
I am running some security checks on an application I have built using ASP.NET MVC 4.

I am currently using a web debugger to compose unauthorized POSTs during testing.

My application enforces a policy where data can only be modified by the user that added it.

I use methods similar to the following to check the current user ID:

    // Only the user who added the item may modify it
    if (item.AddedByUser != WebMatrix.WebData.WebSecurity.CurrentUserId)
    {
        throw new UnauthorizedException();
    }

However, when I tried duplicating a previous successful POST (using an older 'ASP.NET_SessionId') I found that the WebMatrix.WebData.WebSecurity.CurrentUserId method returned the user ID of the user that was active during the previous session, rather than the user ID of the currently active user.

This looks like a potential security hole to me.

Does anyone know how this happens?

EDIT

I am calling the Session.Abandon() method and clearing the ASP.NET_SessionId cookie as part of my LogOff method as follows:

    public virtual ActionResult LogOff()
    {
        // SimpleMembership log-out (forms-authentication sign-out)
        WebSecurity.Logout();

        // Drop the server-side session state
        Session.Abandon();

        // Overwrite the session, forms-auth and anti-forgery cookies with empty values
        Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", ""));
        Response.Cookies.Add(new HttpCookie(".ASPXAUTH", ""));
        Response.Cookies.Add(new HttpCookie("__RequestVerificationToken", ""));

        return RedirectToAction("Index", "Home");
    }

However, the session still appears to be 'reusable' if a previous session ID is passed as part of the POST.

jjc99
  • Was the previous Session active less than 20 minutes earlier? Maybe you could check out `Session.Abandon` to kill off the session? [SessionID](http://support.microsoft.com/kb/899918) – LakshmiNarayanan Apr 09 '14 at 11:52
  • Hi LakshmiNarayanan, the session was active less than 20 minutes ago, but the user logged off and I did call Session.Abandon() in my LogOff() method. – jjc99 Apr 09 '14 at 11:57
  • I suppose the session IDs are being persisted in cookies, in spite of abandoning the session. You could consider rewriting the SessionID cookie after the Session.Abandon() is called, as suggested [here](http://stackoverflow.com/questions/3716298/sessionid-is-still-the-same-after-session-abandon-call). – LakshmiNarayanan Apr 09 '14 at 12:22
  • I appear to be already clearing the ASP.NET_SessionId cookie in my logoff method. My edit above shows my logoff method – jjc99 Apr 09 '14 at 13:13
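Added example, not code from the question or its comments. The replay described above works because the forms-authentication ticket (the `.ASPXAUTH` cookie that `WebSecurity.CurrentUserId` is ultimately resolved from) is self-contained: `WebSecurity.Logout()` calls `FormsAuthentication.SignOut()`, which only tells the browser to discard the cookie, and `Session.Abandon()` only affects session state, so a copied ticket stays valid until it expires, regardless of the session ID sent with it. The code below shows one server-side countermeasure: a per-user login serial (the `ILoginSerialStore` interface and its `GetSerial`/`Increment` methods are assumptions, to be backed by a column on the user row) is embedded in the ticket's `UserData` at login and compared on every request by a global authorization filter; logging off increments the serial, so every previously issued ticket is refused. It also expires cookies with a past `Expires` date rather than an empty value.

```csharp
using System;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;
using WebMatrix.WebData;

// ASSUMPTION: a server-side store holding one integer "login serial" per user.
// Incrementing it invalidates every forms-auth ticket issued before the bump.
public interface ILoginSerialStore
{
    int GetSerial(int userId);
    int Increment(int userId); // returns the new serial
}

public static class TicketAuth
{
    // Replace the cookie WebSecurity.Login() set with a ticket that carries "userId:serial".
    public static void Issue(HttpResponseBase response, ILoginSerialStore store,
                             int userId, string userName, bool persistent)
    {
        int serial = store.GetSerial(userId);
        var ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.Add(FormsAuthentication.Timeout),
            persistent, userId + ":" + serial, FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,
            Secure = FormsAuthentication.RequireSSL,
            Path = FormsAuthentication.FormsCookiePath
        };
        if (persistent) cookie.Expires = ticket.Expiration;
        response.Cookies.Set(cookie); // Set() replaces a same-named cookie; Add() would append
    }

    // Parse "userId:serial" out of the ticket's UserData; false if absent or malformed.
    public static bool TryRead(FormsAuthenticationTicket ticket, out int userId, out int serial)
    {
        userId = serial = 0;
        var parts = (ticket.UserData ?? string.Empty).Split(':');
        return parts.Length == 2
            && int.TryParse(parts[0], out userId)
            && int.TryParse(parts[1], out serial);
    }

    // A past Expires is what makes a browser drop a cookie; an empty value alone does not,
    // and neither helps against a hand-crafted request, which is why the serial check exists.
    public static void Expire(HttpResponseBase response, string name)
    {
        response.Cookies.Set(new HttpCookie(name, string.Empty)
        {
            Expires = DateTime.UtcNow.AddDays(-1),
            HttpOnly = true
        });
    }
}

// Register as a global filter (GlobalFilters.Filters.Add(new LoginSerialFilter(store))).
// Any authenticated request whose ticket serial no longer matches the store is rejected.
public class LoginSerialFilter : IAuthorizationFilter
{
    private readonly ILoginSerialStore _store;
    public LoginSerialFilter(ILoginSerialStore store) { _store = store; }

    public void OnAuthorization(AuthorizationContext filterContext)
    {
        var http = filterContext.HttpContext;
        if (!http.User.Identity.IsAuthenticated) return;

        FormsAuthenticationTicket ticket = null;
        var cookie = http.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie != null)
        {
            // Decrypt throws on tampered or truncated input; treat that as "no ticket".
            try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
            catch (Exception) { ticket = null; }
        }

        int userId, serial;
        bool valid = ticket != null && !ticket.Expired
                     && TicketAuth.TryRead(ticket, out userId, out serial)
                     && serial == _store.GetSerial(userId);
        if (valid) return;

        FormsAuthentication.SignOut();
        http.Session.Abandon();
        filterContext.Result = new HttpUnauthorizedResult();
    }
}

public class AccountController : Controller
{
    private readonly ILoginSerialStore _store;
    public AccountController(ILoginSerialStore store) { _store = store; }

    // Bumping the serial before signing out is the step that defeats a replayed ticket.
    public ActionResult LogOff()
    {
        if (User.Identity.IsAuthenticated)
            _store.Increment(WebSecurity.CurrentUserId);

        WebSecurity.Logout();
        Session.Abandon();
        TicketAuth.Expire(Response, FormsAuthentication.FormsCookieName);
        TicketAuth.Expire(Response, "ASP.NET_SessionId");
        return RedirectToAction("Index", "Home");
    }
}
```

In the login action, call `TicketAuth.Issue(Response, _store, WebSecurity.GetUserId(userName), userName, persistCookie)` right after `WebSecurity.Login(...)` returns true, so the ticket the browser keeps is the one carrying the serial. The `ASP.NET_SessionId` value is irrelevant to the check: session state is never consulted for identity, so the filter inspects only the forms-auth ticket.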
