asp.net-mvc – Invalidating an old session cookie – ASP.NET Identity

An external company has done some penetration testing on the ASP.NET MVC 5 application I'm developing.

The issue they raised is described below:

A cookie linked with session management is called AspNet.ApplicationCookie. When entered manually, the application authenticates the user. Even though the user logs out from the application, the cookie is still valid. This means the old session cookie can be used for a valid authentication within an unlimited timeframe. The moment the old value is inserted, the application accepts it and replaces it with a newly generated cookie. Therefore, if the attacker gains access to one of the existing cookies, a valid session will be created, with the same access as in the past.

We are using ASP.NET Identity 2.2.

This is our logoff action on the account controller:

[HttpPost]
[ValidateAntiForgeryToken]
public ActionResult logoff()
{
    AuthenticationManager.SignOut();
    return RedirectToAction("Login", "Account");
}

In Startup.Auth.cs:

app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
    LoginPath = new PathString("/Account/Login"),
    ExpireTimeSpan = TimeSpan.FromHours(24.0),
    Provider = new CookieAuthenticationProvider
    {
        // Enables the application to validate the security stamp when the user logs in.
        // This is a security feature which is used when you change a password or add an external login to your account.
        OnValidateIdentity = SecurityStampValidator
            .OnValidateIdentity<ApplicationUserManager, ApplicationUser, int>(
                validateInterval: TimeSpan.FromMinutes(1.0),
                regenerateIdentityCallback: (manager, user) => user.GenerateUserIdentityAsync(manager),
                getUserIdCallback: (id) => (Int32.Parse(id.GetUserId())))
    }
});

I originally assumed the framework would take care of invalidating an old session cookie, but browsing the Owin.Security source code it does not.

How do I invalidate the session cookie on logout?

Edit: Following Jamie Dunstan's suggestion I added AuthenticationManager.SignOut(DefaultAuthenticationTypes.ApplicationCookie); but it made no difference. I can still log out of the application, clone a previously authenticated request in Fiddler, and have the application accept it.

Edit: my updated logoff method:

[HttpPost]
[ValidateAntiForgeryToken]
public async Task<ActionResult> logoff()
{
    var user = await UserManager.FindByNameAsync(User.Identity.Name);

    // Drop the cookie, then rotate the security stamp so the old cookie
    // fails the next SecurityStampValidator check.
    AuthenticationManager.SignOut(DefaultAuthenticationTypes.ApplicationCookie);
    await UserManager.UpdateSecurityStampAsync(user.Id);

    return RedirectToAction("Login", "Account");
}

Solution

Make sure you use AuthenticationManager.SignOut(DefaultAuthenticationTypes.ApplicationCookie); as Jamie correctly suggested.

Being able to log in again with the same cookie is by design. Identity does not create an internal session to track all logged-in users; if OWIN receives a cookie that ticks all the boxes (i.e. a copy from a previous session), it will let you in.

If you can still log in after updating the security stamp, most likely OWIN cannot get hold of the ApplicationUserManager. Make sure you have this line above app.UseCookieAuthentication:

app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);

Or, if you are using DI, get the ApplicationUserManager from DI:

app.CreatePerOwinContext(() => DependencyResolver.Current.GetService<ApplicationUserManager>());

Also reduce validateInterval: TimeSpan.FromMinutes(30) to a lower value; I usually settle on a few minutes. This is how often Identity compares the value in the auth cookie with the value in the database. Once the comparison is done, Identity regenerates the cookie to update the timestamp.
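Putting the three points of the answer together (user manager registered before the cookie middleware, explicit ApplicationCookie sign-out, and a security-stamp rotation on logout), here is the resulting configuration and logoff action as one added example. This is not code from the question or the answer; it assumes the default MVC 5 template types ApplicationDbContext, ApplicationUserManager and ApplicationUser with int keys (as in the question), that ApplicationUserManager.Create resolves its DbContext from the OWIN context, and that GenerateUserIdentityAsync is defined on ApplicationUser.

```csharp
using System;
using System.Threading.Tasks;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Owin;

// Startup.Auth.cs (assumed file layout of the default template)
public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        // Both per-request factories must be registered BEFORE the cookie middleware.
        // SecurityStampValidator resolves the user manager from the OWIN context on
        // each validation; if it cannot find one, the stamp check is skipped and a
        // replayed cookie keeps working. (Assumed factory methods from the template.)
        app.CreatePerOwinContext(ApplicationDbContext.Create);
        app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"),
            ExpireTimeSpan = TimeSpan.FromHours(24),
            Provider = new CookieAuthenticationProvider
            {
                // At most once per validateInterval (measured from the cookie's IssuedUtc),
                // compare the SecurityStamp claim in the cookie with the one in the database.
                // A mismatch rejects the cookie and forces a fresh login; a match re-issues
                // the cookie with a new IssuedUtc.
                OnValidateIdentity = SecurityStampValidator
                    .OnValidateIdentity<ApplicationUserManager, ApplicationUser, int>(
                        validateInterval: TimeSpan.FromMinutes(1),
                        regenerateIdentityCallback: (manager, user) =>
                            user.GenerateUserIdentityAsync(manager),
                        getUserIdCallback: id => id.GetUserId<int>())
            }
        });
    }
}

// AccountController.cs (assumed; UserManager and AuthenticationManager are the
// template's properties that read the per-request instances from the OWIN context)
public partial class AccountController : Controller
{
    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<ActionResult> LogOff()
    {
        // Read the id from the claims principal instead of a second database lookup by name.
        var userId = User.Identity.GetUserId<int>();

        // Rotate the stamp first so that, even if the sign-out response is lost,
        // every previously issued cookie for this user fails its next stamp check.
        await UserManager.UpdateSecurityStampAsync(userId);

        // Only revoke the application cookie; SignOut() with no types revokes every
        // active authentication middleware, which is broader than intended here.
        AuthenticationManager.SignOut(DefaultAuthenticationTypes.ApplicationCookie);

        return RedirectToAction("Login", "Account");
    }
}
```

Two caveats a pentest retest will hit. First, the stamp is only re-checked once validateInterval has elapsed since the cookie was issued, so a replayed cookie stays valid for up to that interval after logout; one minute closes most of the window at the cost of one extra database read per user per minute. Second, UpdateSecurityStampAsync is per user, not per session: it also terminates that user's sessions on every other device. If the requirement is immediate, per-session revocation, the cookie must reference server-side state instead, which Microsoft.Owin.Security.Cookies supports through CookieAuthenticationOptions.SessionStore (an IAuthenticationSessionStore implementation you provide).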
