Invalidate Old Session Cookie - ASP.Net Identity


Question

An external company has done some penetration tests on the ASP.NET MVC 5 application I'm working on.

An issue that they raised is described below

A cookie linked with session management is called AspNet.ApplicationCookie. When entered manually, the application authenticates the user. Even though the user logs out from the application, the cookie is still valid. This means the old session cookie can be used for a valid authentication within an unlimited timeframe. In the moment the old value is inserted, the application accepts it and replaces it with a newly generated cookie. Therefore, if the attacker gains access to one of the existing cookies, a valid session will be created, with the same access as in the past.

We're using ASP.NET Identity 2.2.

Here's our logout action on the account controller:

[HttpPost]
[ValidateAntiForgeryToken]
public ActionResult LogOff()
{
    AuthenticationManager.SignOut();
    return RedirectToAction("Login", "Account");
}

In Startup.Auth.cs:

app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
    LoginPath = new PathString("/Account/Login"),
    ExpireTimeSpan = TimeSpan.FromHours(24.0),
    Provider = new CookieAuthenticationProvider
    {
        // Enables the application to validate the security stamp when the user logs in.
        // This is a security feature which is used when you change a password or add an external login to your account.
        OnValidateIdentity = SecurityStampValidator
            .OnValidateIdentity<ApplicationUserManager, ApplicationUser, int>(
                validateInterval: TimeSpan.FromMinutes(1.0),
                regenerateIdentityCallback: (manager, user) =>
                    user.GenerateUserIdentityAsync(manager),
                getUserIdCallback: (id) => (Int32.Parse(id.GetUserId())))
    }
});

I would have thought that the framework would have taken care of invalidating an old session cookie, but browsing through the Owin.Security source code it appears not.

How do I invalidate the session cookie on logout?

Edit: On Jamie Dunstan's advice I've added AuthenticationManager.SignOut(DefaultAuthenticationTypes.ApplicationCookie); but it has made no difference. I can still log out of the application, clone a previously authenticated request in Fiddler, and have it accepted by the application.

Edit: My updated LogOff method:

[HttpPost]
[ValidateAntiForgeryToken]
public async Task<ActionResult> LogOff()
{
    var user = await UserManager.FindByNameAsync(User.Identity.Name);

    AuthenticationManager.SignOut(DefaultAuthenticationTypes.ApplicationCookie);
    await UserManager.UpdateSecurityStampAsync(user.Id);

    return RedirectToAction("Login", "Account");
}

Solution

Make sure you use AuthenticationManager.SignOut(DefaultAuthenticationTypes.ApplicationCookie); as correctly suggested by Jamie.

Being able to log in with the same cookie again is by design. Identity does not create internal sessions to track all logged-in users, and if OWIN gets a cookie that hits all the boxes (i.e. a copy from the previous session), it'll let you log in.

If you can still log in after the security stamp is updated, most likely OWIN can't get hold of ApplicationUserManager. Make sure you have this line just above app.UseCookieAuthentication:

app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);

Or, if you are using DI, take ApplicationUserManager from DI:

app.CreatePerOwinContext(() => DependencyResolver.Current.GetService<ApplicationUserManager>());

Also reduce the validateInterval: TimeSpan.FromMinutes(30) to a lower value - I usually settle for a couple of minutes. This is how often Identity compares the values in the auth cookie to the values in the database. And when the comparison is done, Identity regenerates the cookie to update the timestamps.
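To make the answer's two points concrete (there is no server-side session, so only the security-stamp comparison can reject a replayed cookie, and that comparison only runs once the cookie is older than validateInterval), here is a small Python model of the validator's decision logic. It is an added example, not code from the post or from ASP.NET Identity; the in-memory user store, the timeline and the "check is skipped when the user manager is unreachable" behaviour are assumptions based on what the answer describes.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import secrets

@dataclass
class AuthCookie:
    user_id: int
    security_stamp: str   # stamp claim copied into the cookie at sign-in
    issued_utc: datetime

class UserStore:
    """Stands in for ApplicationUserManager: one security stamp per user (assumed)."""
    def __init__(self, user_ids):
        self._stamps = {uid: secrets.token_hex(16) for uid in user_ids}
    def get_security_stamp(self, user_id):
        return self._stamps[user_id]
    def update_security_stamp(self, user_id):   # models UpdateSecurityStampAsync
        self._stamps[user_id] = secrets.token_hex(16)

def sign_in(store, user_id, now):
    return AuthCookie(user_id, store.get_security_stamp(user_id), now)

def validate_identity(cookie, store, now, validate_interval):
    """Return (accepted, cookie_to_reissue). Models OnValidateIdentity's decision."""
    if now - cookie.issued_utc <= validate_interval:
        return True, cookie           # fresh cookie: no database comparison yet
    if store is None:                 # user manager not reachable: check is skipped
        return True, cookie
    if store.get_security_stamp(cookie.user_id) != cookie.security_stamp:
        return False, None            # stamp rotated since sign-in: reject identity
    return True, AuthCookie(cookie.user_id, cookie.security_stamp, now)  # regenerate

def replay_after_logout(rotate_stamp, store_available, minutes_later, validate_minutes=1):
    """Sign in, keep a copy of the cookie, log out, replay the copy minutes_later."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed timeline
    store = UserStore([7])
    copied_cookie = sign_in(store, 7, t0)
    if rotate_stamp:
        store.update_security_stamp(7)   # the UpdateSecurityStampAsync call in LogOff
    accepted, _ = validate_identity(
        copied_cookie, store if store_available else None,
        t0 + timedelta(minutes=minutes_later), timedelta(minutes=validate_minutes))
    return accepted
```

Without a stamp rotation the copied cookie stays valid indefinitely (the pentest finding); with rotation it is rejected, but only after validateInterval has elapsed, and not at all if the user manager is not registered in the OWIN context.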
