aspnet / AspNetWebStack

ASP.NET MVC 5.x, Web API 2.x, and Web Pages 3.x (not ASP.NET Core)

WebSecurity: Old cookies can still authenticate users after they have logged out and their session's been abandoned. #243

Closed Nomenator closed 5 years ago

Nomenator commented 5 years ago

The steps to reproduce:

  1. Log in to the application, receive the authentication cookie.
  2. Save the cookies externally, outside of the browser.
  3. Log out.
  4. Clear cookies and browser cache.
  5. Check that you are not logged into the application.
  6. Apply the old cookies from step 2 to the browser.
  7. You are now an authenticated user.

Application code for testing this.

blowdart commented 5 years ago

Yes, this has always been the case, and will continue to be the case.

Authentication is not linked to session by design. If an attacker is in the position to steal your cookie from your machine then frankly they're in a position to monitor your username and password as you type them.

Later versions of ASP.NET Identity address this with security stamp rotation, and that approach can be used in your own code to address this problem if you think it's an issue.
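One way to build the security-stamp rotation blowdart refers to on top of FormsAuthentication in an MVC 5 app. This is an added example, not code from the AspNetWebStack project or from either commenter; the `StampedFormsAuth` and `StampedAuthorizeAttribute` names and the in-memory stamp store are assumptions (a real app would persist the stamp per user in its database).

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

public static class StampedFormsAuth
{
    // Hypothetical in-memory stamp store; a real app persists one stamp per user in its database.
    private static readonly ConcurrentDictionary<string, string> Stamps = new ConcurrentDictionary<string, string>();

    // Replacing a user's stamp with a fresh random one invalidates every ticket that carries the old one.
    private static string Rotate(string userName)
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        return Stamps[userName] = Convert.ToBase64String(bytes);
    }

    // Login: the ticket's UserData field carries the stamp that was current when it was issued.
    public static void SignIn(HttpResponseBase response, string userName, bool persistent)
    {
        var ticket = new FormsAuthenticationTicket(1, userName, DateTime.Now,
            DateTime.Now.AddMinutes(30), persistent, Rotate(userName));
        response.Cookies.Add(new HttpCookie(FormsAuthentication.FormsCookieName,
            FormsAuthentication.Encrypt(ticket)) { HttpOnly = true, Secure = true });
    }

    // Logout: SignOut only clears the browser's copy; the rotation is what kills a saved copy (step 6 above).
    public static void SignOut(string userName) { Rotate(userName); FormsAuthentication.SignOut(); }

    // Per request: the cookie must decrypt, be unexpired, and carry the user's current stamp.
    public static bool TicketIsCurrent(HttpContextBase ctx)
    {
        var cookie = ctx.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null) return false;
        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { return false; } // unreadable or tampered cookie
        return ticket != null && !ticket.Expired
            && Stamps.TryGetValue(ticket.Name, out var current) && current == ticket.UserData;
    }
}

// Use in place of [Authorize]: a cookie that still decrypts but carries a rotated stamp is rejected.
public class StampedAuthorizeAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase ctx) =>
        base.AuthorizeCore(ctx) && StampedFormsAuth.TicketIsCurrent(ctx);
}
```

Rotating the stamp on password change as well gives the same "log out everywhere" effect that Identity's security stamp provides.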