C# - Privilege Escalation & Session Hijacking in Identity MVC5


I am using ASP.NET Identity 2.0 authentication (OWIN middleware) in my application.

Session hijacking: when I log in, Identity creates an AspNet.ApplicationCookie. I copied the AspNet.ApplicationCookie value and then logged out of the application. After logout, I created the cookie manually (AspNet.ApplicationCookie) and refreshed; it redirected me to the home page.

Privilege escalation: at the same time, I logged in as user A and copied the (AspNet.ApplicationCookie) cookie, then logged out. After that I logged in as user B, edited user B's cookie, pasted user A's cookie and saved it. After refreshing the browser I could access user A's authentication.

I clear the session and delete the cookies when logging out. ASP.NET Identity (OWIN) even generates a new AspNet.ApplicationCookie each and every time, but it still accepts the old cookies and gives me access. I don't know why. Can anyone tell me how to invalidate the old AspNet.ApplicationCookie after logout? Code in Startup.Auth.cs:

    public void ConfigureAuth(IAppBuilder app)
    {
        // Enable the application to use a cookie to store information for the signed-in user
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login")
        });
        // Use a cookie to temporarily store information about a user logging in with a third-party login provider
        app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);
    }

// This is the logout code:

    public ActionResult LogOff()
    {
        // Delete cookies while the user logs out
        string[] myCookies = Request.Cookies.AllKeys;
        foreach (var cookieName in myCookies)
        {
            Response.Cookies[cookieName].Expires = DateTime.Now.AddDays(-1);
        }
        Request.GetOwinContext().Authentication.SignOut(Microsoft.AspNet.Identity.DefaultAuthenticationTypes.ApplicationCookie);
        // AuthenticationManager.SignOut();
        Session.Clear();
        Session.RemoveAll();
        Session.Abandon();
        return RedirectToAction("LoginPage", "Account");
    }

// This is the login controller code:

    public async Task<ActionResult> Login(LoginViewModel model, string returnUrl)
    {
        if (ModelState.IsValid)
        {
            var user = await UserManager.FindAsync(model.UserName, model.Password);
            if (user != null)
            {
                await SignInAsync(user, model.RememberMe);
                return RedirectToLocal(returnUrl);
            }
            else
            {
                ModelState.AddModelError("", "Invalid username or password.");
            }
        }

        // If we got this far, something failed; redisplay the form
        return View(model);
    }

This is by design. It allows you to be signed in on multiple browsers, and logging out in the browser where you clicked "Log out" does not log out the other browsers.

But on log-out you can update the SecurityStamp on the user, and set the security stamp validation period to a low period of time.

This changes the security stamp:

    await UserManager.UpdateSecurityStampAsync(user.Id);

Put it in the logout method.

And in Startup.Auth.cs modify UseCookieAuthentication in this way:

    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
        LoginPath = new PathString("/Account/Login"),
        Provider = new CookieAuthenticationProvider
        {
            // Enables the application to validate the security stamp when the user logs in.
            // This is a security feature which is used when you change a password or add an external login to your account.
            OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                validateInterval: TimeSpan.FromMinutes(1), // set low enough to balance speed against DB performance
                regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
        }
    });

The drawback of this approach: when the logout procedure is not executed, nothing happens. And when logout does happen, it logs out the other sessions as well.
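Added example (not code from the question or the answer): a LogOff action that rotates the security stamp before signing out, so the stamp carried by any previously issued cookie no longer matches the one stored for the user. It assumes the MVC5 Identity template's ApplicationUserManager registered on the OWIN context and the Startup.Auth.cs provider from the answer with validateInterval set.

```csharp
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin.Security;

public class AccountController : Controller
{
    // Assumption: ApplicationUserManager is the template's UserManager<ApplicationUser>
    // subclass, registered with app.CreatePerOwinContext in Startup.Auth.cs.
    private ApplicationUserManager UserManager
    {
        get { return HttpContext.GetOwinContext().GetUserManager<ApplicationUserManager>(); }
    }

    private IAuthenticationManager AuthenticationManager
    {
        get { return HttpContext.GetOwinContext().Authentication; }
    }

    // POST + anti-forgery token, as in the default template, so a cross-site request
    // cannot trigger the stamp rotation and log the user out everywhere.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<ActionResult> LogOff()
    {
        var userId = User.Identity.GetUserId();
        if (userId != null)
        {
            // Rotate the stamp first: every existing ticket for this user now carries a
            // stale AspNet.Identity.SecurityStamp claim. SecurityStampValidator rejects
            // such a ticket at its next check, i.e. at most validateInterval after this call.
            await UserManager.UpdateSecurityStampAsync(userId);
        }

        // Then drop the cookie for this browser and abandon the server-side session.
        AuthenticationManager.SignOut(DefaultAuthenticationTypes.ApplicationCookie);
        Session.Abandon();
        return RedirectToAction("Login", "Account");
    }
}
```

With the answer's validateInterval of one minute, a replayed pre-logout cookie is still accepted for up to a minute; the window shrinks with a smaller interval at the cost of one user lookup per request past the interval.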
