question

KamranBashir-9687 asked WoodsDouglas-8246 commented

Azure AD B2C ineffective log out mechanism

Let's suppose you are signed in and you have an account controller and an index view.
In steps...

  1. When you first render https://abc.com/account/index, capture this request in Fiddler.
    You get an HTTP 200 response and some data, let's suppose "hello world".

  2. Next you call the logout endpoint in your web app, which runs the following code:

    // Signs out of every registered OWIN authentication type (the cookie and the B2C OpenID Connect middleware).
    // Needs: using System.Collections.Generic; using System.Linq; using System.Web; using Microsoft.Owin.Security;
    IEnumerable<AuthenticationDescription> authTypes = HttpContext.GetOwinContext().Authentication.GetAuthenticationTypes();
    HttpContext.GetOwinContext().Authentication.SignOut(authTypes.Select(t => t.AuthenticationType).ToArray());

In Fiddler it shows that it has called something like
https://login.microsoftonline.com/common/oauth2/logout?.....

  3. Close the browser.

  4. Repeat step 1.


Again you get an HTTP 200 response and some data, let's suppose "hello world", instead of HTTP 401.

That is very frustrating....

azure-active-directory

@KamranBashir-9687,
Are you trying to log in to the application using the same user account that you have used to log in to the machine? The reason for this question is that I am suspecting this might be due to seamless SSO. For example, if your device is registered/joined to Azure AD, a PRT (Primary Refresh Token) is issued to the device that helps perform Seamless SSO if the user account is present in the same Azure AD.

0 Votes

It is after login (the famous Microsoft sign-in page).

Let's suppose your application has a default/index page. When this default/index page is loaded, we capture all browser loading data in Fiddler, like we normally do. Let's call this request for the default/index page X.
Now you close the browser.
The next thing we do is fire the same request X from Fiddler (right-click on request X, Replay, Reissue Request).

And we get data back from the application with HTTP 200 instead of HTTP 401.


0 Votes

Important: what we have at the moment in the portal.
B2C_1_Signin_Policy - Properties --> Single sign-on configuration --> disabled

Even if it is enabled, it does not matter.

0 Votes

1 Answer

amanpreetsingh-msft answered WoodsDouglas-8246 commented

@KamranBashir-9687 Replaying a request using Fiddler is not the correct way to test. I tried the same for https://portal.azure.com/signin/index and got 200 OK. I also tested after editing the request and removing the tokens and cookies from the request, and still received an HTTP 200 response code. I would suggest you test the logout experience via a web browser and capture a Fiddler trace to see if you are getting 401, rather than replaying the request via Fiddler.



Please "mark as answer" or "vote as helpful" wherever the information provided helps you to help others in the community.


@amanpreetsingh-msft After logging out from the web app, it works 100% for the browser, and also when checking the request journey in Fiddler for the browser; it all works :)

Only the first message in the thread, with the steps, does not work.

I am surprised that it has not been picked up by the Microsoft identity team.


1 Vote

This is an issue that has been raised by our pen tester.

It appears that when the logout is sent to B2C, it does correctly remove the session cookies in the browser, but does NOT invalidate the session on the B2C server, so anyone who made a copy of the session cookies before the logout can use a replay attack to sign on to the app. This can be mitigated by setting the session timeout to 15 minutes (which is the lowest setting possible).

There is an expectation that if you logout, then session tokens should be invalid from that point on.

Is there any plan to address this issue?

1 Vote
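One application-side mitigation for the replay described in the comment above, as an added example that is not code from this thread or from Microsoft: make logout revoke the session on the server, so that a copy of the cookie taken before logout is rejected even though it still decrypts. It assumes an ASP.NET MVC app on OWIN cookie middleware that stamps a per-login "sid" claim onto the identity at sign-in; the RevokedSessions store and the AccountController are hypothetical names.

```csharp
using System.Collections.Concurrent;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.Owin.Security.Cookies;
using Owin;

// Hypothetical server-side revocation list keyed by the per-login "sid" claim (assumed to be set at sign-in).
// In-memory for illustration; a web farm needs a shared cache so every node sees the revocation.
public static class RevokedSessions
{
    private static readonly ConcurrentDictionary<string, bool> Revoked = new ConcurrentDictionary<string, bool>();
    public static void Revoke(string sid) => Revoked[sid] = true;
    public static bool IsRevoked(string sid) => Revoked.ContainsKey(sid);
}

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
            Provider = new CookieAuthenticationProvider
            {
                // Runs on every request that presents the auth cookie: a copy captured before logout
                // still decrypts, but its sid is on the revocation list, so the identity is rejected.
                OnValidateIdentity = ctx =>
                {
                    string sid = ctx.Identity?.FindFirst("sid")?.Value;
                    if (string.IsNullOrEmpty(sid) || RevokedSessions.IsRevoked(sid))
                        ctx.RejectIdentity();   // request continues anonymous; [Authorize] then denies it
                    return Task.FromResult(0);
                }
            }
        });
    }
}

public class AccountController : Controller
{
    public ActionResult LogOut()
    {
        // Revoke on the server first, then clear the browser-side cookies as the posted logout code does
        string sid = (User.Identity as ClaimsIdentity)?.FindFirst("sid")?.Value;
        if (!string.IsNullOrEmpty(sid)) RevokedSessions.Revoke(sid);
        var auth = HttpContext.GetOwinContext().Authentication;
        auth.SignOut(auth.GetAuthenticationTypes().Select(t => t.AuthenticationType).ToArray());
        return RedirectToAction("Index", "Home");
    }
}
```

After this change, reissuing the captured request from Fiddler post-logout should no longer return the protected page, because the check happens on every request rather than relying on the cookie's expiry.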
BK-2234 WoodsDouglas-8246 ·

Same issue here. Raised by our pen tester.

0 Votes

Can you share what vulnerability they are reporting? The CWE code would help.

-1 Vote