the browser is still treated as logged-in. Not so great, considering a deleted user being treated as authorized/logged-in is going to cause all sorts of issues in code behind the [Authorize] attribute that expects to have a valid user to work with.

So what is it exactly that rememberBrowser is doing, and is there any risk that someone could just fake rememberBrowser in their cookies to bypass OWIN login? It seems the point of [Authorize] is to guarantee no one but logged-in users access a given Controller Action, and rememberBrowser seems to be a hole in that guarantee.

Bonus question: Is there a way to disable rememberBrowser so that even if a forged cookie did come in, it would be rejected?

Chris Moschini

2 Answers


I think rememberBrowser is relevant only in two-factor authentication. So if you set it to true, the browser will acquire a TwoFactorRememberBrowser cookie which allows the user to skip 2FA authentication (if enabled) during the login process.

Is there a way to disable rememberBrowser so that even if a forged cookie did come in, it would be rejected?

The cookie created from rememberBrowser is used in conjunction with the authentication cookie. It will only allow the user to skip 2FA, therefore it is useless without being authenticated first.

Hezye
Could you please clarify something: So if it is only relevant in 2FA and the flag allows the user to skip 2FA, then what is the point of 2FA? I am having a hard time understanding this. – CodingYoshi Jul 28 '20 at 01:10

The answer by @Hezye is correct, but I'll elaborate on this a bit more.

Here is the code that creates an identity for "rememberBrowser", CreateTwoFactorRememberBrowserIdentity (https://aspnetidentity.codeplex.com/SourceControl/latest#src/Microsoft.AspNet.Identity.Owin/Extensions/AuthenticationManagerExtensions.cs line 215):

// Builds the second identity that backs the TwoFactorRememberBrowserCookie.
public static ClaimsIdentity CreateTwoFactorRememberBrowserIdentity(this IAuthenticationManager manager,
    string userId)
{
    if (manager == null)
    {
        throw new ArgumentNullException("manager");
    }
    // Authentication type is the remember-browser cookie, not the application cookie.
    var rememberBrowserIdentity = new ClaimsIdentity(DefaultAuthenticationTypes.TwoFactorRememberBrowserCookie);
    // The only claim carried is the user id.
    rememberBrowserIdentity.AddClaim(new Claim(ClaimTypes.NameIdentifier, userId));
    return rememberBrowserIdentity;
}

So this identity has the authentication type "TwoFactorRememberBrowserCookie" and a single claim, the user ID.

Looking at the source code of SignInManager that uses this code (https://aspnetidentity.codeplex.com/SourceControl/latest#src/Microsoft.AspNet.Identity.Owin/SignInManager.cs line 106):

if (rememberBrowser)
{
    var rememberBrowserIdentity = AuthenticationManager.CreateTwoFactorRememberBrowserIdentity(ConvertIdToString(user.Id));
    // Both identities are signed in together; each authentication type gets its own cookie.
    AuthenticationManager.SignIn(new AuthenticationProperties { IsPersistent = isPersistent }, userIdentity, rememberBrowserIdentity);
}

Here IAuthenticationManager is used to sign-in 2 identities: one for the actual user, another for "rememberBrowser". And I believe this will produce 2 cookies - one user authentication cookie, another remembering the browser.

In SignInManager, when using SignInOrTwoFactor, the code (line 218) checks whether the "RememberBrowser" identity is already set in the cookies.

OWIN cookies are protected by encryption; the encryption is borrowed from DpapiDataProtector (documentation). I'm no expert in cryptography so I can't comment on the strength of the cryptography. I'm just saying that the "rememberBrowser" cookie is encrypted the same way as the main authentication cookie.

Regarding your exercise where you restarted your IIS, machine, etc.: have you removed the cookies from the browser? Because if you have not, Identity (or rather OWIN) will treat the browser as logged-in, even if the original user record is removed from the database. Though the user will not be logged-in for long, as there is code in the default MVC template that checks with the database for the user record and logs out if the user record has been changed.

As for disabling "rememberBrowser": always pass false to that argument, and the second cookie will not be set.

trailmax
So the 2nd cookie "remembering the browser", what exactly does that cookie do? And why would someone want that or not want that? – CodingYoshi Jul 28 '20 at 01:13
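To tie the two answers to the place where both cookies are actually wired up, here is the Startup.Auth.cs shape from the default ASP.NET Identity 2.0 OWIN template, as an added example (not code from either answerer or from the Identity project itself). It shows the security-stamp validation trailmax refers to, and the middleware that is the only consumer of the remember-browser cookie. ApplicationUserManager and ApplicationUser are the template's scaffolded classes, assumed here; the note that omitting UseTwoFactorRememberBrowserCookie leaves the cookie with no handler is my reading of how OWIN dispatches cookies by authentication type, not something either answer states.

```csharp
// Startup.Auth.cs (added example; ApplicationUserManager/ApplicationUser are the template's
// scaffolded classes and are assumed to exist).
using System;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"),
            Provider = new CookieAuthenticationProvider
            {
                // This is the "code in the default template" the answer mentions: once per
                // validateInterval the security stamp in the cookie is compared with the
                // database record. A deleted user has no record, so the identity is rejected
                // and the application cookie is signed out. The template ships with 30 minutes;
                // a shorter interval cuts a deleted user off sooner at the cost of one database
                // lookup per interval per user.
                OnValidateIdentity = SecurityStampValidator
                    .OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                        validateInterval: TimeSpan.FromMinutes(5),
                        regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
            }
        });

        // Short-lived cookie carrying the user id between the password step and the 2FA step.
        app.UseTwoFactorSignInCookie(DefaultAuthenticationTypes.TwoFactorCookie, TimeSpan.FromMinutes(5));

        // Handler for the TwoFactorRememberBrowserCookie type. This line is the other way to
        // neutralise rememberBrowser besides always passing false: without a middleware for this
        // authentication type, SignIn has nothing to write the cookie with and
        // TwoFactorBrowserRememberedAsync finds no identity, so a stale or forged copy is simply
        // ignored and every login goes through 2FA (assumption, see lead-in).
        app.UseTwoFactorRememberBrowserCookie(DefaultAuthenticationTypes.TwoFactorRememberBrowserCookie);
    }
}
```

Even with the remember-browser middleware present, the cookie only ever answers "may this browser skip the second factor?"; it never stands in for the application cookie, which is the one the security-stamp check revokes.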