0

I've been able to subclass DefaultTokenReplayCache and make it work in my MVC application. This correctly detects tokens that would be replayed from the IDP to the RP by Fiddler or by pressing the Back arrow and resubmitting.

My intent now is to prevent cached replays when the FedAuth cookie is present and that session has already been signed out.

For example:

DefaultTokenReplayCache correctly determines when this response is replayed:

POST http://127.0.0.1:2600/Account/SignIn HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E; MS-RTC EA 2)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Content-Length: 6679
Host: 127.0.0.1:2600
Pragma: no-cache

wa=wsignin1.0&wresult=%3Ct%3ARequest ..... 

However, if I sign out, the following session CAN be replayed:

GET http://127.0.0.1:2600/ HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E; MS-RTC EA 2)
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Host: 127.0.0.1:2600
Pragma: no-cache
Cookie: FedAuth=77u/PD94bWwgd......

Question

How can I ensure that WIF will no longer permit a particular FedAuth cookie once that session has been signed out?

makerofthings7

2 Answers

0

You need to add a tokenReplayDetection into the identityConfiguration element on the relying party.

<system.identityModel>
    <identityConfiguration ...>
        <tokenReplayDetection enabled="true"/>
        ...
    </identityConfiguration>
</system.identityModel>

-Atli

0

How are you signing out? You typically need to call FederatedAuthentication.WSFederationAuthenticationModule.SignOut.

That will clear all FedAuth cookies. Notice that this will not clear any other cookies you might set in your app.

Eugenio Pace
  • 1
    I am doing things exactly as you describe, and yes, the cookies are clearing, however it is possible to press the back arrow in my kiosk browser (or simply use Fiddler to replay) and the signed out session becomes active/valid again. I think the issue is that I need to verify active FedAuth cookies and disallow "closed" sessions – makerofthings7 Oct 31 '11 at 18:01
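The follow-up comment above is the crux: tokenReplayDetection only covers the wresult posted from the IdP, and SignOut only clears the cookie on the browser, so a copy of the FedAuth cookie (Back button, Fiddler) is still a valid session token until its ValidTo. The following is an added example, not code from the question or from either answer, of the usual fix: keep a server-side revocation list of session tokens, record the current token in it during sign-out, and reject listed tokens in the SessionAuthenticationModule's SessionSecurityTokenReceived event. It assumes the .NET 4.5 WIF namespaces (System.IdentityModel.Services / System.IdentityModel.Tokens; on WIF 3.5 the same types live under Microsoft.IdentityModel.Web and Microsoft.IdentityModel.Tokens), that the module is registered in web.config under the name SessionAuthenticationModule so ASP.NET auto-wires the Global.asax handler, and SessionRevocationList is a class name invented for this example.

```csharp
// Added example: server-side revocation of WIF session tokens so that a FedAuth
// cookie replayed after sign-out is refused. Not code from the question/answers.
using System;
using System.Collections.Concurrent;
using System.IdentityModel.Services;   // .NET 4.5 WIF (Microsoft.IdentityModel.Web on WIF 3.5)
using System.IdentityModel.Tokens;
using System.Web;
using System.Web.Mvc;

// Hypothetical revocation list (name chosen for this example). It is in-process,
// so on a web farm it must be backed by a shared store (database, distributed cache).
public static class SessionRevocationList
{
    // token Id -> instant after which the entry can be dropped (the token's own ValidTo)
    private static readonly ConcurrentDictionary<string, DateTime> Revoked =
        new ConcurrentDictionary<string, DateTime>(StringComparer.Ordinal);

    public static void Revoke(SessionSecurityToken token)
    {
        if (token == null) return;
        // Keep the entry only as long as WIF itself would still accept the token.
        Revoked[token.Id] = token.ValidTo.ToUniversalTime();
    }

    public static bool IsRevoked(SessionSecurityToken token)
    {
        Purge(DateTime.UtcNow);
        return token != null && Revoked.ContainsKey(token.Id);
    }

    // Drop entries for tokens that have expired anyway; WIF rejects those on its own.
    private static void Purge(DateTime nowUtc)
    {
        foreach (var entry in Revoked)
        {
            if (entry.Value <= nowUtc)
            {
                DateTime ignored;
                Revoked.TryRemove(entry.Key, out ignored);
            }
        }
    }
}

// Global.asax.cs: ASP.NET wires ModuleName_EventName handlers automatically, so this
// fires for every request that carries a FedAuth cookie, on every HttpApplication instance.
public class MvcApplication : HttpApplication
{
    void SessionAuthenticationModule_SessionSecurityTokenReceived(
        object sender, SessionSecurityTokenReceivedEventArgs e)
    {
        if (!SessionRevocationList.IsRevoked(e.SessionToken)) return;

        // Known-revoked token: cancel so WIF builds no principal from it (the request
        // continues unauthenticated), and clear the cookie again so the kiosk browser
        // stops presenting the stale copy.
        e.Cancel = true;
        ((SessionAuthenticationModule)sender).DeleteSessionTokenCookie();
    }
}

// The sign-out action: revoke the token that is about to be cleared, then sign out
// exactly as the accepted advice says (WSFederationAuthenticationModule.SignOut).
public class AccountController : Controller
{
    public ActionResult SignOut()
    {
        SessionAuthenticationModule sam = FederatedAuthentication.SessionAuthenticationModule;
        SessionSecurityToken token;
        if (sam.TryReadSessionTokenFromCookie(out token))
        {
            SessionRevocationList.Revoke(token);   // record it before the cookie is deleted
        }

        // false: the sign-out originates from the RP, not from the IdP
        FederatedAuthentication.WSFederationAuthenticationModule.SignOut(false);
        return Redirect("~/");
    }
}
```

Two caveats worth knowing before relying on this. Revoking by token Id only catches cookies that carry the same token that was presented at sign-out; if you implement sliding expiration by re-issuing the session token, an older cookie copy has a different Id, so for that setup record the user and the sign-out instant instead and reject any token whose ValidFrom precedes it. And because the list lives in memory here, it is empty again after an app-pool recycle, which is why the entries are bounded by ValidTo and why a shared store is needed for anything beyond a single kiosk box.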