[security] FormsAuthentication.SignOut() not deleting auth cookie

Question

[security] FormsAuthentication.SignOut() not deleting auth cookie

Labib Mezghanni 1

Hello,

I'm facing an issue with the FomrsAuthentication, after signOut() the AuthCookie still exists even though expired, which causes security breach on all requests.

        FormsAuthentication.SignOut();
        Session.Abandon();
        HttpCookie adAuthCookie = FormsAuthentication.GetAuthCookie(FormsAuthentication.FormsCookieName, false);
        adAuthCookie.Expires = DateTime.Now.AddYears(-1);
        Response.Cookies.Add(adAuthCookie);

I'm using .NET 4.5.1.

AgaveJoe 22,631 Reputation points

2021-09-15T12:59:19.703+00:00

Forms authentication has been around a very long time. It's more likely that you have a logical or design issue.

Is there anyway you can provide a code sample that reproduces this issue?
Labib Mezghanni 1 Reputation point

2021-09-15T13:05:10.2+00:00
Thnak you for your fast reply @AgaveJoe

In fact to reproduce the issue we used burp suite. we just get the request and then logout off the application and resend the request.

In the logout process we have this code

FormsAuthentication.SignOut(); Session.Abandon(); HttpCookie adAuthCookie = FormsAuthentication.GetAuthCookie(FormsAuthentication.FormsCookieName, false); adAuthCookie.Expires = DateTime.Now.AddYears(-1); Response.Cookies.Add(adAuthCookie);
AgaveJoe 22,631 Reputation points

2021-09-15T17:56:46.477+00:00

In fact to reproduce the issue we used burp suite. we just get the request and then logout off the application and resend the request.

These results are expected if I understand the steps to reproduce this test. It sounds like you are sending a valid cookie and token back to the server. In this case, the request should be authorized.

If you want to invalidate a specific user cookie an token then it is up to you to design and write code to handle this new feature. For example create a new guid when the user logs in. store the guid in the cookie and a database table. Compare the two guids on each request. Update the guid stored in the database to a new guid when the user signs out. Now if the same request is sent, the guids will not match.

AgaveJoe 22,631 Reputation points

2021-09-15T12:59:19.703+00:00

Forms authentication has been around a very long time. It's more likely that you have a logical or design issue.

Is there anyway you can provide a code sample that reproduces this issue?
Labib Mezghanni 1 Reputation point

2021-09-15T13:05:10.2+00:00

Thnak you for your fast reply @AgaveJoe

In fact to reproduce the issue we used burp suite. we just get the request and then logout off the application and resend the request.

In the logout process we have this code

FormsAuthentication.SignOut(); Session.Abandon(); HttpCookie adAuthCookie = FormsAuthentication.GetAuthCookie(FormsAuthentication.FormsCookieName, false); adAuthCookie.Expires = DateTime.Now.AddYears(-1); Response.Cookies.Add(adAuthCookie);
AgaveJoe 22,631 Reputation points

2021-09-15T17:56:46.477+00:00

In fact to reproduce the issue we used burp suite. we just get the request and then logout off the application and resend the request.

These results are expected if I understand the steps to reproduce this test. It sounds like you are sending a valid cookie and token back to the server. In this case, the request should be authorized.

If you want to invalidate a specific user cookie an token then it is up to you to design and write code to handle this new feature. For example create a new guid when the user logs in. store the guid in the cookie and a database table. Compare the two guids on each request. Update the guid stored in the database to a new guid when the user signs out. Now if the same request is sent, the guids will not match.

Answer 1

Hi @Labib Mezghanni ,
Maybe you can add clear session cookie and check the configuration of the web.config file.
And how do you configure cookies, can you provide the signin code?
You can refer to the code below:

FormsAuthentication.SignOut();  
Session.Abandon();  
// clear authentication cookie  
HttpCookie cookie1 = new HttpCookie(FormsAuthentication.FormsCookieName, "");  
cookie1.Expires = DateTime.Now.AddYears(-1);  
Response.Cookies.Add(cookie1);  
// clear session cookie   
SessionStateSection sessionStateSection = (SessionStateSection)WebConfigurationManager.GetSection("system.web/sessionState");  
HttpCookie cookie2 = new HttpCookie(sessionStateSection.CookieName, "");  
cookie2.Expires = DateTime.Now.AddYears(-1);  
Response.Cookies.Add(cookie2);  
FormsAuthentication.RedirectToLoginPage();

If the answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our  documentation  to enable e-mail notifications if you want to receive the related email notification for this thread.

Best regards,
Lan Huang

[security] FormsAuthentication.SignOut() not deleting auth cookie

1 answer

Activity