During a penetration test of our application, an ASP.NET MVC 5 (.NET Framework 4.7.2) web application, a security issue was found. I'm trying to find a way to solve that issue.
This issue is about the built-in FormsAuthentication, which we use, and the default behaviour of its Sliding Expiration option. We currently have Sliding Expiration enabled and would like to keep it that way.
The issue is that the AuthenticationTicket gets renewed on the next request once 50% of the time configured via the 'Timeout' option has already passed. See the Microsoft reference: https://learn.microsoft.com/en-us/dotnet/api/system.web.configuration.formsauthenticationconfiguration.slidingexpiration?view=netframework-4.8.1#system-web-configuration-formsauthenticationconfiguration-slidingexpiration
That means a new AuthenticationTicket is generated and sent back to the client via the Set-Cookie header. However, the old AuthenticationTicket is still valid and can still be used for requests to the server. This means there is more than one valid AuthenticationTicket. If you continue to make requests with the old AuthenticationTicket, you get a newly created AuthenticationTicket on every response.
If that happens, a single user has multiple valid AuthenticationTickets and you can't tell which of them should be valid and which not, which is a security risk from the perspective of the penetration testing company.
My idea to solve that was to find a way to react when that new AuthenticationTicket gets created by ASP.NET and store it on the server side. This means the user can always have just one valid ticket and we could resolve that issue.
But apparently there is no way of reacting to that. The only event related to that I found is the FormsAuthentication_OnAuthenticate event, which is not helpful for this issue.
There is also the FormsAuthentication.RenewTicket method, which can be used and is actually used internally by the FormsAuthenticationModule. This method checks if the ticket needs to be renewed (> 50% of the timeout exceeded) and renews it if necessary. But in the FormsAuthenticationModule there is, in addition to that method call, a lot of custom code, which I don't like to copy & paste into a custom solution, because I'm not the owner of the code and therefore don't know exactly what it is supposed to do. Source code of the FormsAuthenticationModule: https://referencesource.microsoft.com/#system.web/Security/FormsAuthenticationModule.cs
So, I also looked into the C# source code of the FormsAuthentication and FormsAuthenticationModule to find a way, as just described, but apparently the implementation is really closed and not open for reaction on that.
I'm looking for any recommendations or tips on how that could be handled. Thanks in advance!
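As an added illustration of the server-side tracking idea described in the question (example code written for this page, not from the question's author, Microsoft, or any project), the following IHttpModule keeps only the most recently issued forms ticket per user valid. It assumes what the linked reference source shows: that FormsAuthenticationModule validates the ticket in AuthenticateRequest and, when sliding renewal happens, writes the renewed cookie into Response.Cookies on that same request. The module therefore hooks PostAuthenticateRequest, records the IssueDate of the ticket in use, detects a renewed cookie in the response, and rejects any later request presenting a ticket with an older IssueDate. The class name SingleTicketModule, the in-memory dictionary and the rejection behaviour are all hypothetical choices for the example.

```csharp
using System;
using System.Collections.Concurrent;
using System.Web;
using System.Web.Security;

namespace MyApp.Security
{
    // Hypothetical module (added example): allows only the newest forms ticket per user.
    // Requires registration in web.config under <system.webServer><modules>.
    public class SingleTicketModule : IHttpModule
    {
        // IssueDate of the latest ticket accepted for each user name.
        // In-process only: a web farm would need a shared store (database, distributed cache).
        private static readonly ConcurrentDictionary<string, DateTime> LatestIssue =
            new ConcurrentDictionary<string, DateTime>(StringComparer.OrdinalIgnoreCase);

        public void Init(HttpApplication app)
        {
            // Runs after FormsAuthenticationModule has validated (and possibly renewed) the ticket.
            app.PostAuthenticateRequest += OnPostAuthenticateRequest;
        }

        public void Dispose() { }

        // Call this from the logout action after FormsAuthentication.SignOut()
        // so a later login starts from a clean state.
        public static void Forget(string userName)
        {
            DateTime ignored;
            LatestIssue.TryRemove(userName, out ignored);
        }

        private static void OnPostAuthenticateRequest(object sender, EventArgs e)
        {
            var app = (HttpApplication)sender;
            HttpContext context = app.Context;
            var identity = context.User?.Identity as FormsIdentity;
            if (identity == null) return; // anonymous request, nothing to track

            FormsAuthenticationTicket presented = identity.Ticket;

            // 1. A ticket older than the latest one recorded for this user is stale: reject it.
            DateTime latest;
            if (LatestIssue.TryGetValue(presented.Name, out latest) && presented.IssueDate < latest)
            {
                Reject(app, context);
                return;
            }

            // 2. If FormsAuthenticationModule just renewed the ticket, the new cookie is already
            //    in Response.Cookies. Check AllKeys first: the indexer would create an empty cookie.
            string cookieName = FormsAuthentication.FormsCookieName;
            if (Array.IndexOf(context.Response.Cookies.AllKeys, cookieName) >= 0)
            {
                FormsAuthenticationTicket renewed = TryDecrypt(context.Response.Cookies[cookieName].Value);
                if (renewed != null && string.Equals(renewed.Name, presented.Name, StringComparison.OrdinalIgnoreCase))
                {
                    // From now on only the renewed ticket (newer IssueDate) is accepted.
                    LatestIssue[renewed.Name] = renewed.IssueDate;
                    return;
                }
            }

            // 3. Otherwise remember this ticket's IssueDate, never moving the watermark backwards.
            LatestIssue.AddOrUpdate(presented.Name, presented.IssueDate,
                (_, existing) => presented.IssueDate > existing ? presented.IssueDate : existing);
        }

        private static FormsAuthenticationTicket TryDecrypt(string encrypted)
        {
            if (string.IsNullOrEmpty(encrypted)) return null;
            try { return FormsAuthentication.Decrypt(encrypted); }
            catch (Exception) { return null; } // malformed or tampered cookie: treat as absent
        }

        private static void Reject(HttpApplication app, HttpContext context)
        {
            // Clear the stale cookie, drop the principal, and send the client to the login page
            // without ending the response abruptly (CompleteRequest skips the remaining pipeline).
            FormsAuthentication.SignOut();
            context.User = null;
            context.Response.Redirect(FormsAuthentication.LoginUrl, false);
            app.CompleteRequest();
        }
    }
}
```

Two caveats worth testing before relying on this: the old ticket becomes invalid the moment a renewed one is issued, so parallel requests already in flight with the old cookie (for example several AJAX calls started together) will be rejected, which a client must tolerate by re-authenticating; and because the watermark lives in process memory, it resets on application restart and is not shared across servers, so a farm needs a shared store and a cache with an expiry no shorter than the forms timeout.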