
How do I invalidate a session?
Repro:

  1. Login using a normal account
  2. Export cookies associated with my site
  3. Click the logout button
  4. Confirm that I'm logged out of the site, the cookie is cleared
  5. Import the cookies copied from step 2
  6. I'm now logged into the site again without having to go through the login process

Is there any way to make the cookies previously copied invalid?

I'm using the standard MVC5 logoff function.

    public ActionResult LogOff()
    {
        AuthenticationManager.SignOut();
        return RedirectToAction("Index", "Home");
    }


    private IAuthenticationManager AuthenticationManager
    {
        get
        {
            return HttpContext.GetOwinContext().Authentication;
        }
    }

Also tried signing out just the cookie.

    AuthenticationManager.SignOut(DefaultAuthenticationTypes.ApplicationCookie);

Thought changing the SecurityStamp would also work but since the claim hasn't changed, the stamp doesn't either.

    // UpdateSecurityStampAsync takes the user id, not the user name, and returns a Task
    await UserManager.UpdateSecurityStampAsync(user.Id);

I've also tried this function which the documentation says should invalidate the session. http://msdn.microsoft.com/en-us/library/system.web.sessionstate.httpsessionstate.abandon(v=vs.110).aspx

    Session.Abandon();
Bill Shihara

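The mechanism MVC5's OWIN cookie middleware provides for exactly this replay is security-stamp validation: the cookie carries a SecurityStamp claim, the server re-checks it against the stamp stored for the user, and rotating the stamp at logoff makes every previously issued cookie fail that check. The following is an added example, not the asker's code; it assumes ASP.NET Identity 2.x with the Microsoft.AspNet.Identity.Owin package and the VS2013 template types ApplicationUserManager, ApplicationUser and ApplicationUser.GenerateUserIdentityAsync (which adds the stamp claim through UserManager.CreateIdentityAsync).

```csharp
using System;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Owin;

// ---- App_Start/Startup.Auth.cs ----
public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        // One ApplicationUserManager per request (template type, assumed to exist).
        app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"),
            Provider = new CookieAuthenticationProvider
            {
                // Compare the SecurityStamp claim carried in the cookie with the stamp
                // currently stored for the user. A mismatch rejects the identity and
                // clears the cookie, so a cookie exported before logoff is refused once
                // the stamp has been rotated. validateInterval zero means "check on
                // every request" (and re-issue the cookie every request); a few minutes
                // is cheaper but leaves a window of that length after logoff.
                OnValidateIdentity = SecurityStampValidator
                    .OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                        validateInterval: TimeSpan.Zero,
                        regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
            }
        });
    }
}

// ---- Controllers/AccountController.cs (only the members that matter here) ----
public class AccountController : Controller
{
    private ApplicationUserManager UserManager
    {
        get { return HttpContext.GetOwinContext().GetUserManager<ApplicationUserManager>(); }
    }

    private IAuthenticationManager AuthenticationManager
    {
        get { return HttpContext.GetOwinContext().Authentication; }
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<ActionResult> LogOff()
    {
        // Rotate the stamp BEFORE signing out, while the current identity still
        // provides the user id (UpdateSecurityStampAsync takes the id, not the name).
        // This invalidates the cookie being cleared here AND any copy of it.
        await UserManager.UpdateSecurityStampAsync(User.Identity.GetUserId());
        AuthenticationManager.SignOut(DefaultAuthenticationTypes.ApplicationCookie);
        return RedirectToAction("Index", "Home");
    }
}
```

Rotating the stamp signs the user out of every browser and device, not just the one that clicked logout, which is normally the intended meaning of an explicit logoff; the same call is what password changes and a "kick this user" admin action should use.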
2 Answers


I didn't know of the cookie issue you described, but I needed to let users invalidate sessions from a desktop app, so the users on the desktop can kick someone off the web app. I did this by creating a GUID when they log in and storing the GUID in my database and a cookie. Then I override AuthorizeAttribute.AuthorizeCore to check that the GUID in my database is still valid. My table with the GUID has a column IsValid, and I change IsValid to false when they log out, or when someone from the desktop kicks them off.

If you had a similar sessions table with KeyId and IsValid columns and overrode AuthorizeAttribute.AuthorizeCore, you could check the IsValid column in your database instead of relying on cookies.

I hope that gives you an idea.

Ben-Coden
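One way to implement the server-side record this answer describes, as an added example rather than the answerer's own code: a row per login with the KeyId and IsValid columns named above, only the id stored in a cookie, and an AuthorizeAttribute that consults the row after the normal cookie check. The LoginKey cookie name, the ILoginSessionStore interface and the in-memory store are assumptions; a real deployment replaces the in-memory store with the database table.

```csharp
using System;
using System.Collections.Concurrent;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;

// One row per successful login (KeyId, UserId, IsValid), as in the answer's table.
public class LoginSession
{
    public Guid KeyId { get; set; }
    public string UserId { get; set; }
    public bool IsValid { get; set; }
}

public interface ILoginSessionStore
{
    LoginSession Find(Guid keyId);
    void Save(LoginSession session);
}

// Constructed stand-in for the database table so the example is self-contained.
public class InMemoryLoginSessionStore : ILoginSessionStore
{
    private readonly ConcurrentDictionary<Guid, LoginSession> _rows = new ConcurrentDictionary<Guid, LoginSession>();
    public LoginSession Find(Guid keyId) { LoginSession s; return _rows.TryGetValue(keyId, out s) ? s : null; }
    public void Save(LoginSession session) { _rows[session.KeyId] = session; }
}

public static class LoginSessions
{
    public const string CookieName = "LoginKey";                        // assumed cookie name
    public static ILoginSessionStore Store = new InMemoryLoginSessionStore();

    // Call right after SignInAsync succeeds: new row, and only its id goes to the browser.
    public static void Begin(HttpResponseBase response, string userId)
    {
        var s = new LoginSession { KeyId = Guid.NewGuid(), UserId = userId, IsValid = true };
        Store.Save(s);
        response.Cookies.Add(new HttpCookie(CookieName, s.KeyId.ToString()) { HttpOnly = true, Secure = true });
    }

    // Call from LogOff (or from the desktop "kick" action with the row's KeyId). The row is
    // flagged, not deleted, so a replayed key maps to an explicitly invalid record.
    public static void End(Guid keyId)
    {
        var s = Store.Find(keyId);
        if (s != null) { s.IsValid = false; Store.Save(s); }
    }

    public static void EndFromRequest(HttpRequestBase request)
    {
        Guid key;
        if (TryReadKey(request, out key)) End(key);
    }

    public static bool IsValid(HttpRequestBase request, string userId)
    {
        Guid key;
        if (!TryReadKey(request, out key)) return false;
        var s = Store.Find(key);
        // Bind the row to the user named in the auth cookie, so a login key issued to one
        // account cannot vouch for a different account's replayed auth cookie.
        return s != null && s.IsValid && s.UserId == userId;
    }

    private static bool TryReadKey(HttpRequestBase request, out Guid key)
    {
        key = Guid.Empty;
        var c = request.Cookies[CookieName];
        return c != null && Guid.TryParse(c.Value, out key);
    }
}

// Drop-in for [Authorize]: the OWIN cookie must still be cryptographically valid AND the
// server-side row for this login must still be flagged valid.
public class SessionAuthorizeAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (!base.AuthorizeCore(httpContext)) return false;
        var userId = httpContext.User.Identity.GetUserId();
        if (LoginSessions.IsValid(httpContext.Request, userId)) return true;

        // Replayed or revoked login: clear the auth cookie so the browser stops presenting
        // it, then fail authorization (401, which the cookie middleware turns into a
        // redirect to the login page).
        httpContext.GetOwinContext().Authentication.SignOut(DefaultAuthenticationTypes.ApplicationCookie);
        return false;
    }
}
```

In the controller this is `LoginSessions.Begin(Response, user.Id);` after SignInAsync in Login, `LoginSessions.EndFromRequest(Request);` before SignOut in LogOff, and `[SessionAuthorize]` in place of `[Authorize]` on protected actions. The check costs one lookup per authorized request; caching rows for a short interval trades that cost against a delay before a revocation takes effect.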

I don't know how to "invalidate" the cookie itself, but if what you need is to invalidate the requests that re-use the cookie, then you can track the status of the session, and check this status after request authentication.

For tracking the session:

    public async Task<ActionResult> Login(LoginViewModel model, string returnUrl)
    {
         ...
         await SignInAsync(user, model.RememberMe);
         Session["IsValid"] = true;         // Tells that the session is valid 
         ...
    }

    public ActionResult LogOff()
    {          
         AuthenticationManager.SignOut();
         Session["IsValid"] = false;       // The session is no longer valid
         ...
    }

And in the Global.asax

    // Session_End only fires with InProc session state, not with StateServer or SQLServer modes
    protected void Session_End(Object sender, EventArgs e)
    {
         Session["IsValid"] = false;      // Invalidate the session here too
    }


    protected void Application_AcquireRequestState(Object sender, EventArgs e)
    {
         // Session is null for handlers without session state, and the flag is null (not
         // false) when this session never went through Login, e.g. a fresh session created
         // after logout; a direct (bool) cast would throw in both cases.
         var session = HttpContext.Current.Session;
         var isValid = session == null ? null : session["IsValid"] as bool?;
         if (Request.IsAuthenticated &&                          // The cookie tells that the request is authenticated...
             isValid != true)                                    // but the session status is NOT valid (false or never set)
         {
               // Handle requests that re-use the auth cookie
         }
    }
Ahmad Ibrahim
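A completed version of this answer's Global.asax check, as an added example and not the answerer's code, that goes one step further than a true/false flag: it records which user the session was established for and compares that to the user named in the auth cookie. A bare flag can be satisfied by logging in as oneself (flag = true) and then swapping in someone else's exported auth cookie; binding the session to the user id closes that. It assumes Login sets `Session["AuthUserId"] = user.Id;` after SignInAsync and LogOff calls `Session.Abandon();` after SignOut (the key name is an assumption).

```csharp
using System;
using System.Security.Principal;
using System.Web;
using Microsoft.AspNet.Identity;

public class MvcApplication : HttpApplication
{
    protected void Application_AcquireRequestState(object sender, EventArgs e)
    {
        // Session is null for handlers that opt out of session state (e.g. static files);
        // Request.IsAuthenticated is false when no auth cookie was presented at all.
        var session = HttpContext.Current.Session;
        if (session == null || !Request.IsAuthenticated) return;

        // Accept only when this server-side session was created by a Login for the SAME
        // user the auth cookie names. After LogOff (Session.Abandon) a replayed cookie
        // arrives with a new, empty session, so sessionUserId is null and the check fails.
        var sessionUserId = session["AuthUserId"] as string;
        var cookieUserId = Context.User.Identity.GetUserId();
        if (sessionUserId != null && sessionUserId == cookieUserId) return;

        // Replayed or stale auth cookie: clear it, drop the identity for this request so
        // nothing downstream sees it as authenticated, and send the client to the login page.
        Context.GetOwinContext().Authentication.SignOut(DefaultAuthenticationTypes.ApplicationCookie);
        Context.User = new GenericPrincipal(new GenericIdentity(string.Empty), new string[0]);
        Response.Redirect("~/Account/Login", endResponse: true);
    }
}
```

Because the decision lives in session state, it is only as durable as the session store: with InProc state an application-pool recycle empties every session, which fails closed here (everyone is sent back to login), and with StateServer or SQLServer modes Session_End never fires, so the LogOff path must do the cleanup itself.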