0

This is a follow-up question to Is Forms Authentication as described in the Nancy docs susceptible to session hijacking?

I understand now how Nancy Form Authentication works and also the idea behind it, thanks to Steven Robbins' answer.

However, for my application that approach is not sufficient. It must not be possible to gain eternal access for an attacker if he manages to steal the auth cookie once. Thus, I'm currently investigating possibilities to switch to a session-based approach to authentication, so I can invalidate sessions when the user logs out and also after a fixed amount of time.

Nice thing about Nancy, such things can be customized!

My question is, does it make sense to reuse Nancy.FormsAuthentication for that purpose? One solution I have in mind is making the user identifier only temporarily valid. That way I would delete the GUID identifier from the user database when the user logs out, and create a new one everytime a user logs in.

I'm asking because the docs state:

It is also important to know that the identifier should be treated as permanent for the user that it was generated for and will be reused across requests and application sessions.

Are there any unwanted side-effects when I ignore that and make the identifier non-permanent?

Community
  • 1
  • 1
theDmi
  • 17,546
  • 6
  • 71
  • 138

1 Answers1

0

Yes and no.

If you change it each time the user logs in then you are effectively logging the user out.

You could create a Session / Identity table which allows the same user to login multiple times (assuming that the browser is different) which would allow you to manage the timeout / extending the timeout on each authentication.

That would require no changes to the Forms Auth, you would simply change the IUserMapper to authenticate against your Session / Identity table rather than the user directly.

(hope all that makes sense)

Phill
  • 18,398
  • 7
  • 62
  • 102