I have an old MVC system in use that a Whitehat company is complaining about after penetration testing.
The scenario is as follows:
User logs in with credentials.
User takes note of .ASPXAUTH and ASP.Net_SessionId cookies and their values
User logs off
User then uses F12 to add the cookies and their values
Navigate to a page that would normally not be allowed as the user is not logged in, but it works when it should not
On logout I am deleting the cookies - that is not the problem.
The problem is that the 'values' remain within the server somehow and can be reused.
The code I use for logoff is as follows:
FormsAuthentication.SignOut();
// Drop all the information held in the session
Session.Clear();
Session.Abandon();
// clear authentication cookie
HttpCookie cookie1 = new HttpCookie(FormsAuthentication.FormsCookieName, "");
cookie1.Expires = DateTime.Now.AddYears(-1);
Response.Cookies.Add(cookie1);
// clear session cookie
HttpCookie cookie2 = new HttpCookie("ASP.NET_SessionId", "");
cookie2.Expires = DateTime.Now.AddYears(-1);
Response.Cookies.Add(cookie2);
return RedirectToAction("Index", "Home");
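One server-side check that addresses the replay in the first question, as an added example and not the poster's own code: a forms ticket is self-contained, so SignOut() only removes the cookie from the browser; recording each user's last logoff time and rejecting any ticket issued before it makes a replayed .ASPXAUTH value useless. The TicketRevocation class and its in-memory store are hypothetical stand-ins.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Hypothetical revocation store (not from the original post): user name -> UTC time of last
// logoff. In-memory so the sample is self-contained; on a web farm use a shared store.
public static class TicketRevocation
{
    private static readonly ConcurrentDictionary<string, DateTime> LastLogoff =
        new ConcurrentDictionary<string, DateTime>(StringComparer.OrdinalIgnoreCase);

    // Call from the logoff action, e.g. RevokeAllTicketsFor(User.Identity.Name), before SignOut().
    public static void RevokeAllTicketsFor(string userName)
    {
        LastLogoff[userName] = DateTime.UtcNow;
    }

    // A ticket is acceptable only if it is unexpired and was issued after the
    // user's last logoff; a replayed pre-logoff ticket fails this test.
    public static bool IsTicketValid(FormsAuthenticationTicket ticket)
    {
        if (ticket == null || ticket.Expired) return false;
        DateTime logoffUtc;
        if (!LastLogoff.TryGetValue(ticket.Name, out logoffUtc)) return true;
        return ticket.IssueDate.ToUniversalTime() > logoffUtc;  // IssueDate is local time
    }
}

// Global.asax.cs: runs after FormsAuthenticationModule has set Context.User.
public class MvcApplication : HttpApplication
{
    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        HttpCookie authCookie = Request.Cookies[FormsAuthentication.FormsCookieName];
        if (authCookie == null || string.IsNullOrEmpty(authCookie.Value)) return;
        FormsAuthenticationTicket ticket = null;
        try { ticket = FormsAuthentication.Decrypt(authCookie.Value); }
        catch (Exception) { /* undecryptable or tampered cookie: leave ticket null */ }
        if (!TicketRevocation.IsTicketValid(ticket))
        {
            // Replace the principal so [Authorize] sees an anonymous request,
            // and expire the replayed cookie on the client.
            Context.User = new GenericPrincipal(new GenericIdentity(string.Empty), new string[0]);
            FormsAuthentication.SignOut();
        }
    }
}
```

Session.Abandon() already discards the server-side session data, so a replayed ASP.NET_SessionId only yields an empty session; it is the ticket that grants access, and it is the ticket that needs this check.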
In the Spring Boot project, when the user logs out, we invalidate the cookie with this block of code:
//name = "Token"
//value = "expired"
//age = 0
private void setExpiredCookie(HttpServletResponse response, String name, String value, int age) {
    Cookie cookie = new Cookie(name, value);
    cookie.setSecure(true);   // Send the cookie to the server only over an encrypted HTTPS connection
    cookie.setHttpOnly(true); // Not readable from script, limiting cross-site scripting impact
    cookie.setPath("/");      // Global cookie accessible everywhere
    cookie.setMaxAge(age);    // Deleting the cookie: pass the same properties that were used when it was set
    response.addCookie(cookie);
}
However, after logout, I tested my website with an application for catching the request and resending it through the repeater, with exact values, such as token and payload.
I resent a request, for example, to change the email address, and this request, despite logging out, is valid for 15 minutes (for the life of the original cookie).
What am I missing? Because I am properly deleting and protecting cookies.
You are just creating a new cookie.
You should invalidate the session with the session id which was given to you when you authenticated. Simply use this:
HttpSession session = httpServletRequest.getSession(false); // false: do not create a new session
if (session != null) {
    session.invalidate();
}
I have tried to check session existence until user login in Joomla with JFactory::getSession(); but it's not working.
Also, JFactory::getUser(): this method still shows the user ID after the session lifetime has expired.
Please let me know if any solutions are there to validate Joomla sessions.
You can use the following to get the Joomla session
$Jsession = JFactory::getSession();
$session = $Jsession->get('myVar');
and then perform a check if you wish, like so:
if ($session) {
    // session exists
}
else {
    // session doesn't exist
}
As for showing the user ID, the ID will only show if the user is logged in, as getUser() retrieves the current user object.
By logic, once the user has logged out, they can't enter the system again until they log in again.
I use some session data and cookies of the logged in users, and I want to delete this session data and cookies when the user logs out.
I use
delete_cookie("cookie_name");
$this->session->sess_destroy();
and also set $config['sess_time_to_update'] to 0,
but this didn't work; the session data and cookies weren't deleted.
What can I do to delete all session data and cookies once the user logs out?
$this->session->sess_destroy();
should delete all the session data. How do you know that the session data wasn't deleted? Just after sess_destroy(), try to echo one of the session data items.
echo $this->session->userdata('item_name');
The same way, use echo after deleting a cookie, like this:
echo get_cookie('cookie_name');
I believe it's the logic of how the user stays logged in. You are probably not checking whether the session exists for the logged in user. You should check the session and cookie for every page (method) the user visits. The best way to do this is to put the checker function in the constructor.
Try this -
http://php.net/manual/en/function.setcookie.php
// unset cookies
if (isset($_SERVER['HTTP_COOKIE'])) {
    $cookies = explode(';', $_SERVER['HTTP_COOKIE']);
    foreach ($cookies as $cookie) {
        $parts = explode('=', $cookie);
        $name = trim($parts[0]);
        setcookie($name, '', time() - 1000);
        setcookie($name, '', time() - 1000, '/');
    }
}
http://www.php.net/manual/en/function.setcookie.php#73484
Possible Duplicate:
Can I change the FormsAuthentication cookie name?
I have multiple MVC3 sites that create FormsAuthentication tickets and store them in cookies.
Login:
FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1, userName, DateTime.Now, DateTime.Now.AddMinutes(15), true, String.Empty);
string encTicket = FormsAuthentication.Encrypt(ticket);
HttpCookie faCookie = new HttpCookie(FormsAuthentication.FormsCookieName, encTicket);
In Application_AuthenticateRequest:
HttpCookie authCookie = Request.Cookies[FormsAuthentication.FormsCookieName];
Surely this will cause issues if multiple sites are saving to the same cookie?
Is there any harm in having a different cookie name for each app or is there another recommended way to do it?
It will only cause issues if those multiple sites are on the same domain.
You can set the cookie name in the web.config - see Can I change the FormsAuthentication cookie name?
I am using forms authentication for an MVC website and I am having a problem adding cookies. I am using an encrypted Forms Authentication ticket and adding it to the cookies, but when inspecting my cookies it is there (by name "AuthCookie") but the value is always null and the Expires date is always set to "01/01/0001 00:00". Here is my Login controller code:
[HttpPost]
public ActionResult Index(Login login, string returnUrl)
{
    if (ModelState.IsValid)
        try
        {
            User user = UserManager.Login(login.Username, login.Password);
            string serialUser = Serialize.SerializeToString(user);
            string ticket = FormsAuthentication.Encrypt(
                new FormsAuthenticationTicket(1, login.Username, DateTime.Now, DateTime.Now.AddMinutes(20.0), login.RemeberMe, serialUser));
            HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, ticket) { Expires = DateTime.Now.AddMinutes(20) };
            Response.Cookies.Add(cookie);
            if (String.IsNullOrEmpty(returnUrl))
                return RedirectToAction("Index", "Home");
            else
                return Redirect(returnUrl);
        }
        catch (LoginFailedException)
        {
            ModelState.AddModelError("", "Login failed: Invalid Username or Password.");
            return View(login);
        }
    else
        return View(login);
}
At first I assumed the encrypted string was not working due to the length, but I have tested this by creating a simple test cookie and I am getting the same result.
Can anyone help?
When you call Redirect() or RedirectToAction(), you're terminating the response so the cookies aren't sent to the client. Some solutions:
Use TempData to persist the information across the redirect, writing the cookie in the action you redirect to.
Take a look at the way Forms Authentication cookie information is written in the NerdDinner code on CodePlex.
As mentioned in the comments, you can persist role information in Session. The recommendation to store the role information in Session and retrieve from Roles if not found would work, but I'd start by using the membership system as-is and performance tuning later if you see that it's a problem, rather than assuming it will be.