Background (skip if you like)
I am working on a .NET (4.5.2) web application which uses CookieAuthentication and OpenIdConnectAuthentication (integrated with Azure AD) provided by OWIN middleware.
A penetration test from the client has highlighted that, even after the user signs out, the cookie is still authorised and could therefore be used to submit requests. This is expected behavior, but I need to find a way around it.
I am attempting to implement the workaround in this related post, i.e. use the `SecurityStampValidator.OnValidateIdentity` method along with calling `UserManager.UpdateSecurityStampAsync` to effectively invalidate the cookie on sign out.
Code (I can provide more on request, if helpful)
I have added the `CookieAuthenticationProvider` with `OnValidateIdentity` within my `ConfigureAuth` method:
```csharp
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    CookieName = "whatever",
    Provider = new CookieAuthenticationProvider
    {
        // Re-check the user's SecurityStamp against the store every minute;
        // if it no longer matches the stamp claim in the cookie, the cookie is rejected.
        OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
            validateInterval: TimeSpan.FromMinutes(1),
            regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager)
        ),
    },
});
```
I have also added `UseTokenLifetime = false` to the `OpenIdConnectAuthenticationOptions` as per this helpful post.
I plan on adding `UserManager.UpdateSecurityStampAsync(User.Identity.GetUserId());` in the sign out process, but I've not got as far as testing that yet.
In case it is relevant, here is my sign in initiator:

```csharp
Request.GetOwinContext().Authentication.Challenge(
    new AuthenticationProperties { RedirectUri = Request.ApplicationPath },
    OpenIdConnectAuthenticationDefaults.AuthenticationType);
```
My Expectation
As the SecurityStamp should not have changed, after the `validateInterval` (1 minute) everything should continue to work as normal (the user's existing cookie remains valid).
Result
The first request after > 1 minute from sign-in results in the following `Set-Cookie` response header being returned:

```
whatever=; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT
```

And therefore the user's cookie is removed and they are signed out.
Question(s)
Is my expectation valid, or am I misunderstanding `validateInterval`? Is there a way I can get the above to work how I want it to? Is it possible that the SecurityStamp is being changed somewhere in the sign-in process without me realising, after the initial cookie is created?
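The sign-out step the question plans to add, written out as an added example (this is not code from the question or from the OWIN/Identity projects): rotate the SecurityStamp first, then sign out of both the cookie and the OpenID Connect middleware. It assumes the default Identity template layout, where `ApplicationUserManager` is registered in the OWIN context and the controller is an MVC 5 `AccountController`; the action name and redirect target are placeholders.

```csharp
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;

public class AccountController : Controller
{
    // Assumption: ApplicationUserManager was registered per request in Startup.Auth,
    // as the default ASP.NET Identity template does.
    private ApplicationUserManager UserManager
    {
        get { return HttpContext.GetOwinContext().GetUserManager<ApplicationUserManager>(); }
    }

    // POST so that a cross-site GET cannot log the user out; token check to match.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<ActionResult> SignOut()
    {
        var userId = User.Identity.GetUserId();
        if (userId != null)
        {
            // Rotate the stamp before clearing the cookie. Every cookie issued for this
            // user before this point now carries a stale stamp claim, so the next time
            // SecurityStampValidator runs for it (within validateInterval) it is rejected.
            var result = await UserManager.UpdateSecurityStampAsync(userId);
            if (!result.Succeeded)
            {
                // Log and continue: the cookie is still cleared below, but a copy of it
                // elsewhere would remain valid, so this failure is worth alerting on.
                System.Diagnostics.Trace.TraceError("SecurityStamp update failed for user {0}", userId);
            }
        }

        // Clear the session cookie and end the OpenID Connect (Azure AD) session.
        HttpContext.GetOwinContext().Authentication.SignOut(
            CookieAuthenticationDefaults.AuthenticationType,
            OpenIdConnectAuthenticationDefaults.AuthenticationType);

        return RedirectToAction("Index", "Home"); // placeholder destination
    }
}
```

Note the window this leaves: a cookie that was validated just before sign-out is still accepted until its `validateInterval` elapses, so the interval bounds how long a captured cookie stays usable after sign-out, and the stamp must be written to the same store the validator reads from.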