LabibMezghanni-2368 asked LanHuang-MSFT answered

[security] FormsAuthentication.SignOut() not deleting auth cookie

Hello,

I'm facing an issue with FormsAuthentication: after SignOut() the auth cookie still exists even though it is expired, which causes a security breach on all requests.


         using System;
         using System.Web;
         using System.Web.Security;

         // Logout action: remove the forms ticket, drop server-side session state,
         // and send back an expired copy of the auth cookie so the browser discards it.
         FormsAuthentication.SignOut();
         Session.Abandon();
         HttpCookie adAuthCookie = FormsAuthentication.GetAuthCookie(FormsAuthentication.FormsCookieName, false);
         adAuthCookie.Expires = DateTime.Now.AddYears(-1);  // date in the past = delete on the client
         Response.Cookies.Add(adAuthCookie);


I'm using .NET 4.5.1.

Tags: dotnet-aspnet-general, dotnet-aspnet-mvc, dotnet-entity-framework

Forms authentication has been around a very long time. It's more likely that you have a logical or design issue.

Is there any way you can provide a code sample that reproduces this issue?


Thank you for your fast reply @AgaveJoe

In fact, to reproduce the issue we used Burp Suite. We just capture the request, then log out of the application and resend the request.

In the logout process we have this code:

      using System;
      using System.Web;
      using System.Web.Security;

      // Logout action as deployed: clear the ticket, abandon the session,
      // and overwrite the auth cookie with an already-expired one.
      FormsAuthentication.SignOut();
      Session.Abandon();
      HttpCookie adAuthCookie = FormsAuthentication.GetAuthCookie(FormsAuthentication.FormsCookieName, false);
      adAuthCookie.Expires = DateTime.Now.AddYears(-1);
      Response.Cookies.Add(adAuthCookie);
AgaveJoe replied to LabibMezghanni-2368:

In fact, to reproduce the issue we used Burp Suite. We just capture the request, then log out of the application and resend the request.

These results are expected if I understand the steps to reproduce this test. It sounds like you are sending a valid cookie and token back to the server. In this case, the request should be authorized.

If you want to invalidate a specific user's cookie and token, then it is up to you to design and write code to handle this new feature. For example, create a new GUID when the user logs in. Store the GUID in the cookie and in a database table. Compare the two GUIDs on each request. Update the GUID stored in the database to a new GUID when the user signs out. Now if the same request is sent, the GUIDs will not match.

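The design described in the comment above, written out as an added example for ASP.NET MVC on .NET Framework (this is not code from the original thread). A forms authentication ticket is a self-contained, encrypted and MAC-protected value, so a captured cookie keeps validating until its own expiry no matter what Set-Cookie the logout response sends; the only way the server can reject a replayed ticket is to check it against state it controls. Here the per-login GUID is carried in the ticket's UserData field and compared with a server-side record on every authorized request; sign-out rotates the record, so any ticket issued earlier fails the comparison. The in-memory SessionTokenStore is a hypothetical stand-in for the database table the comment mentions, and the class names TicketIssuer and ServerSessionAuthorizeAttribute are assumptions of this example.

```csharp
using System;
using System.Collections.Concurrent;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Hypothetical stand-in for the database table: user name -> GUID that the
// ticket must carry. Replace with a real table in production.
public static class SessionTokenStore
{
    private static readonly ConcurrentDictionary<string, string> Tokens =
        new ConcurrentDictionary<string, string>(StringComparer.OrdinalIgnoreCase);

    // Issue a fresh GUID for the user; any previously issued GUID is now stale.
    public static string Issue(string userName)
    {
        string token = Guid.NewGuid().ToString("N");
        Tokens[userName] = token;
        return token;
    }

    // True only if the GUID presented in the ticket is the one currently on record.
    public static bool IsCurrent(string userName, string presented)
    {
        string current;
        return !string.IsNullOrEmpty(presented)
            && Tokens.TryGetValue(userName, out current)
            && string.Equals(current, presented, StringComparison.Ordinal);
    }

    // Rotating the stored value invalidates every ticket issued before this call.
    public static void Revoke(string userName)
    {
        Issue(userName);
    }
}

public static class TicketIssuer
{
    // Call after credentials have been verified. The GUID travels inside the
    // encrypted ticket, so the client cannot read or forge it.
    public static void SignIn(HttpResponseBase response, string userName)
    {
        string token = SessionTokenStore.Issue(userName);
        var ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.Add(FormsAuthentication.Timeout),
            false, token, FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,
            Secure = FormsAuthentication.RequireSSL,
            Path = FormsAuthentication.FormsCookiePath
        };
        response.Cookies.Add(cookie);
    }

    // Logout: rotate the server-side GUID first, then clear the cookie as usual.
    // The rotation is what actually defeats a replayed copy of the old cookie.
    public static void SignOut(string userName)
    {
        SessionTokenStore.Revoke(userName);
        FormsAuthentication.SignOut();
    }
}

// Use in place of [Authorize] on controllers or actions.
public class ServerSessionAuthorizeAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Standard checks first (authenticated identity, Users/Roles filters).
        if (!base.AuthorizeCore(httpContext))
            return false;

        HttpCookie cookie = httpContext.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
            return false;

        FormsAuthenticationTicket ticket;
        try
        {
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (ArgumentException) { return false; }  // malformed ticket
        catch (HttpException)     { return false; }  // MAC validation failed

        if (ticket == null || ticket.Expired)
            return false;

        // The replay check: the GUID in the ticket must still be the one on record.
        return SessionTokenStore.IsCurrent(ticket.Name, ticket.UserData);
    }
}
```

In a logout action the call order matters: read the user name from the current identity, call TicketIssuer.SignOut(userName), then Session.Abandon() and the cookie clearing shown elsewhere in this thread. The GUID in the store should also be rotated on password change, and a failed IsCurrent check is worth logging, since a valid-looking ticket with a stale GUID after logout is exactly the replay the question describes.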

1 Answer

LanHuang-MSFT answered

Hi @LabibMezghanni-2368,
Maybe you can also clear the session cookie and check the configuration in the web.config file.
And how do you configure the cookies? Can you provide the sign-in code?
You can refer to the code below:

 using System;
 using System.Web;
 using System.Web.Configuration;
 using System.Web.Security;

 FormsAuthentication.SignOut();
 Session.Abandon();
 // clear authentication cookie: overwrite it with an empty, already-expired value
 HttpCookie cookie1 = new HttpCookie(FormsAuthentication.FormsCookieName, "");
 cookie1.Expires = DateTime.Now.AddYears(-1);
 Response.Cookies.Add(cookie1);
 // clear session cookie: read its name from <sessionState> so a custom cookieName is honoured
 SessionStateSection sessionStateSection = (SessionStateSection)WebConfigurationManager.GetSection("system.web/sessionState");
 HttpCookie cookie2 = new HttpCookie(sessionStateSection.CookieName, "");
 cookie2.Expires = DateTime.Now.AddYears(-1);
 Response.Cookies.Add(cookie2);
 FormsAuthentication.RedirectToLoginPage();

If the answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Best regards,
Lan Huang
