Reputation: 13
Deleting/invalidating server side authentication cookie/ticket
I have a web application in Asp.net using FormAuthentication(.ASPXAUTH). I am capturing one of the requests through the Burp suite and sending it to the repeater and manipulating some parameters in the repeater. When I logout from the application and send the request through the burp's repeater the changes are done even though I have logged out from the application since Burp suite has captured all the auth and session cookies. Is there any way I could invalidate the captured cookie on the server-side so that the burp suite will not able to manipulate using the captured request? I tried all the possible things like Session.Clear()/Session.Abandon(); and nothing worked out, even invalidating the session but nothing.
Upvotes: 0
Views: 722
Answers (1)
Reputation: 672
I don't believe this is possible without doing something like storing a nonce server-side, issuing that along with the cookie and making authentication depend on a valid cookie + matching nonce. You'd then cycle the nonce when the user logs out and issue the new one with a new cookie the next time they log in.
This question goes into some detail about how Forms authentication works and why you'd need to do some server side tracking to achive what you want:
Upvotes: 0
Related Questions
- Resetting authentification cookie
- How do I manually delete a cookie in asp.net MVC 4
- invalidate aspx authentication cookie
- How to kill .ASPXAUTH cookie at server end?
- How to invalidate a http session after logout
- How to remove cookie from server side in c#
- ASP.Net Cookieless: How to delete authentication cookie
- asp.net delete cookie
- How to Delete Authentication Cookie
- Expire all forms authentication cookies