Form Authentication – Cookie replay attack – protection

by

A simple idea is to generate a random guid and store it in the user data section of the cookie. Then, when a user logs out, you retrieve the guid from the user data and write it in a server side repository with an annotation that this “session” has ended.

Then, have an http module that checks upon every request whether or not the guid from the userdata section of your cookie doesn’t point to a ended session. If yes, terminate the request with a warning that expired cookie is reused.

This comes with a cost of an additional lookup per request.

More Related Contents:

  1. Can some hacker steal a web browser cookie from a user and login with that name on a web site?
  2. What are all the user accounts for IIS/ASP.NET and how do they differ?
  3. What is the App_Data folder used for in Visual Studio?
  4. How serious is this new ASP.NET security vulnerability and how can I workaround it?
  5. X-Frame-Options Allow-From multiple domains
  6. Asp.net Identity password hashing
  7. Session Fixation in ASP.NET
  8. How to restrict folder access in asp.net
  9. Redirect to a page with endResponse to true VS CompleteRequest and security thread
  10. How to Customize ASP.NET Web API AuthorizeAttribute for Unusual Requirements
  11. Cannot use a leading ../ to exit above the top directory
  12. How to limit page access only to localhost?
  13. Is there a way to keep a page from rendering once a person has logged out but hit the “back” button?
  14. Why do ASP.NET JSON web services return the result in ‘d’?
  15. Web authentication state – Session vs Cookie?
  16. Biggest advantage to using ASP.Net MVC vs web forms
  17. Accessing Session Using ASP.NET Web API
  18. Adding ASP.NET MVC5 Identity Authentication to an existing project
  19. ASP.NET Custom user control to add dynamically
  20. Capturing SOAP requests to an ASP.NET ASMX web service
  21. Caching specific Javascript and CSS files
  22. How to encrypt one entry in web.config
  23. WCF: System.Net.SocketException – Only one usage of each socket address (protocol/network address/port) is normally permitted
  24. Best way to parse JSON data into a .NET object
  25. Change textbox’s css class when ASP.NET Validation fails
  26. Disable the postback on an
  27. How to use Castle Windsor with ASP.Net web forms?
  28. HttpCookieCollection.Add vs HttpCookieCollection.Set – Does the Request.Cookies collection get copied to the Response.Cookies collection?
  29. Enable/disable asp.net validator controls within a specific “ValidationGroup” with jQuery?
  30. Is there a recommended way to return an image using ASP.NET Web API

Leave a Comment