Version 7.x > API > CMSCookie Invalidated after logout
Member
lukek - 6/6/2013 11:32:01 PM
CMSCookie Invalidated after logout
Hi,

I'm wondering if there is a way to invalidate the CMSCookie that Kentico sets after the user logs out on the server side?

Currently it is possible to reuse a session id (session replay vulnerability).

Kentico Customer Success
kentico_martind2 - 6/10/2013 1:13:36 AM
RE:CMSCookie Invalidated after logout
Hello,

For this purpose you can use the Global events, especially CMSSessionEvents - End where you can handle the cookie invalidation. For some inspiration, please take a look at the following thread: Remove cookie on log-out.

But from my point of view working with Session ID is a good way.

Best regards,
Martin Danko

Member
lukek - 6/10/2013 3:06:17 AM
RE:CMSCookie Invalidated after logout
Hi Martin,

Thank you for your reply.

I think maybe I was not being so clear. Your link shows me how to remove a cookie from the user's machine, which, as far as I am currently aware, Kentico already does for me (the CMSCookie); however, the issue is that the CMSCookie value will still be valid even after the user has logged out. I'll provide an example.

- Administrator logs into Kentico. The CMSCookie is now created.
- Administrator wants to finish his session so he logs out. CMSCookie is now removed from the client's machine, but the value is not invalidated in the CMS.
- It is possible for a malicious person / software to have gotten the value of CMSCookie.
- The malicious person creates a cookie for the site domain named CMSCookie with the administrator's value, and he will have access to everything that user had access to.

Are you saying I will need to write my own scripts in the CMSSessionEvents - end and invalidate it myself?

Kentico Customer Success
kentico_martind2 - 6/10/2013 7:41:16 AM
RE:CMSCookie Invalidated after logout
Hi,

That's not true, because the cookie is related to the session. So if the session is ended, the cookie is not valid anymore. From my point of view this is one of the basic security protections. So having just a cookie is not enough to access any account.

Best regards,
Martin Danko

Member
lukek - 6/10/2013 7:18:35 PM
RE:CMSCookie Invalidated after logout
Hi Martin,

I agree this is one of the basic security problems, and having just a cookie shouldn't be enough to access an account, but as it stands it currently is.

Firstly I need to make a correction to my original post. CMSCookie looks like it was added by us in the web.config in place of the current cookie .ASPXFORMSAUTH, which I just noticed this morning by looking through our version control (judging by the commit it was to change the timeout, but this is irrelevant); however, this happens even with the default settings.

I created an example site using the Kentico installer to test this; the website template I used was the community starter site Kentico 7.0 (I have also tested with some of our other sites at various hotfixes).

- Log into the site as Administrator (I'm using Chrome)
- Using Chrome's inspector tool, go to Resources > Cookies > (domain name) and look for the .ASPXFORMSAUTH cookie. Copy its Value
- Sign out of the administrator (at this stage I would expect the cookie's value to become invalid and never again be able to be used)
- Close Chrome
- Open FireFox (with firebug installed) and navigate to the site home page
- Go to Firebug and Navigate to Cookies
- Create a cookie titled .ASPXFORMSAUTH with the value that we copied before. Make sure you tick Session and HTTP Only.
- Reload the page and you will see that you are logged in as that user

I came across this because a site we built had to go through a security assessment and this is what came back (minus domain name and paths for our own security).
Authenticated Session Replay Vulnerability
Finding Details
The [sitename] utilises the “CMSCookie” (note we changed this back to the original cookie) value to track the identity of a user.

However, EWA testing showed that the Session ID was not properly invalidated at the server
side after the user logged out of the application and can still be replayed to 'resurrect' the session
of a legitimate user and impersonate that user.

EWA verified the issue by capturing the Session ID of a user before logging out. After the user
logged out of the portal, EWA manually inserted the captured Session ID into the browser
(session replay) and browsed to a restricted page (e.g. [secure path]) to gain access as
the user that had logged out. The replay was successful and EWA was logged back into the
application as that user.

Impact Details
A successful attack will allow the attacker to have the same level of access privilege as the
captured user. If the captured user is an administrator the attacker will have the same
administrative access to the application.

It should also be noted that with the lack of a secure protocol (e.g. HTTPS) the risk of an
attacker capturing a Session ID is dramatically increased.

Recommendation
[site name] should ensure that after the user has logged out of the portal the
“CMSCookie” Session ID is not only cleared from the browser but is also invalidated on the
server as well.

After my own testing I was able to replicate this, even on the default install.

Kentico Support
kentico_jurajo - 6/17/2013 1:30:55 AM

RE:CMSCookie Invalidated after logout
Hi,

You can try doing this on some other .Net application or your custom one. This is how .NET works - it checks the validity of the cookie and not if the session is on the server or not. You can try using this key in web.config file:
<add key="CMSUseSessionCookies" value="true"/>

Anyway, if you want to ensure this, you will need to have a place on the server where you store the valid cookies and check their value against the cookie that is requesting logon, so basically pair this information. This is a .Net forms authentication thing.

Best regards,
Juraj Ondrus
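Juraj's "store the valid cookies on the server and pair them with the incoming cookie" approach, written out as an added example; this is not Kentico's or Microsoft's code and is not part of the original thread. It uses only the System.Web forms-authentication APIs, so it applies to any ASP.NET forms-auth site (Kentico's default .ASPXFORMSAUTH cookie included) without relying on Kentico events; Martin's CMSSessionEvents End hook would be another place to call the revoke step, but its signature is not on this page, so it is not used here. The TicketRegistry and TicketRevocationModule names are my own, and the in-memory dictionary is an assumption that only holds for a single server: it starts empty on every app-pool recycle (which simply forces everyone to log in again) and a web farm needs a shared cache or database table in its place.

```csharp
using System;
using System.Collections.Concurrent;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Text;
using System.Web;
using System.Web.Security;

// Added example (not Kentico/Microsoft code): server-side registry of the
// forms-authentication tickets this application has issued. A cookie whose
// ticket is not in the registry is rejected even though its MAC and expiry
// still check out, which is exactly the gap described in the thread.
public static class TicketRegistry
{
    // Constructed in-memory store for illustration: per-process only.
    private static readonly ConcurrentDictionary<string, DateTime> Issued =
        new ConcurrentDictionary<string, DateTime>();

    // Key by a SHA-256 hash of the encrypted cookie value so the registry
    // itself never holds a replayable token.
    public static string KeyFor(string encryptedTicket)
    {
        using (SHA256 sha = SHA256.Create())
        {
            byte[] digest = sha.ComputeHash(Encoding.UTF8.GetBytes(encryptedTicket));
            return Convert.ToBase64String(digest);
        }
    }

    public static void Register(string encryptedTicket, DateTime expiresUtc)
    {
        Issued[KeyFor(encryptedTicket)] = expiresUtc;
    }

    public static void Revoke(string encryptedTicket)
    {
        DateTime ignored;
        Issued.TryRemove(KeyFor(encryptedTicket), out ignored);
    }

    public static bool IsActive(string encryptedTicket)
    {
        DateTime expiresUtc;
        return Issued.TryGetValue(KeyFor(encryptedTicket), out expiresUtc)
               && expiresUtc > DateTime.UtcNow;
    }
}

// HttpModule that pairs the registry with the normal forms-auth pipeline.
public class TicketRevocationModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        app.PostAuthenticateRequest += OnPostAuthenticateRequest;
        app.EndRequest += OnEndRequest;
    }

    public void Dispose() { }

    // Incoming side: FormsAuthenticationModule has already decrypted and
    // validated the cookie; this adds "was it issued and not yet revoked?".
    private static void OnPostAuthenticateRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        HttpCookie cookie = app.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return;

        if (!TicketRegistry.IsActive(cookie.Value))
        {
            // Logged-out or otherwise unknown ticket: drop the identity for this
            // request and tell the browser to discard the cookie.
            FormsAuthentication.SignOut();
            app.Context.User = new GenericPrincipal(
                new GenericIdentity(string.Empty), new string[0]);
        }
    }

    // Outgoing side: watch the response for the forms cookie being set (login
    // or sliding-expiration renewal) or cleared (SignOut) and keep the registry
    // in step, so no call into the application's own login code is needed.
    private static void OnEndRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        string name = FormsAuthentication.FormsCookieName;

        // Response.Cookies[name] would create the cookie if absent, so test the keys first.
        if (!app.Response.Cookies.AllKeys.Contains(name)) return;
        HttpCookie outgoing = app.Response.Cookies[name];

        // HttpCookie.Expires defaults to DateTime.MinValue for a session cookie;
        // an explicit past date or an empty value is how SignOut() clears the cookie.
        bool cleared = string.IsNullOrEmpty(outgoing.Value)
                       || (outgoing.Expires != DateTime.MinValue && outgoing.Expires < DateTime.Now);
        if (cleared)
        {
            HttpCookie incoming = app.Request.Cookies[name];
            if (incoming != null && !string.IsNullOrEmpty(incoming.Value))
                TicketRegistry.Revoke(incoming.Value);   // the logout case from the thread
            return;
        }

        try
        {
            FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(outgoing.Value);
            if (ticket != null)
                TicketRegistry.Register(outgoing.Value, ticket.Expiration.ToUniversalTime());
        }
        catch (Exception)
        {
            // Not a readable ticket: leave it unregistered, so it will be rejected on use.
        }
    }
}
```

The module is wired up in web.config under system.webServer/modules (or system.web/httpModules on classic pipeline) with its type name. With it in place, the replay steps from the thread fail at the registry check: the copied .ASPXFORMSAUTH value still decrypts, but its hash was removed when the sign-out response went through OnEndRequest, so the request is treated as anonymous. Sliding renewal registers each new cookie value; the previous value stays registered until its own expiry, which is the trade-off of keying on the cookie value rather than on a per-session id embedded in the ticket's UserData.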