
Background / Context:

Take any out-of-the-box ASP.NET Core template with user logins enabled. You may use external login providers (Google, Facebook, Microsoft, etc.) as well. Alternatively, just clone this sample web application: https://github.com/dotnet-architecture/eShopOnWeb

Test:

  1. Log in to the test website created. (Test user name we used: neel.)
  2. Record any authorized web request using Fiddler, the browser's web developer tools, etc. We recorded the /basket request of the eShopOnWeb sample website, which shows the personalized shopping cart of the logged-in user.
  3. Log out.
  4. Close the browser.
  5. Open the website in guest mode (do not log in). You may choose a different browser altogether.
  6. Replay the request from step 2. (This uses the exact same headers, containing cookies, token, etc.)

Observation: This successfully returns shopping cart items of the user neel.

I am faced with two questions:

  1. Is this a login-related vulnerability? I think it is!! Shouldn't the token expire (session destroyed) on logout?
  2. If this is a vulnerability, how do I fix it? The anti-forgery token comes built in with Identity, but it doesn't seem to help.
Ravi M Patel
  • If it's a template, it may need code added to secure the application. It's a template for a reason; it's not necessarily going to do everything you need it to right out of the box. When you log out, is the logout code destroying cookies and expiring tokens? You're basically doing the logic of: a user logs in as a user, then logs out and then goes into the site as a guest. They still are a real user, so why should it not recognize that? How would this be a security issue unless a man-in-the-middle stole their token and used it to purchase things under their account? – Ryan Wilson Apr 02 '21 at 14:12
  • @RyanWilson Destroying cookies is something I will have to look into. As the template comes with login functionality implemented, I'm not sure whether the logout action is destroying cookies. About your user-related question, it seems you have misunderstood. Why should my Amazon shopping cart be visible to a guest user? – Ravi M Patel Apr 02 '21 at 14:17
  • @RyanWilson, no, shopping cart items are stored in the DB. I have specifically mentioned that we can retrieve them from a different browser too. – Ravi M Patel Apr 02 '21 at 14:18
  • I'm speculating on possible reasons. But since you are monitoring via Fiddler and using the same headers and token, it sounds like the token has not been set as expired on logout. It treats the request as being made by login 1, since you are still passing all the same info in your request. I would look at the logout functionality and see if it is setting the token to expired. – Ryan Wilson Apr 02 '21 at 14:21
  • If you are using JWTs you may find this post helpful - [invalidating-json-web-tokens](https://stackoverflow.com/questions/21978658/invalidating-json-web-tokens) – Ryan Wilson Apr 02 '21 at 14:28
  • Cookies in ASP.NET are usually stateless, so you can't revoke them once issued, they can only expire. You can change the user's security stamp, which will have the effect of revoking all active sessions for that user. Whether you want that is a decision for your application, as is whether you consider it to be a security problem for your application that cookies can be reused even after sign out. – Nat Wallbank Apr 02 '21 at 14:47
  • The alternative is that you implement some session management yourself, which would allow you to revoke any tokens / session IDs on sign out. – Nat Wallbank Apr 02 '21 at 14:48
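The security-stamp approach from the last two comments, worked through as an added example (not code from the eShopOnWeb project or from the question): a minimal ASP.NET Core Identity app whose logout endpoint rotates the user's security stamp before signing out, with the stamp validator configured to re-check on every request. The `AppDbContext` type, the in-memory EF Core store and the `/logout` route are assumptions made for this example; the Identity APIs (`UpdateSecurityStampAsync`, `SignOutAsync`, `SecurityStampValidatorOptions.ValidationInterval`) are real.

```csharp
// Added example, not part of the original question or the eShopOnWeb sample.
// Packages assumed: Microsoft.AspNetCore.Identity.EntityFrameworkCore,
// Microsoft.EntityFrameworkCore.InMemory (the in-memory store is only for the demo).
using System;
using System.Security.Claims;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Identity.EntityFrameworkCore;
using Microsoft.EntityFrameworkCore;

var builder = WebApplication.CreateBuilder(args);

// Placeholder persistence; a real app points this at its own database.
builder.Services.AddDbContext<AppDbContext>(o => o.UseInMemoryDatabase("demo"));

// AddIdentity wires up the application cookie and hooks the SecurityStampValidator
// into the cookie's OnValidatePrincipal event.
builder.Services.AddIdentity<IdentityUser, IdentityRole>()
    .AddEntityFrameworkStores<AppDbContext>();

// By default the stamp stored in the cookie is compared against the database only
// every 30 minutes, so a replayed cookie keeps working for up to that long after
// logout. TimeSpan.Zero makes the comparison happen on every authenticated request.
builder.Services.Configure<SecurityStampValidatorOptions>(o =>
    o.ValidationInterval = TimeSpan.Zero);

var app = builder.Build();

app.UseAuthentication();
app.UseAuthorization();

// Logout: rotate the security stamp first, then clear the cookie. Any cookie
// issued before the rotation (including one captured with Fiddler) now carries a
// stale stamp and is rejected by the validator, so a replay returns 401/redirect
// to login instead of the user's basket. Note this signs the user out of every
// browser and device, not just the one that clicked Logout.
app.MapPost("/logout", async (
        SignInManager<IdentityUser> signInManager,
        UserManager<IdentityUser> userManager,
        ClaimsPrincipal principal) =>
    {
        var user = await userManager.GetUserAsync(principal);
        if (user is not null)
        {
            await userManager.UpdateSecurityStampAsync(user);
        }
        await signInManager.SignOutAsync();
        return Results.Redirect("/");
    })
    .RequireAuthorization();

app.Run();

// Assumed Identity DbContext for the example.
class AppDbContext : IdentityDbContext<IdentityUser>
{
    public AppDbContext(DbContextOptions<AppDbContext> options) : base(options) { }
}
```

To confirm the fix, repeat the six test steps from the question: after the POST to `/logout`, replaying the recorded `/basket` request should no longer return the cart. The trade-off of `ValidationInterval = TimeSpan.Zero` is one user-store lookup per request; a short non-zero interval (for example a minute) bounds the replay window at lower cost. Server-side session storage via a custom `ITicketStore` on the cookie handler is the other option mentioned in the comments and would allow revoking a single session rather than all of them.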
