Clear cookies ASP.NET Core, how to secure endpoint against brute force attack


I'm using .NET Core 2.2 for an MVC application. For authentication we have used LDAP. Also, I'm using Microsoft Identity Server. Now we have performed security testing. An attacker can run a brute-force attack using cookies, because the cookies are still valid even after the user has logged out of the application. Here is the piece of code:

await _userManager.UpdateSecurityStampAsync(user);
await _signInManager.SignOutAsync();

Scenario that we tried: we copied the cookies and logged out of the application. Then in the browser we hit https://localhost:44339/users, intercepted the request with the old cookies, and I was able to view the list of users without logging into the application. We also tried to clear the cookies on logout, using the below piece of code:

HttpContext.Response.Cookies.Delete("Identity");

But this solution is not working to clear the cookies, because UpdateSecurityStampAsync updates the timestamp in the AspNetUsers table, and we are not using that. We updated the timestamp in another application and that is working, because in that application we are using Identity Server authentication. Here is the startup code for cookies:

services.ConfigureApplicationCookie(options =>
{
    options.Cookie.Name = "Identity";
    options.Cookie.HttpOnly = true;
    options.Cookie.MaxAge = TimeSpan.FromMinutes(sessionMinutes);
    options.Cookie.Expiration = TimeSpan.FromMinutes(sessionMinutes);
    options.Cookie.IsEssential = true;
    options.Cookie.SameSite = Microsoft.AspNetCore.Http.SameSiteMode.Lax;
    options.Cookie.SecurePolicy = Microsoft.AspNetCore.Http.CookieSecurePolicy.SameAsRequest;
    options.LoginPath = "/account/signin";
    options.LogoutPath = "/account/signout";
    options.AccessDeniedPath = "/account/forbidden";
    options.SlidingExpiration = false;
    options.ReturnUrlParameter = "returnurl";
});

Please share the solution.

Added the below code in startup:

services.ConfigureApplicationCookie(options =>
{
    options.Cookie.Name = "Identity";
    options.Cookie.HttpOnly = true;
    options.Cookie.MaxAge = TimeSpan.FromMinutes(sessionMinutes);
    options.Cookie.Expiration = TimeSpan.FromMinutes(sessionMinutes);
    options.Cookie.IsEssential = true;
    options.Cookie.SameSite = Microsoft.AspNetCore.Http.SameSiteMode.Lax;
    options.Cookie.SecurePolicy = Microsoft.AspNetCore.Http.CookieSecurePolicy.SameAsRequest;
    options.LoginPath = "/account/signin";
    options.LogoutPath = "/account/signout";
    options.AccessDeniedPath = "/account/forbidden";
    options.SlidingExpiration = false;
    options.ReturnUrlParameter = "returnurl";
});

and also added the below code on logging out of the application:

await _userManager.UpdateSecurityStampAsync(user);
await _signInManager.SignOutAsync();
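One way to make a copied cookie stop working after logout, as an added example that is not code from the question or from ASP.NET Core Identity itself: record each user's logout time server-side and, on every request, reject any cookie ticket that was issued before that time. It assumes a hypothetical `LogoutMarkerStore` backed by `IDistributedCache`, that the signed-in principal carries a `ClaimTypes.NameIdentifier` claim (Identity adds one by default), and the `sessionMinutes` value from the question's startup code.

```csharp
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Caching.Distributed;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical store: remembers when each user last logged out, kept for the cookie lifetime.
public class LogoutMarkerStore
{
    private readonly IDistributedCache _cache;
    public LogoutMarkerStore(IDistributedCache cache) => _cache = cache;
    public Task MarkLoggedOutAsync(string userId, DateTimeOffset at, TimeSpan keepFor) =>
        _cache.SetStringAsync("logout:" + userId, at.UtcTicks.ToString(),
            new DistributedCacheEntryOptions { AbsoluteExpirationRelativeToNow = keepFor });
    public async Task<DateTimeOffset?> GetLoggedOutAtAsync(string userId)
    {
        var ticks = await _cache.GetStringAsync("logout:" + userId);
        return ticks == null ? (DateTimeOffset?)null : new DateTimeOffset(long.Parse(ticks), TimeSpan.Zero);
    }
}

// Startup.ConfigureServices: keep the question's cookie options and add a per-request check.
// Assigning OnValidatePrincipal replaces Identity's SecurityStampValidator hook, which the question says is not in use.
services.AddDistributedMemoryCache();   // single server; use a Redis/SQL cache for a web farm
services.AddSingleton<LogoutMarkerStore>();
services.ConfigureApplicationCookie(options =>
{
    options.Events.OnValidatePrincipal = async context =>
    {
        var userId = context.Principal?.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        var store = context.HttpContext.RequestServices.GetRequiredService<LogoutMarkerStore>();
        var loggedOutAt = userId == null ? null : await store.GetLoggedOutAtAsync(userId);
        // A ticket issued before the user's last logout is a replayed cookie: reject it and clear it.
        if (userId == null || (loggedOutAt != null && context.Properties.IssuedUtc <= loggedOutAt))
        {
            context.RejectPrincipal();
            await context.HttpContext.SignOutAsync(IdentityConstants.ApplicationScheme);
        }
    };
});

// AccountController logout action: record the logout time first, then sign out.
public async Task<IActionResult> SignOut([FromServices] LogoutMarkerStore store)
{
    var userId = User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
    if (userId != null) await store.MarkLoggedOutAsync(userId, DateTimeOffset.UtcNow, TimeSpan.FromMinutes(sessionMinutes));
    await _signInManager.SignOutAsync();
    return Redirect("/account/signin");
}
```

Because the marker is compared against the ticket's `IssuedUtc`, only cookies issued before the logout are rejected, so a fresh login afterwards works normally.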

There are 0 answers