I am creating a web application in ASP.NET MVC which uses forms authentication to authenticate users. I am using the HTTP proxy tool "Burp" to capture an authenticated user's authentication cookie. After that I log out from the application. Now I am using the captured authentication cookie to send a request to my server, and the server is treating the request as an authenticated request (even after I have logged that user out from my browser). Could anyone let me know where I am going wrong in my logout code?

Below is the logout code of the application

    public virtual ActionResult LogOff()
    {
        FormsAuthentication.SignOut();
        Session.Abandon();

        // clear authentication cookie (FormsCookieName is ".ASPXAUTH" by default)
        HttpCookie cookie1 = new HttpCookie(FormsAuthentication.FormsCookieName, "");
        cookie1.Expires = DateTime.Now.AddYears(-1);
        Response.Cookies.Add(cookie1);

        // clear session cookie
        HttpCookie cookie2 = new HttpCookie("ASP.NET_SessionId", "");
        cookie2.Expires = DateTime.Now.AddYears(-1);
        Response.Cookies.Add(cookie2);

        // clear anti-forgery cookie
        HttpCookie cookie3 = new HttpCookie("__RequestVerificationToken", "");
        cookie3.Expires = DateTime.Now.AddYears(-1);
        Response.Cookies.Add(cookie3);

        // clear the forms authentication cookie again under its literal default name
        HttpCookie cookie4 = new HttpCookie(".ASPXAUTH", "");
        cookie4.Expires = DateTime.Now.AddYears(-1);
        Response.Cookies.Add(cookie4);

        return RedirectToAction(MVC.Account.Login());
    }

Below is a screenshot of the Burp tool sending the authenticated request, which gets a success response

Abhishek
  • I see that for `cookie3` and `cookie4` you are expiring the `cookie2` property again?? – Guruprasad J Rao Jun 29 '15 at 06:22
  • Can you show the code for sending the request to your server using the captured authenticated cookie, and when you are doing this action? – Guruprasad J Rao Jun 29 '15 at 06:28
  • Can you post your code where you are setting the cookie: FormsAuthentication.SetAuthCookie(model.UserName, model.RememberMe); – Ganesh Todkar Jun 29 '15 at 06:35
  • @GuruprasadRao I am not sending the authenticated request via code. The HTTP proxy tool 'Burp' I used to capture the request has a feature called Repeater; I am using that to send the request. I have added the screenshot for the same in my question – Abhishek Jun 29 '15 at 06:50
  • @GaneshTodkar this is my code for setting the authentication cookie: FormsAuthentication.SetAuthCookie(username, true); – Abhishek Jun 29 '15 at 06:50

1 Answer

After a lot of searching I came to the conclusion that there is no proper way to invalidate an authentication cookie. The authentication cookie ".ASPXAUTH" (the default name of the authentication cookie) basically just contains the username, when it was generated and the expiration details. It does not really tell whether the user is really authenticated.

If the user logs out, this cookie gets removed from the browser, but if this cookie has been captured and kept somewhere it will still serve as an authenticated request.

The only solution which I found was to add some extra bit of unique data to this cookie, store that data somewhere on the server (likely a database) and compare that unique data against the database on each authenticated request. When the user logs out, clear that unique data from the database. This ensures that if an authenticated request captured by some means hits the server after the user logs out, it does not get authenticated on the server.

Abhishek
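A worked version of the scheme the answer describes (server-side login token carried in the ticket's UserData, checked on every request, revoked at logout), added here as an example and not code from the question or the answer. The class names `AuthTokenStore` and `TicketAuth` are my own, and the `ConcurrentDictionary` is a stand-in for the database table the answer mentions so that the example is self-contained; everything else uses the standard `System.Web.Security` API.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Server-side registry of the currently valid login token per user.
// In-memory stand-in for the database the answer refers to (assumption).
public static class AuthTokenStore
{
    private static readonly ConcurrentDictionary<string, string> Tokens =
        new ConcurrentDictionary<string, string>(StringComparer.Ordinal);

    // Issue a fresh random token and make it the only valid one for this user.
    public static string Issue(string userName)
    {
        string token = Guid.NewGuid().ToString("N");
        Tokens[userName] = token;
        return token;
    }

    public static bool IsValid(string userName, string token)
    {
        string current;
        return Tokens.TryGetValue(userName, out current)
            && string.Equals(current, token, StringComparison.Ordinal);
    }

    // Logout: after this, any ticket still carrying the old token is rejected.
    public static void Revoke(string userName)
    {
        string ignored;
        Tokens.TryRemove(userName, out ignored);
    }
}

public static class TicketAuth
{
    // Login: build the ticket by hand (instead of SetAuthCookie) so the
    // server-side token can travel in the ticket's UserData field.
    public static void SignIn(HttpResponseBase response, string userName, bool persistent)
    {
        string token = AuthTokenStore.Issue(userName);
        var ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.Add(FormsAuthentication.Timeout),
            persistent, token, FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,
            Secure = FormsAuthentication.RequireSSL,
            Path = FormsAuthentication.FormsCookiePath
        };
        if (persistent) cookie.Expires = ticket.Expiration;
        response.Cookies.Add(cookie);
    }

    // Logout: revoke on the server first, then clear the browser-side state.
    public static void SignOut(HttpContextBase context)
    {
        if (context.User != null && context.User.Identity.IsAuthenticated)
            AuthTokenStore.Revoke(context.User.Identity.Name);
        FormsAuthentication.SignOut();
        context.Session.Abandon();
    }

    // Call from Global.asax:
    //   protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    //   { TicketAuth.ValidateTicket(HttpContext.Current); }
    // A cookie that still decrypts correctly but carries a revoked token
    // (for example one replayed after logout) is downgraded to anonymous.
    public static void ValidateTicket(HttpContext context)
    {
        var identity = context.User == null ? null : context.User.Identity as FormsIdentity;
        if (identity == null) return;

        if (!AuthTokenStore.IsValid(identity.Name, identity.Ticket.UserData))
        {
            FormsAuthentication.SignOut();
            context.User = new GenericPrincipal(new GenericIdentity(string.Empty), new string[0]);
        }
    }
}
```

Because `Issue` overwrites the stored token, a second login from another browser invalidates the first one's ticket as well; if concurrent sessions per user are required, store a set of tokens (or one row per login) instead of a single value. The lookup runs on every authenticated request, so the real store should be indexed on the username.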