How to mitigate replay attacks for ASP.Net application?

We use Oauth2 authentication with Okta for our Classic ASP.Net MVC website. After the user logs out of the application, he can "replay" an old request with all of the original cookies and still get access to the website. How can I prevent this security hole?
I have successfully developed a custom ITicketStore for my ASP.Net Core websites to solve this problem (similar to https://ml-software.ch/posts/implementing-a-custom-iticketstore-for-asp-net-core-identity), but I cannot find a similar concept to ITicketStore for Classic ASP.Net applications.

It turns out that there is an equivalent to ITicketStore in Owin, which is called IAuthenticationSessionStore. You can find an example at: https://rhastastudio.wordpress.com/2016/07/19/owin-authentication-and-session-store/
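The reason the replayed cookie still works is that, by default, the OWIN cookie middleware puts the whole encrypted ticket inside the cookie, so the server holds no state it could invalidate at sign-out. With `CookieAuthenticationOptions.SessionStore` set, the cookie carries only an opaque key and the ticket lives server-side; signing out of the cookie scheme calls `RemoveAsync` on the store, so a replayed cookie resolves to no ticket. The following is an added example (it is not the code from the linked blog post): an in-memory `IAuthenticationSessionStore`, the Startup wiring, and a logout action. The authentication type name "Cookies", the sixty-minute lifetime and the use of `System.Collections.Concurrent` are assumptions for illustration.

```csharp
using System;
using System.Collections.Concurrent;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Owin;

// Added example: per-process store keyed by a random session id. For a web farm or to
// survive app-pool recycles, back the same four methods with Redis or SQL instead.
public class InMemoryAuthenticationSessionStore : IAuthenticationSessionStore
{
    private readonly ConcurrentDictionary<string, AuthenticationTicket> _tickets =
        new ConcurrentDictionary<string, AuthenticationTicket>();

    public Task<string> StoreAsync(AuthenticationTicket ticket)
    {
        // Opaque, unguessable key; the cookie carries only this key, never the claims.
        var key = Guid.NewGuid().ToString("N");
        _tickets[key] = ticket;
        return Task.FromResult(key);
    }

    public Task RenewAsync(string key, AuthenticationTicket ticket)
    {
        // Called on sliding-expiration refresh; overwrite the stored ticket in place.
        _tickets[key] = ticket;
        return Task.FromResult(0);
    }

    public Task<AuthenticationTicket> RetrieveAsync(string key)
    {
        AuthenticationTicket ticket;
        if (!_tickets.TryGetValue(key, out ticket))
            return Task.FromResult<AuthenticationTicket>(null); // removed or unknown: anonymous

        // The middleware also rejects expired tickets; dropping them here keeps the
        // dictionary from growing without bound.
        if (ticket.Properties.ExpiresUtc.HasValue &&
            ticket.Properties.ExpiresUtc.Value <= DateTimeOffset.UtcNow)
        {
            _tickets.TryRemove(key, out ticket);
            return Task.FromResult<AuthenticationTicket>(null);
        }
        return Task.FromResult(ticket);
    }

    public Task RemoveAsync(string key)
    {
        // Invoked by the cookie middleware when SignOut targets this scheme.
        AuthenticationTicket ignored;
        _tickets.TryRemove(key, out ignored);
        return Task.FromResult(0);
    }
}

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = "Cookies",   // assumed name; must match SignIn/SignOut below
            SessionStore = new InMemoryAuthenticationSessionStore(),
            ExpireTimeSpan = TimeSpan.FromMinutes(60),
            SlidingExpiration = true
        });
        // app.UseOpenIdConnectAuthentication(...) for Okta is registered after this, with
        // SignInAsAuthenticationType = "Cookies" so the OIDC result lands in this store.
    }
}

public class AccountController : Controller
{
    public ActionResult Logout()
    {
        // Signing out of the cookie scheme (not only the OIDC scheme) is what fires
        // SessionStore.RemoveAsync; after this, replaying the old cookie yields no ticket.
        Request.GetOwinContext().Authentication.SignOut("Cookies");
        return RedirectToAction("Index", "Home");
    }
}
```

Two checks worth making after wiring this in: capture a cookie before logout, log out, and replay the request with the captured cookie (it should now be redirected to login); and confirm the logout action passes the cookie authentication type to `SignOut`, because signing out only of the OpenID Connect scheme never reaches the session store.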

Related

MFA Provider for ASP .NET Web Forms with Forms Authentication

I'm looking for a good MFA provider to be incorporated to a legacy Web Forms application that uses Forms Authentication for security. It seems most of the MFA providers I see (such as Authy) are built around ASP .NET Identity. I'm trying to look for a solution that doesn't scratch the legacy application much... migrating the legacy application to ASP .NET Identity will be a nightmare. I've tried looking into Authy, Auth0, PingID and Okta and they all seem to be overkill for our use case. I'm trying to find an MFA provider that can work alongside Forms Authentication.
I use https://www.twilio.com/ for my MFA. I am only using the SMS functionality though, so essentially you need to hook up their sms code with your form authentication process. The only difference is that you don't have the identity component (which I highly suggest that you implement). Check out the C# code here for more info on the SMS API procedure: https://www.twilio.com/docs/sms/quickstart/csharp-dotnet-framework.
I understand that the following is for MVC, but you can convert the code to Web Forms as well: https://www.twilio.com/docs/sms/tutorials/two-factor-authentication-csharp-mvc.
The above example also uses the identity framework, but just take a look at the implementation of using SMS and you can migrate the concept into your web form.
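Added example of the approach the answer above describes (it is not the Twilio tutorial's code): the password check passes first, the login is parked server-side while an SMS code is sent, and `FormsAuthentication.SetAuthCookie` is called only once the code verifies. The session key name, the five-minute code lifetime, the five-attempt limit, the `PendingMfaLogin` class and the appSettings keys are assumptions for illustration; the Twilio calls follow the `MessageResource.Create` shape from the quickstart linked above.

```csharp
using System;
using System.Configuration;
using System.Security.Cryptography;
using System.Web;
using System.Web.Security;
using Twilio;
using Twilio.Rest.Api.V2010.Account;
using Twilio.Types;

// Added example: record of a login that passed the password check but not yet the SMS code.
public class PendingMfaLogin
{
    public string UserName;
    public string Code;           // six-digit code sent by SMS
    public DateTime ExpiresUtc;   // assumed five-minute lifetime
    public int Attempts;          // assumed limit of five wrong guesses
}

public static class SmsMfa
{
    private const string PendingKey = "PendingMfaLogin";   // assumed session key
    private const int MaxAttempts = 5;

    // Step 1: call after Membership.ValidateUser (or your own check) succeeds. The forms
    // cookie is deliberately NOT issued here.
    public static void BeginSecondFactor(HttpSessionStateBase session, string userName, string phoneE164)
    {
        var code = GenerateCode();
        session[PendingKey] = new PendingMfaLogin
        {
            UserName = userName, Code = code,
            ExpiresUtc = DateTime.UtcNow.AddMinutes(5), Attempts = 0
        };

        // Credentials come from configuration (assumed appSettings keys), never from source.
        TwilioClient.Init(ConfigurationManager.AppSettings["Twilio:AccountSid"],
                          ConfigurationManager.AppSettings["Twilio:AuthToken"]);
        MessageResource.Create(
            to: new PhoneNumber(phoneE164),
            from: new PhoneNumber(ConfigurationManager.AppSettings["Twilio:From"]),
            body: "Your login code is " + code);
    }

    // Step 2: user submits the code. Only on success does Forms Authentication issue a ticket.
    public static bool CompleteSecondFactor(HttpSessionStateBase session, string submittedCode)
    {
        var pending = session[PendingKey] as PendingMfaLogin;
        if (pending == null) return false;

        if (DateTime.UtcNow > pending.ExpiresUtc || ++pending.Attempts > MaxAttempts)
        {
            session.Remove(PendingKey);   // expired or brute-forced: force a fresh login
            return false;
        }
        if (!FixedTimeEquals(pending.Code, submittedCode ?? string.Empty)) return false;

        session.Remove(PendingKey);       // single use
        FormsAuthentication.SetAuthCookie(pending.UserName, createPersistentCookie: false);
        return true;
    }

    // Six digits from a CSPRNG with rejection sampling so every code is equally likely.
    private static string GenerateCode()
    {
        var bytes = new byte[4];
        uint value;
        using (var rng = new RNGCryptoServiceProvider())
        {
            do
            {
                rng.GetBytes(bytes);
                value = BitConverter.ToUInt32(bytes, 0);
            } while (value >= 4294000000u);   // largest multiple of 1,000,000 below 2^32
        }
        return (value % 1000000u).ToString("D6");
    }

    // Constant-time comparison so response timing does not reveal how many digits matched.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

The important property is the ordering: nothing calls `SetAuthCookie` until the SMS code verifies, so a correct password alone never yields a forms ticket, and the pending state is bounded by both a short expiry and an attempt counter so the six-digit code cannot be brute-forced.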

Single signon and ADFS3.0

I have been tasked to set up single sign-on for an ASP.NET application (SaaS) using an IIS server with a client who has ADFS 3.0 for providing identity credentials. The authenticated users will be allowed to log in to the web application, but I have been going through a lot of information on how to set up the service provider files, as the application is already running.
What settings do I need to configure, and where? Any help will be greatly appreciated.
The "modern" way to do this is by using OWIN.
You will have to change your application as per "Use the OWIN Security Components in ASP.NET to Implement Web Sign On with ADFS".
Then add your RP to ADFS and you are good to go.
For completeness, the "old" way to do this is to use WIF as in "How To: Build Claims-Aware ASP.NET MVC Web Application Using WIF".

Authentication and authorization - new to security

I need to develop a web application that will be used to authenticate and authorize internal and external users to log in and then re-route them to the organization's web applications. The login application should provide smooth integration with any future applications that need secured authentication.
Should I be using WIF (claims-based identity/ADFS) or the ASP.NET role/membership provider to develop this app? Or is there any other approach which will help achieve this?
I've been working on an asp.net site with WIF for several months now. I like that WIF is very flexible, but the documentation is poor. Check out the discussions on SO about WIF.

Single sign-on between ASP.NET and SharePoint Portal

I need to implement SSO between a custom ASP.NET application and a SharePoint site. The ASP.NET application has custom authentication and SharePoint has Windows authentication. I have already read about using forms authentication in both applications, but I cannot use forms authentication in SharePoint.
Is this possible? Any tips and tricks?
Zorro,
Sharing a Forms Based Authentication (FBA) authorization cookie would be one of the cheaper and easier routes to investigate/implement, but you've indicated that FBA isn't an option for you. That said ...
... without knowing more about the custom authentication mechanism you have in place on your ASP.NET application, it's very difficult to offer a good suggestion. CptSkippy's question (regarding reconciliation) is a good one, as that becomes the basis for what's feasible and what isn't. If your app and site don't share a common user base, then SSO becomes a real challenge.
I don't know how feasible it is for you and your situation, but Microsoft's ISA 2006 server does an admirable job when used in an SSO role. It supports a wide variety of publishing and authentication mechanisms, and it plays quite nicely with SharePoint leveraging both NTLM and Kerberos authentication:
http://technet.microsoft.com/en-us/library/bb794722.aspx
The big question, again, is your custom ASP.NET application. If you've got some flexibility there, ISA may be an option.
For what it's worth!
Have you checked Microsoft Single Sign-On Service?

Asp.Net MVC - Mixed Auth Mode

I'm looking for the most reliable way to use both Windows and forms-based auth in ASP.NET MVC 2. I know how to do it in WebForms, but because I cannot adjust the permissions (in IIS) on a per-file basis in MVC, I'm struggling to transfer the concept.
Any suggestions? Links?
There are the following posts:
http://aspadvice.com/blogs/rjdudley/archive/2005/03/10/2562.aspx
http://aspadvice.com/blogs/rjdudley/archive/2005/03/10/2561.aspx
http://msdn.microsoft.com/en-us/library/ms972958.aspx
All describe it for classic ASP.NET, but the concept should be transferable to MVC.
I implemented this using mvc and a custom membership provider.
The whole application is running under the ASP.NET anonymous account. That means that your files must be accessible to this account; on my machine I had to give read access to this IIS account.