asp.net mvc3 authentication - asp.net

Is there any solution for redirecting the user to the login page when the cookie expires?
I create a FormsAuthenticationTicket and cookie. Expiration is set to 10 minutes.
When the expiration is over, and the user doesn't make any request for 20 minutes, and after that
clicks on some link, he would be redirected to the login page and log in again.
I have an HttpModule in an assembly, which is referenced in the web project.
In this module I have a PreRequestHandlerExecute() event,
where I check on every request if the user is authenticated and refresh the timeout for the cookie.
But if the user is not authenticated, he would be redirected to the login page.
Is there any solution for this? I know about AuthorizeAttribute, but is there any other way to do this?
Thanks

Once the user's cookie has expired it won't be sent in the request, so you have no way of knowing who is a new user and who is a user whose cookie has expired, because neither user will send a cookie with their page request.
One workaround is to set the cookie to 10 minutes but use the Meta Refresh tag to redirect to the login page after 9 minutes 50 seconds. Note: the login page would need to log the user out too; otherwise it would refresh the session again.

Related

Fix Session Fixation flaw in ASP.Net

A hybrid webforms/mvc asp.net application using .Net Framework 4.7 has been tagged with the "Session Fixation" vulnerability in a Veracode dynamic scan. What this means is that Veracode gets the login page, alters the SessionId cookie (ASP.NET_SessionId), and then posts with a valid userid and password to do the login. ASP.Net logs in the user, but takes this altered SessionId cookie and continues to use it; that behavior of using that injected SessionId value is the flaw.
In other words, when Veracode gets the page the SessionId cookie might be "abc123". Veracode changes that cookie to "def456" and posts back. ASP.Net logs in the user and uses "def456" as the SessionId henceforth.
Per Veracode I must invalidate the ASP.Net_SessionID cookie created prior to a successful login. This is easy to do of course, I can simply reset the ASP.NET_SessionId cookie when the user successfully logs in. The problem is, this causes the user to be redirected right back to the login page. So what happens is this:
User submits the login page.
Server-side, if the login is successful, I reset the ASP.NET_SessionId to some new value (by calling SessionIDManager.SaveSessionID(), which in turn simply resets the ASP.Net_SessionID cookie).
The user is redirected to the application home page, and then immediately redirected back to the login page.
The application uses forms authentication, with a webforms login page. The login page uses the asp.net Login control. In the "OnAuthenticate" event of this control I have code like this:
protected void Login1_Authenticate(object sender, AuthenticateEventArgs e)
{
    // Membership.ValidateUser (was misspelled "Validateuser" in the original post)
    bool b = Membership.ValidateUser(Login1.UserName, Login1.Password);
    if (b)
    {
        e.Authenticated = true;
        // Replace the session ID that arrived with the login request
        SessionIDManager mgr = new SessionIDManager();
        string newId = mgr.CreateSessionID(Context);
        mgr.SaveSessionID(Context, newId, out bool redirected, out bool cookieAdded);
    }
}
This runs without error. ASP.net redirects the user to the application home page. But then asp.net immediately redirects the user from the application home page back to the login page.
Is there any way to alter that SessionId cookie so that
Veracode's injected SessionId cookie value is abandoned.
The user stays authenticated and is not simply redirected back to the login page.
I've attempted running the code that alters the SessionId in various page events (PreInit, Load, etc.) and all of them have the same result: the user is redirected back to the login page.
Please do not mark this question as already answered. There are several answers to this question on SO, all of which advise re-setting the SessionId cookie as I do above, and all of which have comments pointing out that this does not actually work.
After considerable back-and-forth the final reply from a Veracode consultant was the following, basically saying "don't worry about it." This is the reply from Veracode:
I also looked further into the dynamic findings from your application. The session ID that we are finding session fixation on, is not the ID you are using for authentication, and so the risk for your application is low. An attacker would not be able to gain access to an authenticated session of a user by controlling just the ASP.NET_SessionId cookie. By protecting the .ssoIIMAuth cookie your application is already preventing this sort of attack.

Submit POST data when user logged in using forms authentication

I have an asp.net application that uses forms authentication to control access. Let's imagine we have file page.aspx with a form in it. When I press search (the submit button in the form), then POST data is sent to that script and I get search results. However, if the user logged out, then pressed the back button in the browser and then pressed search, the user is redirected to the login page. After login, I get that page, but no POST data is sent to that page. Is there any easy way to fix that!
POST data cannot be sent when redirecting with an HTTP redirect response.
So you have to change the flow of the application to detect that the user is logged out earlier:
Check login status with an ajax request before submitting the form
Store submitted data in a cookie to recreate the POST after logging in
Store submitted data in session before redirecting to the login page
The forms authentication cookie is not the session cookie so if you still have your user session you might be able to store the search parameters in your user session and reload them after login.

Keep Session in Sync with FormsAuthentication

When a user logs in through my login page, I authenticate them using FormsAuthentication, and set some Sessions that holds user specific info, like UserID and RoleID. I set site content based on these values.
The problem is when the session expires and the user is still signed in - things are messed up, because the session is null but the user is still signed in.
How can I keep them in sync with each other, so the session only expires if they're signed out, or vice versa?
Thank you.
When the session has ended (Session_OnEnd) in global.asax, you can kill the forms authentication cookie. Doing so will redirect the user to the default page (or login page depending on how you set it up) upon any subsequent requests. You should also kill the authentication cookie when user has manually logged out - same effect.
To kill the authentication cookie:
FormsAuthentication.SignOut();

ASP.NET Persist POST data through login redirect

I have a site (SiteA) using ASP.NET membership. One thing that it must do is allow the end user at a separate site (SiteB) to launch a new browser window to a page at SiteA with POST data attached to prefill the page.
If the user is logged into SiteA, then the launch from SiteB works and the page is prefilled. However, if the user is not logged in, SiteA's authentication redirects to the login page first. After logging in the user is redirected to the final page, but the POST data is lost and the form is not prefilled.
How can I persist the POST data to the final page?
Sounds like a job for the Cookie Monster. Either set a cookie or a session state var.
Cookies
Where I learned cookies
Session state variables
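The two questions above ("Submit POST data when user logged in using forms authentication" and "ASP.NET Persist POST data through login redirect") both come down to the same flow: a POST arrives while the user is logged out, the login redirect is a GET, and the form fields are lost. The following is an added example, not code from either question or answer, of the "store the submitted data in session before redirecting to the login page" option. It relies on the point made above that the session cookie is separate from the forms authentication cookie, so the session survives the trip through the login page. It assumes the target page is reachable anonymously (a `<location>` allow rule in web.config) so that this code, rather than the authorization module, handles the logged-out request; the session key prefix, the `txtQuery` control and the `RunSearch` routine are assumed names.

```csharp
using System;
using System.Collections.Specialized;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

// Added example (not from the questions or answers above): stash the fields of a
// POST that arrived while logged out, redirect to the login page, and replay the
// fields on the GET that RedirectFromLoginPage issues afterwards.
public static class PostReplay
{
    private const string SessionKey = "PendingPost:";   // assumed session key prefix

    // Call at the top of Page_Load. Returns true when the request has been
    // redirected to the login page and the page should stop processing.
    public static bool StashIfLoggedOut(Page page)
    {
        HttpContext ctx = page.Context;
        if (ctx.Request.IsAuthenticated) return false;

        if (ctx.Request.HttpMethod == "POST" && ctx.Session != null)
        {
            // Copy the read-only Form collection; page-lifecycle fields are
            // regenerated by the next render and must not be replayed.
            var copy = new NameValueCollection(ctx.Request.Form);
            copy.Remove("__VIEWSTATE");
            copy.Remove("__VIEWSTATEGENERATOR");
            copy.Remove("__EVENTVALIDATION");
            ctx.Session[SessionKey + ctx.Request.Path] = copy;
        }

        FormsAuthentication.RedirectToLoginPage();      // appends ReturnUrl=<this page>
        ctx.ApplicationInstance.CompleteRequest();
        return true;
    }

    // Call on the GET that follows login. Returns the stashed fields once and
    // removes them, so a later visit does not replay a stale search.
    public static NameValueCollection TakeStashed(Page page)
    {
        HttpContext ctx = page.Context;
        if (ctx.Session == null) return null;
        string key = SessionKey + ctx.Request.Path;
        var saved = ctx.Session[key] as NameValueCollection;
        if (saved != null) ctx.Session.Remove(key);
        return saved;
    }
}

// Usage from the search page's code-behind (assumed page and control names).
public partial class SearchPage : Page
{
    protected TextBox txtQuery;   // normally declared in the designer file

    protected void Page_Load(object sender, EventArgs e)
    {
        if (PostReplay.StashIfLoggedOut(this)) return;

        if (!IsPostBack)
        {
            NameValueCollection saved = PostReplay.TakeStashed(this);
            if (saved != null)
            {
                txtQuery.Text = saved["txtQuery"];
                RunSearch(txtQuery.Text);   // assumed: the page's own search routine
            }
        }
    }

    private void RunSearch(string query) { /* assumed search implementation */ }
}
```

The cookie alternative listed above works the same way with `Response.Cookies` in place of `Session`, but a cookie carries the submitted fields back to the client on every request and is limited to a few kilobytes, so the session version is the one shown.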

ASP.Net Session Not Invalidated After Logout

I have an ASP.Net application; in my login page I call
FormsAuthentication.SignOut();
Session.Abandon();
Session.Clear();
However, AppScan takes the ASPXAUTH cookie value and then, after logout, is able to re-inject the cookie value to gain access to protected pages.
Microsoft has acknowledged a problem but only offers advice, not a fix - http://support.microsoft.com/kb/900111
Can someone provide examples of how to fix this issue?
One option is to have a UserSession table and insert a record into this table when the user logs in. When you logout either delete the entry or mark it invalid. On the secure pages, verify that a UserSession exists for the logged in user and redirect to a login page if it does not.
Set a session value on login, clear it on logout and check it on each access to a secure page. The session value is not sent to the client and as such the client/attacker cannot manipulate it.
Walkthrough without the session value cleared on exit:
user visits login page - generates viewstate
man-in-the-middle hacker collects viewstate
user submits login form - generates auth cookies
man-in-the-middle hacker collects auth cookies
user logs out - server clears the user's cookies
man-in-the-middle hacker continues to use previous credentials completely unhindered
game over
Walkthrough with the session value cleared on exit:
user visits login page - generates viewstate
man-in-the-middle hacker collects viewstate
user submits login form - generates auth cookies
man-in-the-middle hacker collects auth cookies
user logs out - server clears the user's cookies and sets its internal session flag value to null
man-in-the-middle hacker continues to use previous credentials, but because the session he is working with now has the value null, the server redirects to the login page.
win!
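The per-request check described in the answer above, the HttpModule approach from the first question on this page, and the "Keep Session in Sync with FormsAuthentication" question all need the same mechanism: a server-side value that the forms authentication ticket is tied to, checked on every request. The following is an added example, not code from any of the questions or answers, showing one way to do that. A random token is generated at login, kept in Session and placed in the ticket's UserData; an HttpModule compares the two in PreRequestHandlerExecute (the first event where Session is available). A re-injected ticket after logout, or a ticket that has outlived its session, fails the comparison and is treated as logged out. The class names, the session key name and the module registration are assumptions; the `.ssoIIMAuth` and `ASP.NET_SessionId` details from the session fixation question are not used here.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.Security;

// Added example (not from the questions or answers above): bind the forms
// authentication ticket to a per-login token held server-side in Session.
public static class SessionBoundAuth
{
    private const string TokenKey = "AuthToken";   // assumed session key name

    // Call on successful login in place of RedirectFromLoginPage/SetAuthCookie.
    public static void SignIn(HttpContext ctx, string userName, int ticketMinutes)
    {
        byte[] raw = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) { rng.GetBytes(raw); }
        string token = Convert.ToBase64String(raw);
        ctx.Session[TokenKey] = token;   // never leaves the server

        var ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.AddMinutes(ticketMinutes),
            false, token, FormsAuthentication.FormsCookiePath);
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,
            Secure = FormsAuthentication.RequireSSL,
            Path = FormsAuthentication.FormsCookiePath
        };
        ctx.Response.Cookies.Add(cookie);
    }

    // Call from the logout handler. Removing the server-side token is what makes
    // a captured and re-injected auth cookie useless afterwards.
    public static void SignOut(HttpContext ctx)
    {
        ctx.Session.Remove(TokenKey);
        ctx.Session.Abandon();
        FormsAuthentication.SignOut();
    }

    // True only when the ticket carries the token currently stored in Session.
    public static bool IsTicketBoundToSession(HttpContext ctx)
    {
        var identity = ctx.User?.Identity as FormsIdentity;
        if (identity == null || ctx.Session == null) return false;
        string expected = ctx.Session[TokenKey] as string;
        if (string.IsNullOrEmpty(expected)) return false;   // session expired or abandoned

        // Constant-time comparison so token prefixes cannot be probed by timing.
        byte[] a = Encoding.UTF8.GetBytes(expected);
        byte[] b = Encoding.UTF8.GetBytes(identity.Ticket.UserData ?? string.Empty);
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

// Register under <system.webServer><modules> in web.config (assumed module name).
public class SessionBoundAuthModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // PreRequestHandlerExecute runs after AcquireRequestState, so Session is populated
        // for handlers that use session state.
        app.PreRequestHandlerExecute += (sender, e) =>
        {
            HttpContext ctx = ((HttpApplication)sender).Context;
            if (!ctx.Request.IsAuthenticated) return;   // anonymous request: nothing to bind
            if (ctx.Session == null) return;            // handler without session state
            if (SessionBoundAuth.IsTicketBoundToSession(ctx)) return;

            // Ticket present but not backed by this session: treat it as logged out.
            FormsAuthentication.SignOut();
            ctx.Session.Abandon();
            FormsAuthentication.RedirectToLoginPage();
            ctx.ApplicationInstance.CompleteRequest();
        };
    }

    public void Dispose() { }
}
```

Because `SignOut` clears the auth cookie before redirecting, the next request to the login page arrives anonymous and the module does not redirect again, so there is no loop. The same check also covers the session-expiry case from "Keep Session in Sync": when the session times out while the ticket is still valid, `Session[TokenKey]` is null and the user is sent to the login page instead of seeing a half-initialised page.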
