
Asp.Net forms authentication replay attack


We are getting hit with a scenario where a user logs off and a previous good session cookie (including the sliding time window) is replayed, and our code jumps right to the requested page as the user. We are not maintaining session state on the server. This is Asp.Net forms authentication.

I was thinking that the only solution to this is to add columns to the server to track a user's login status. Not real hard, but it requires code, DB, and deployment to accomplish.

Is this the best way to handle this? Since we will have to crack into code anyway, we could add client request IPs and other stuff to the cookie. But the current spoof is to reuse the client's machine as well as the session.

Any thoughts?

Thanks in advance

bille

JavaScript code that checks for inactivity -> logout

$j(document).ready(function () {

    /******************************************************************
    Auto-logout after the user's session times out.
    Requires jQuery (aliased as $j) and the jQuery Timers plugin
    (stopTime / oneTime). _TIMEOUT is the server-side session timeout
    in minutes, set by the page.
    ******************************************************************/

    // Show the warning 5 minutes before the server session expires.
    // Guard against short timeouts so the delay never goes negative.
    var warnSeconds = Math.max(_TIMEOUT - 5, 0) * 60;

    // Named armTimeout rather than setTimeout so it does not shadow
    // window.setTimeout.
    var armTimeout = function () {
        $j(".session-timeout").stopTime().oneTime(warnSeconds + "s", function () {
            $j(this).show();
            // If the user does not refresh within the last 5 minutes,
            // follow the logout link.
            $j(this).oneTime("300s", function () {
                window.location = $j(this).find("a.logout").attr("href");
            });
        });
    };

    $j(".session-timeout a.refresh-session").click(function () {
        NextGen.CHS.UtilitiesWebService.RefreshSession(
            function () {
                // Success: the server session was extended, restart the timer.
                $j(".session-timeout").fadeOut();
                armTimeout();
            },
            function () {
                // Failure: leave the warning up so the pending logout still fires.
            }
        );
    });

    armTimeout();
});


Solution

  • I ended up fixing this by tracking users' login/logout state and activity timestamps. When a replayed session is received, we still decrypt the forms ticket and find valid "session" information. This identifies the user; we then check whether they are logged out and, if so, redirect to the login page.

    For cases where the user kills the browser without logging out, the activity timestamp is used in a SQL job that sweeps the user table, logging out inactive users.

    weidson
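One way to implement the check the answer describes, as an added example that is not the poster's code: an IHttpModule that runs after the FormsAuthenticationModule has already accepted the ticket (which is exactly what happens on a replay) and then consults a server-side table before letting the request through. The table UserSessions, its columns, the "App" connection string name and the SQL Agent sweep statement are assumptions made for this example.

```csharp
// Added example, not from the original post. Assumes a table created as:
//   CREATE TABLE UserSessions (UserName nvarchar(256) PRIMARY KEY,
//                              LoggedIn bit NOT NULL,
//                              LastActivityUtc datetime NOT NULL);
// and a SQL Agent job for browsers closed without logout (run every few minutes):
//   UPDATE UserSessions SET LoggedIn = 0
//   WHERE LoggedIn = 1 AND LastActivityUtc < DATEADD(minute, -20, GETUTCDATE());
using System;
using System.Configuration;
using System.Data.SqlClient;
using System.Web;
using System.Web.Security;

public class ReplayGuardModule : IHttpModule
{
    // "App" is an assumed connection string name.
    static readonly string ConnStr =
        ConfigurationManager.ConnectionStrings["App"].ConnectionString;

    public void Init(HttpApplication app)
    {
        app.PostAuthenticateRequest += OnPostAuthenticateRequest;
    }

    public void Dispose() { }

    static void OnPostAuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;

        // FormsAuthenticationModule has already decrypted and validated the ticket.
        // A replayed cookie passes that check, so IsAuthenticated is true here;
        // only the server-side flag can tell a live session from a replayed one.
        if (!ctx.Request.IsAuthenticated) return;

        string user = ctx.User.Identity.Name;
        if (!IsLoggedIn(user))
        {
            FormsAuthentication.SignOut();             // drop the replayed cookie
            FormsAuthentication.RedirectToLoginPage(); // ends the response
            return;
        }
        TouchActivity(user);                           // feeds the inactivity sweep
    }

    // Call from the login page after the password check, before SetAuthCookie.
    public static void MarkLoggedIn(string user) { SetState(user, true); }

    // Call from the logout handler before FormsAuthentication.SignOut().
    public static void MarkLoggedOut(string user) { SetState(user, false); }

    static void SetState(string user, bool loggedIn)
    {
        const string sql =
            "UPDATE UserSessions SET LoggedIn = @on, LastActivityUtc = GETUTCDATE() WHERE UserName = @u; " +
            "IF @@ROWCOUNT = 0 INSERT INTO UserSessions (UserName, LoggedIn, LastActivityUtc) " +
            "VALUES (@u, @on, GETUTCDATE());";
        using (var cn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand(sql, cn))
        {
            cmd.Parameters.AddWithValue("@u", user);
            cmd.Parameters.AddWithValue("@on", loggedIn);
            cn.Open();
            cmd.ExecuteNonQuery();
        }
    }

    static bool IsLoggedIn(string user)
    {
        using (var cn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand(
            "SELECT LoggedIn FROM UserSessions WHERE UserName = @u", cn))
        {
            cmd.Parameters.AddWithValue("@u", user);
            cn.Open();
            object v = cmd.ExecuteScalar();
            return v != null && (bool)v;               // unknown user = not logged in
        }
    }

    static void TouchActivity(string user)
    {
        using (var cn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand(
            "UPDATE UserSessions SET LastActivityUtc = GETUTCDATE() WHERE UserName = @u", cn))
        {
            cmd.Parameters.AddWithValue("@u", user);
            cn.Open();
            cmd.ExecuteNonQuery();
        }
    }
}
```

Register the module in web.config (`<system.webServer><modules><add name="ReplayGuard" type="ReplayGuardModule"/></modules></system.webServer>` under IIS integrated mode, or `<system.web><httpModules>` in classic mode) and call MarkLoggedIn/MarkLoggedOut from the login and logout code paths. Two caveats: the check turns the stateless forms ticket into one that costs a database round trip per request, so a short-lived cache in front of IsLoggedIn is worth adding under load; and because the row is keyed by user name, a replayed cookie is accepted again as soon as the same user logs in from another browser. If that matters, store a random per-login value in the ticket's UserData at SetAuthCookie time and in the table, and compare the two instead of a bare LoggedIn flag.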