
I have a web application that uses OWIN middleware for authentication. When logging out of the application the authorisation cookie remains valid. When signing out of the application the HTTP response sets the auth cookie to:

Set-Cookie: B2BGatewayAuth=; expires=Thu, 01-Jan-1970 00:00:00 GMT; path=/

However, if I manually invoke a web request again with the same B2BGatewayAuth cookie this works absolutely fine. I would not expect this, as the cookie is never truly invalidated on logging out of the application. This is a security concern as it is possible to repeat an existing HTTP request to an authenticated resource after a user has logged out of the application.

In the simplest example I can capture the Logout HTTP request, which is to an authenticated resource, using Fiddler / Burp Suite etc. and repeat this request over and over. This should not be possible, as I would expect that using the SignOut method should invalidate the auth cookie. I would expect that after using the SignOut method, repeating the same Logout HTTP request should have the same result as not providing any B2BGatewayAuth cookie, but this doesn't appear to be the case.

I have explored similar questions such as "OWIN SignOut doesn't remove cookie", but the solutions for this don't seem to work for me.

My Startup.cs cookie settings:

public void Configuration(IAppBuilder app)
{
    var cookieName = GetAppSetting<string>("CookieName");
    var cookieExpireMinutes = GetAppSetting<int>("CookieExpireMinutes");
    var loginPath = GetAppSetting<string>("LoginPath");

    var cookieAuthOptions = new CookieAuthenticationOptions
    {
        AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
        CookieHttpOnly = true,
        ExpireTimeSpan = TimeSpan.FromMinutes(cookieExpireMinutes),
        // Each authenticated request may renew the ticket's expiry.
        SlidingExpiration = true,
        // Secure flag is only set when the request itself arrived over HTTPS.
        CookieSecure = CookieSecureOption.SameAsRequest,
        CookieManager = new SystemWebCookieManager(),
        LoginPath = new PathString(loginPath),
        CookieName = cookieName
        // No Provider / OnValidateIdentity is configured, so a ticket is
        // accepted as-is until its ExpireTimeSpan runs out.
    };

    app.UseCookieAuthentication(cookieAuthOptions);
}

Login method:

private void SignIn(UserData user, ClaimsIdentity claimsToAdd)
{
    // Clear any existing application cookie before issuing a new one.
    this.authenticationManager.SignOut(DefaultAuthenticationTypes.ApplicationCookie);

    var identity = this.identityFactory.GetIdentity(user);

    foreach (var claim in claimsToAdd.Claims)
    {
        identity.AddClaim(claim);
    }

    // IsPersistent = false: session cookie, discarded when the browser closes.
    this.authenticationManager.SignIn(new AuthenticationProperties() { IsPersistent = false }, identity);

    this.SetGAEventTempData("Success");
}

Log out method:

public ActionResult LogOff()
{
    // Emits the Set-Cookie that clears the browser's copy of the cookie;
    // the encrypted ticket itself is not invalidated on the server.
    authenticationManager.SignOut(DefaultAuthenticationTypes.ApplicationCookie);

    LogInfo("Logged off.");
    return RedirectToAction("Login", "Account");
}
Ben
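One way to close this gap, as an added example that is not the poster's code: the OWIN cookie ticket is self-contained and stays valid until it expires, so only a server-side check can refuse a replayed copy. The hypothetical SessionRevocation class below stamps each login with a session-id claim, records that id in a server-side revocation set at logout, and rejects the ticket in OnValidateIdentity on every later request; its three entry points are meant to be called from the Startup, SignIn and LogOff methods shown in the question.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin.Security.Cookies;

// Hypothetical revocation store. The in-memory set is only correct for a single
// process; back it with a database or shared cache on a multi-node deployment.
public static class SessionRevocation
{
    public const string SessionIdClaim = "urn:app:session-id";
    private static readonly ConcurrentDictionary<string, byte> Revoked =
        new ConcurrentDictionary<string, byte>();

    // Attach to the options built in Startup.Configuration, before
    // app.UseCookieAuthentication(cookieAuthOptions).
    public static void Attach(CookieAuthenticationOptions options)
    {
        options.Provider = new CookieAuthenticationProvider
        {
            OnValidateIdentity = ValidateIdentity
        };
    }

    // Call from SignIn before authenticationManager.SignIn(...): gives the
    // ticket a per-login id that the server can later refuse.
    public static void TagIdentity(ClaimsIdentity identity)
    {
        identity.AddClaim(new Claim(SessionIdClaim, Guid.NewGuid().ToString("N")));
    }

    // Call from LogOff before authenticationManager.SignOut(...), passing
    // User.Identity as ClaimsIdentity.
    public static void RevokeCurrent(ClaimsIdentity identity)
    {
        var sid = identity == null ? null : identity.FindFirst(SessionIdClaim);
        if (sid != null) Revoked.TryAdd(sid.Value, 0);
    }

    // Runs on every request that presents the auth cookie. After logout the
    // ticket is still unexpired and correctly signed, so this is where a
    // replayed cookie is rejected and cleared.
    private static Task ValidateIdentity(CookieValidateIdentityContext context)
    {
        var sid = context.Identity == null ? null : context.Identity.FindFirst(SessionIdClaim);
        if (sid == null || Revoked.ContainsKey(sid.Value))
        {
            context.RejectIdentity();
            context.OwinContext.Authentication.SignOut(context.Options.AuthenticationType);
        }
        return Task.FromResult(0);
    }
}
```

ASP.NET Identity's SecurityStampValidator implements the same pattern against the user's security stamp, so calling UpdateSecurityStampAsync at logout achieves the equivalent without a separate store.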
