chpoit

Reputation: 319

FormsAuthentication.SignOut() does not expire the FormsAuthenticationTicket

First off, this is not a problem with the ASP.NET session not expiring, we clear, abandon, and delete every cookie on logout.

This is about FormsAuthentication.SignOut() not expiring the ticket when called and allowing someone who copies the content of the cookie to manually create the cookie somewhere else and still be able to access everything that is meant to now be blocked off after the logout.

Here is the gist of our logout method:

HttpContext.Current.User = null;
HttpContext.Current.Response.Cache.SetCacheability(HttpCacheability.NoCache);

HttpContext.Current.Session.Clear();
HttpContext.Current.Session.Abandon();
HttpContext.Current.Session.RemoveAll();
HttpContext.Current.Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", ""));

FormsAuthentication.SignOut();
FormsAuthentication.RedirectToLoginPage();

We also let ASP manage the creation of the ticket and the authentication via our Web.config and whatever else manages FormsAuthentication. Here is what is in the config:

<authentication mode="Forms">
    <forms name="COOKIENAME" loginUrl="~/PAGE_THAT_REDIRECTS_TO_LOGIN.aspx" defaultUrl="~/PAGE_THAT_REDIRECTS_TO_LOGIN_OR_PROPER_PAGE_IF_LOGGED_IN.aspx" cookieless="UseCookies" timeout="60" />
</authentication>

Now, why is this an issue? Simple: it's a security concern, as if someone gets the cookie and keeps it alive, they can access whatever the user matching the cookie can, even though the user has been disconnected.

Is there a proper way to force the FormsAuthenticationTicket to expire? I tried decrypting it, but everything is read-only, and I also tried to create a new expired ticket and encrypt it, but it doesn't overwrite the old one.

Thanks

Versions: .NET 4.5.1, ASP.NET (not Core)

Upvotes: 2

Views: 645
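One way to get the behaviour the question asks for, as an added example rather than code from the question or from ASP.NET itself: keep a server-side record of each user's last logout time and reject any forms ticket issued before it, since SignOut() only expires the browser's copy of the cookie while the encrypted ticket stays valid until its timeout. The TicketRevocation class and its in-memory store are assumptions for illustration; a real deployment needs a shared, persistent store, and entries older than the configured timeout (60 minutes here) can be pruned.

```csharp
// Added example, not the asker's code. TicketRevocation and its in-memory store are
// hypothetical; production needs a shared store (database, cache) for web farms/restarts.
using System;
using System.Collections.Concurrent;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public static class TicketRevocation
{
    // username -> UTC time of that user's last explicit logout
    private static readonly ConcurrentDictionary<string, DateTime> RevokedBefore =
        new ConcurrentDictionary<string, DateTime>(StringComparer.OrdinalIgnoreCase);

    // Call from the logout method right before FormsAuthentication.SignOut().
    public static void RevokeCurrentTickets(string userName)
    {
        RevokedBefore[userName] = DateTime.UtcNow;
    }

    // True when the ticket was issued at or before the user's last logout.
    public static bool IsRevoked(FormsAuthenticationTicket ticket)
    {
        DateTime revokedAt;
        return RevokedBefore.TryGetValue(ticket.Name, out revokedAt)
            && ticket.IssueDate.ToUniversalTime() <= revokedAt;
    }
}

public class Global : HttpApplication
{
    // Runs after FormsAuthenticationModule has accepted the cookie, so a
    // cryptographically valid but revoked ticket can still be thrown out.
    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        HttpCookie cookie = Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || !Request.IsAuthenticated) return;

        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { ticket = null; } // tampered or undecryptable cookie
        if (ticket == null || !TicketRevocation.IsRevoked(ticket)) return;

        // Drop the principal, expire the cookie and send the caller to the login page.
        Context.User = new GenericPrincipal(new GenericIdentity(string.Empty), new string[0]);
        FormsAuthentication.SignOut();
        FormsAuthentication.RedirectToLoginPage();
        CompleteRequest();
    }
}
```

The same check also covers sliding expiration, because a copied cookie is rejected here before FormsAuthenticationModule would ever renew it.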

Answers (1)

Agni

Reputation: 448

The basic problem is with Microsoft .NET Core cookie management: it does not handle the lifetime of cookies correctly.

I have faced this issue several times, and mostly with .NET Core now.

To solve this issue we need to override their cookie management class and implement the ITicketStore interface.

https://github.com/aspnet/Security/blob/master/src/Microsoft.AspNetCore.Authentication.Cookies/CookieAuthenticationOptions.cs#L136

The article below can help you with a detailed implementation.

https://mikerussellnz.github.io/.NET-Core-Auth-Ticket-Redis/

I hope it helps.

Upvotes: 0
