
When you log in to IdentityServer, the authentication cookie idsrv is stored in the browser. When the user logs out, the cookie is deleted. However, an attacker can steal the cookie and essentially use it even though the user has logged out.

This seems to be "normal" behavior for many identity providers too.

Question

Is it accepted behavior?

Is there any way to detect that the user has logged out and that the idsrv cookie value (token) is no longer valid? Should we, for example, implement IAuthenticationSessionValidator to keep track of the users that are signed out? Or is this something that should belong to the application, by using the id_token session_state claim?

jhougen
  • Is this ticket relevant for your question? https://github.com/IdentityServer/IdentityServer3/issues/2921 – Arve May 03 '17 at 16:49
  • No. There are two cookies stored, one in my application and one in idsrv. If I copy the cookie in idsrv and log out centrally by calling the idsrv endsession endpoint, I am logged out and I see that the cookie is deleted; then I can paste my cookie into idsrv using, for example, Edit Cookie, and I am logged in again. I believe that a session id (maybe the id_token sid claim) should be bound to the token stored in the cookie and it should be validated. This is often handled by frameworks, like in .NET session management. But for me it seems like when moving towards federated authentication it has been forgotten. – jhougen Jul 04 '17 at 17:22

1 Answer


According to OWASP ASVS requirement 3.2 (sessions should be invalidated on user logout), it should not be possible to use the same cookie after logging out of the application. This is also the case when using other identity providers like ADFS and AAD.

jhougen
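The server-side session check the question asks about, as an added example that is not from the original post or from the IdentityServer project: a registry of live login sessions and an IAuthenticationSessionValidator that rejects a replayed idsrv cookie once its session has been revoked at logout. It assumes the cookie principal carries "sub" and "auth_time" claims, that your code calls Register after sign-in and Revoke from the logout path, and that the validator is wired up through the service factory; all three are assumptions to check against your IdentityServer3 version.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityServer3.Core.Services;

// Server-side registry of live authentication sessions. A stolen idsrv cookie
// that is replayed after logout fails validation because its session key is
// no longer registered. In-memory here; use a shared store (database, Redis)
// when IdentityServer runs on more than one node.
public class SessionRegistry
{
    private readonly ConcurrentDictionary<string, DateTime> _live =
        new ConcurrentDictionary<string, DateTime>();

    // Assumption: the cookie principal carries "sub" and "auth_time" claims;
    // together they identify one login event of one user. If your setup puts
    // a "sid" claim on the principal, that is the better key.
    public static string KeyFor(ClaimsPrincipal subject)
    {
        var sub = subject.FindFirst("sub")?.Value;
        var authTime = subject.FindFirst("auth_time")?.Value;
        return (sub == null || authTime == null) ? null : sub + ":" + authTime;
    }

    // Call after a successful sign-in (assumed: from your login flow).
    public void Register(ClaimsPrincipal subject)
    {
        var key = KeyFor(subject);
        if (key != null) _live[key] = DateTime.UtcNow;
    }

    // Call on logout (assumed: from your IUserService.SignOutAsync or endsession handling).
    public void Revoke(ClaimsPrincipal subject)
    {
        var key = KeyFor(subject);
        DateTime ignored;
        if (key != null) _live.TryRemove(key, out ignored);
    }

    public bool IsLive(ClaimsPrincipal subject)
    {
        var key = KeyFor(subject);
        return key != null && _live.ContainsKey(key);   // unknown key => not live
    }
}

// IdentityServer3 calls this when it validates the idsrv cookie; returning
// false makes the cookie invalid even if it is otherwise well-formed.
// Wiring (assumed): factory.AuthenticationSessionValidator =
//   new Registration<IAuthenticationSessionValidator>(new RegistryAuthenticationSessionValidator(registry));
public class RegistryAuthenticationSessionValidator : IAuthenticationSessionValidator
{
    private readonly SessionRegistry _registry;
    public RegistryAuthenticationSessionValidator(SessionRegistry registry) { _registry = registry; }

    public Task<bool> IsAuthenticationSessionValidAsync(ClaimsPrincipal subject)
    {
        return Task.FromResult(_registry.IsLive(subject));
    }
}
```

Note that the registry must be the single source of truth: a session that was never registered is treated as revoked, so a cookie pasted back into the browser after endsession is rejected rather than silently accepted.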