如何跟踪过期的WIF fedauth cookie? [英] How to track expired WIF fedauth cookies?
问题描述
在尝试跟踪过期的WIF身份验证会话/cookie时,我遇到了一个有趣的问题.
I have an interesting problem with trying to keep track of expired WIF authentication sessions/cookies.
作为一点背景:该站点是MVC 3,使用Windows Identity Foundation(WIF),它与ADFS服务器具有信任关系作为STS.整个站点均受SSL保护. STS的令牌到期时间设置为60分钟.
As a bit of background: the site is MVC 3, uses Windows Identity Foundation (WIF) that has a trust with an ADFS server as an STS. The entire site is protected by SSL. The STS has the token expiry set to 60 minutes.
当用户手动退出时,我们只需在FedAuth模块上调用SignOut方法即可:
When a user signs out manually, we just simply call the SignOut method on the FedAuth module:
FederatedAuthentication.WSFederationAuthenticationModule.SignOut(false);
这当然会删除FedAuth cookie,但这是问题开始的地方.如果我用Fiddler捕获了这些cookie,则可以在它们的有效期内将它们重新呈现到该站点,并且仍然被视为已登录.
This of course removes the FedAuth cookies, but here's where the problem starts. If I capture those cookies with Fiddler, I can re-present them to the site within their expiry time and still be treated as logged in.
我意识到这是从接受fiddler作为代理的浏览器的特权位置执行的……但是客户担心那些未真正过期的auth cookie会带来重大的安全风险.他们不相信SSL可以充分保护站点,并且如果攻击者可以执行MITM攻击,则可以在用户认为自己已注销后使用这些cookie.
I realise that this is being performed from a privileged position of the browser having accepted fiddler as a proxy... but the customer is worried that those auth cookies not actually being expired presents a significant security risk. They're are not convinced that SSL protects the site sufficiently, and that if an attacker could execute an MITM attack, they could use those cookies after the user thinks they have logged out.
我已经解释过,如果它们在注销后容易受到攻击,则在登录过程中会受到攻击,但是他们不在乎...
I have explained that if they are vulnerable after log out, they are vulnerable during log in, but they don't care...
因此,我一直在寻找确保用户注销后将与该登录会话相关联的fedauth cookie视为过期的方法. WIF处理程序似乎没有内置的机制来跟踪过期的令牌,而且我还没有发现与此相关的任何其他信息.
So I have looked for ways to be sure that once a user logs off, the fedauth cookies associated with that logon session are treated as expired. The WIF handlers don't seem to have a built in mechanism for tracking expired tokens, and I have not found anything else related to this.
我想这实际上是一个更广泛的问题->通常如何检测过期的Cookie?有效的cookie是有效的cookie!
I guess that this is in fact a wider problem -> how to detect expired cookies in general? A valid cookie is a valid cookie!
最明显的解决方案是以某种方式注销后跟踪那些cookie,但我想尽可能避免使用自定义代码路由;作为一个菜鸟,许多安全性文献都说要避免对任何类型的会话机制进行自定义编码,因为您可能会弄错它!
The obvious solution is to track those cookies after logout somehow, but I'd like to avoid the custom code route if possible; as a noob, a lot of the security literature says to avoid custom coding any kind of session mechanics, as you will probably get it wrong!
有人知道ASP.NET中的任何标准解决方案吗?
Is anyone aware of any standard solutions in ASP.NET to this problem?
谢谢.
推荐答案
您并非没有保留最近撤销的令牌的服务器端列表.这就是为什么我们通常使用固有的到期时间以及HTTPS来防止令牌泄漏/被盗的原因.
You don't without keeping a server-side list of the tokens recently revoked. This is why normally we rely upon an inherent expiration as well as HTTPS to prevent the token from being leaked/stolen.
这篇关于如何跟踪过期的WIF fedauth cookie?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
