Prevent authentication bypass via response manipulation with ASP.NET Core Identity implementation

Aditi.Rachna 21 Reputation points
2022-04-20T05:45:51.457+00:00

Our web application uses the ASP.NET Core Identity implementation. In security testing of our application, a vulnerability was found: authentication bypass via response manipulation.

For example: User1 logs into the system with valid user credentials, the cookie for that user is copied, and User1 logs out. User1 then tries to log in with an incorrect password, intercepts the request and uses User1's valid cookie to log into the system, and User1 is logged in even with the incorrect password.

How do I destroy the cookie and invalidate the session for an ASP.NET Core Identity implementation?

Tags: ASP.NET Core Identity, .NET 5.0, ASP.NET Core MVC, C#


Accepted answer
    Zhi Lv - MSFT 32,011 Reputation points Microsoft Vendor
    2022-04-21T10:15:57.947+00:00

    Hi @Aditi.Rachna ,

    As AgaveJoe said, you could use the SecurityStamp Property and the SecurityStampValidatorOptions.ValidationInterval Property to make the logout user's cookie invalid.

    In the ASP.NET Core Identity Logout.cshtml.cs page (if you can't find this page in the Identity area, see Scaffold Identity in ASP.NET Core projects), in the OnPost method, find the current user and update the security stamp:

    (screenshot: the Logout.cshtml.cs OnPost method, updating the security stamp of the current user before signing out)

    Then, in the Startup.cs file, add the following code in the ConfigureServices method:

        services.Configure<SecurityStampValidatorOptions>(options =>
        {
            options.ValidationInterval = TimeSpan.FromSeconds(10);
        });


    Then I used Postman to check whether the cookie is invalid after the user logs out. The result looks like this:

    The Privacy action method has the [Authorize] attribute, so it requires the user to be logged in; after clicking the logout button, even though Postman sends the request with the previous cookie, it still shows the login page.

    (animation: after logout, a Postman request to /Privacy carrying the previous cookie is redirected to the login page)



    Best regards,
    Dillion


1 additional answer

    AgaveJoe 26,191 Reputation points
    2022-04-20T10:54:54.757+00:00

    How to destroy the cookie and invalidate the session for asp.net core identity implementation?

    Update the security stamp (GUID) in the AspNetUsers table when the user logs out. The authentication cookie contains a copy of the security stamp.

    IdentityUser<TKey>.SecurityStamp Property

    Also, there is a security stamp validator that checks the security stamp every 30 minutes by default. This is a configuration setting you can change if 30 minutes does not meet your requirement(s).

    SecurityStampValidatorOptions.ValidationInterval Property

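The procedure that both answers describe (rotate the security stamp on logout, then shorten the validator interval), written out as one added example for an ASP.NET Core 5 MVC project with scaffolded Identity. This is not code from the thread or from Microsoft; the class, file and field names follow the default Identity scaffolding, and the `WebApp` namespace is an assumption. The one deliberate difference from the accepted answer is the interval: with `TimeSpan.FromSeconds(10)` a copied cookie still replays successfully for up to ten seconds after logout, because the validator only re-checks the stamp once the cookie is older than the interval. `TimeSpan.Zero` closes that window at the cost of one store lookup per request.

```csharp
// Added example, not from the original thread. Assumes the default Identity
// scaffolding (IdentityUser, SignInManager/UserManager via DI); "WebApp" is an
// assumed project namespace.
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

namespace WebApp.Areas.Identity.Pages.Account
{
    // Areas/Identity/Pages/Account/Logout.cshtml.cs
    [AllowAnonymous]
    public class LogoutModel : PageModel
    {
        private readonly SignInManager<IdentityUser> _signInManager;
        private readonly UserManager<IdentityUser> _userManager;
        private readonly ILogger<LogoutModel> _logger;

        public LogoutModel(SignInManager<IdentityUser> signInManager,
                           UserManager<IdentityUser> userManager,
                           ILogger<LogoutModel> logger)
        {
            _signInManager = signInManager;
            _userManager = userManager;
            _logger = logger;
        }

        public async Task<IActionResult> OnPost(string returnUrl = null)
        {
            // Rotate the stamp BEFORE signing out, while User still identifies
            // the caller. The authentication cookie is a self-contained encrypted
            // ticket that carries a copy of the stamp; changing the stored value
            // in AspNetUsers.SecurityStamp makes every previously issued copy of
            // that cookie fail its next validation, so a captured cookie cannot
            // be replayed even though the client still holds it.
            var user = await _userManager.GetUserAsync(User);
            if (user != null)
            {
                await _userManager.UpdateSecurityStampAsync(user);
            }

            await _signInManager.SignOutAsync();
            _logger.LogInformation("User logged out.");

            if (returnUrl != null)
            {
                return LocalRedirect(returnUrl);
            }
            return RedirectToPage();
        }
    }
}

namespace WebApp
{
    // Startup.cs (only the part relevant to this thread)
    public class Startup
    {
        public void ConfigureServices(IServiceCollection services)
        {
            // ... AddDbContext / AddDefaultIdentity / AddControllersWithViews
            //     exactly as scaffolded ...

            // The SecurityStampValidator re-reads the stamp from the user store
            // only when the cookie's IssuedUtc is older than ValidationInterval
            // (30 minutes by default). A stolen cookie therefore stays valid for
            // up to that long after logout. TimeSpan.Zero validates on every
            // request and closes the window; use a short non-zero value instead
            // if the extra database read per request is a concern.
            services.Configure<SecurityStampValidatorOptions>(options =>
            {
                options.ValidationInterval = TimeSpan.Zero;
            });
        }
    }
}
```

To confirm the fix the way the accepted answer does: log in, save the `.AspNetCore.Identity.Application` cookie, log out, then replay a request to an `[Authorize]` action with the saved cookie. Before the change it returns the protected page; after it, the response is a redirect to the login page. The same rotation also covers the related cases where a session must die immediately, such as password change or admin-forced logout, since both only need `UpdateSecurityStampAsync` on the affected user.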