How to invalidate ".AspNet.Cookies" cookie on logout?

Abhishek, Burra 30 Reputation points
2024-07-16T11:05:41.7266667+00:00

I have a .NET application deployed to Azure. A penetration test finding called "Session Not Invalidated After Logout" has been raised.

When an API GET request is sent along with the .AspNet.Cookies cookie while the user is logged in, a successful response is received as expected. Even after the user logs out, a response is still received when the request is made with the same old cookie.

Please help me invalidate the .AspNet.Cookies cookie after logout. I have already tried Session.Clear, Session.Abandon, setting the expiry to -1 day, and removing the cookies, and nothing works.


Accepted answer
  1. Bruce (SqlWork.com) 66,706 Reputation points
    2024-07-16T15:35:23.0033333+00:00

    Deleting the cookie won't help, because this is just a request to the browser and the penetration test will ignore the request. You must add additional validation to the cookie. Add a validation token that is checked during cookie validation (the server saves it in a persistent store). When you want to delete the cookie, remove the validation token from the server, so if the cookie is reposted, it is not valid.

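The server-side validation token described above, as an added example (not code from the answer, nor a Microsoft sample), written for the OWIN/Katana cookie middleware that issues the ".AspNet.Cookies" cookie. The SessionRegistry class, the claim type, and the in-memory dictionary are assumptions; it also assumes the app uses the middleware's default authentication type "Cookies".

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Threading.Tasks;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;
// Server-side registry of live sessions: constructed in-memory here, persistent (SQL, Redis) in production.
public static class SessionRegistry
{
    public const string TokenClaimType = "urn:example:session-token"; // hypothetical claim type
    private static readonly ConcurrentDictionary<string, DateTimeOffset> Active = new ConcurrentDictionary<string, DateTimeOffset>();
    // Login: mint a random token, record it server-side, and embed it in the identity the cookie carries.
    public static void Issue(ClaimsIdentity identity)
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        var token = Convert.ToBase64String(bytes);
        Active[token] = DateTimeOffset.UtcNow;
        identity.AddClaim(new Claim(TokenClaimType, token));
    }
    // Every request: the cookie is accepted only if the token it carries is still registered.
    public static bool IsValid(ClaimsIdentity identity)
    {
        var token = identity?.FindFirst(TokenClaimType)?.Value;
        return token != null && Active.ContainsKey(token);
    }
    // Logout: drop the token, then clear the cookie. A replayed copy still decrypts but now fails validation.
    public static void Logout(IOwinContext owin)
    {
        var token = (owin.Authentication.User?.Identity as ClaimsIdentity)?.FindFirst(TokenClaimType)?.Value;
        if (token != null) Active.TryRemove(token, out _);
        owin.Authentication.SignOut(CookieAuthenticationDefaults.AuthenticationType);
    }
}
public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        var provider = new CookieAuthenticationProvider();
        provider.OnValidateIdentity = ctx =>
        {
            if (!SessionRegistry.IsValid(ctx.Identity)) ctx.RejectIdentity(); // ticket verified, but session revoked
            return Task.FromResult(0);
        };
        app.UseCookieAuthentication(new CookieAuthenticationOptions { Provider = provider }); // cookie: ".AspNet.Cookies"
    }
}
```

At login, build the ClaimsIdentity, call SessionRegistry.Issue(identity) before Authentication.SignIn(identity); the logout action calls SessionRegistry.Logout(Request.GetOwinContext()) so the token is gone before the Set-Cookie that clears the browser copy.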

1 additional answer

Sort by: Most helpful
  1. SurferOnWww 3,201 Reputation points
    2024-07-17T01:48:55.6833333+00:00

    Even after the user logs out, response is received when requested with same old cookie.

    Is your authentication system different from the ASP.NET Identity? If you use the ASP.NET Identity, the authentication cookie will be deleted during the logout operation and no "same old cookie" will be sent to the web server after logout:

    Logout

    The response header includes the authentication cookie with expires=Thu, 01-Jan-1970 00:00:00:

    [screenshot: logout response headers with the authentication cookie set to expire on 01-Jan-1970]

    Redirect

    When the browser requests the URL shown as the Location in the HTTP 302 response above, the authentication cookie will be deleted by the browser and will not be sent to the server:

    [screenshot: the redirected request, sent without the authentication cookie]
