
I have a fully working web app made with MVC5 and Aspnet Identity (local accounts + cookie based auth). We ran a security audit in the site and the results showed that our site is vulnerable to session hijacking. The steps to reproduce the vulnerability are the following:

1. Log in with a valid user
2. Copy the cookie value from the request
3. Log out
4. Request any protected page, adding the copied cookie to the request headers

Even though the browser deletes the cookie and the user is logged out successfully, THE COOKIE VALUE IS STILL VALID. In other words, what our client's security department is asking for is to MAKE THE COOKIE INVALID SERVER SIDE.

So far I tried to change the security stamp of the cookie in the logout controller but the cookie is still valid.

Here's my auth configuration, set to expire the token 24 hours after the initial login:

    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
        LoginPath = new PathString("/Account/Login"),
        Provider = new CookieAuthenticationProvider
        {
            // Enables the application to validate the security stamp when the user logs in.
            // This is a security feature which is used when you change a password or add an external login to your account.
            OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                validateInterval: TimeSpan.FromDays(1),
                regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
        }
    });

Here's my logoff controller:

    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<ActionResult> LogOff()
    {
        string userId = User.Identity.GetUserId();
        AuthenticationManager.SignOut(DefaultAuthenticationTypes.ApplicationCookie);
        // The stamp update is asynchronous; it must be awaited so the action does not
        // redirect before the new stamp has been written to the store.
        await UserManager.UpdateSecurityStampAsync(userId);
        return RedirectToAction("Index", "Home");
    }

Right now, the result is the same: anyone can use the cookie to impersonate the original logged-in user after that user logs off.

What I expect to accomplish is to log out and make that specific cookie value invalid server side so no one can use it after that logout. In case the user doesn't explicitly log off, that cookie should be invalid 1 day later.

l_degaray
  • There is no perfect defense for cookie/session-hijacking - because you can't trust the client. The best you can do is use HTTP-only cookies and serve your site over HTTPS. Also consider setting a Same-Site policy (but this can break things like users following links in e-mail messages and other applications). – Dai Sep 28 '19 at 00:23
  • Already implemented those things in the production server, but the security policies demanded by the client are very strict and this is an actual requirement. I have a couple of ideas of how I can solve this but I want to explore solutions that don't involve writing custom controllers/filters – l_degaray Sep 28 '19 at 00:33
  • You can track the user session. For instance, you can store the logoff time; if the user uses the cookies within 24 hours of the logoff time, then simply reject the request. After 24 hours, the record is deleted. You'll also need to handle user inactivity, browsers, and IP address. It won't be perfect but it'll at least make it harder to reuse the cookies. – iSR5 Sep 28 '19 at 01:19
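As an added example (not code from the question or its comments), the Startup.Auth.cs configuration below shows the server-side invalidation the question asks for: the security stamp is checked against the database on every authenticated request instead of once per validateInterval, and the cookie gets an absolute 24-hour lifetime. It assumes the stock MVC5 Identity 2.x template types ApplicationUserManager and ApplicationUser named in the question, and a partial Startup class with a ConfigureAuth method, which are assumptions about the project.

```csharp
using System;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

public partial class Startup
{
    // Claim type under which ASP.NET Identity 2.x stores the security stamp in the cookie.
    private const string StampClaimType = "AspNet.Identity.SecurityStamp";

    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"),
            // Absolute lifetime: the ticket expires 24h after login and activity does not extend it.
            ExpireTimeSpan = TimeSpan.FromDays(1),
            SlidingExpiration = false,
            Provider = new CookieAuthenticationProvider
            {
                // Runs on every authenticated request, so the stamp in the cookie is compared
                // with the stored stamp each time rather than once per validateInterval.
                OnValidateIdentity = async context =>
                {
                    var manager = context.OwinContext.GetUserManager<ApplicationUserManager>();
                    var userId = context.Identity.GetUserId();
                    var user = userId == null ? null : await manager.FindByIdAsync(userId);
                    var cookieStamp = context.Identity.FindFirstValue(StampClaimType);

                    // A stamp rotated at logout (UpdateSecurityStampAsync) no longer matches the
                    // stamp baked into the old cookie, so a copied pre-logout cookie is rejected.
                    if (user == null || cookieStamp == null || cookieStamp != user.SecurityStamp)
                    {
                        context.RejectIdentity();
                        context.OwinContext.Authentication.SignOut(context.Options.AuthenticationType);
                    }
                }
            }
        });
    }
}
```

This only works if LogOff awaits UserManager.UpdateSecurityStampAsync(userId) so the rotated stamp is persisted before the redirect, and it costs one user lookup per authenticated request, which is the price of per-request revocation.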

0 Answers