Sign out user but server side does not clear the authenticated session

GTEK IT DEV Team asked on August 27, 2019 11:55

I have a page whose security setting is Requires authentication = Yes

But after I used the following code snippet to sign out the user

AuthenticationHelper.SignOut();

HttpContext.Current.Response.Cache.SetNoStore();

And after that I used Fiddler to replay the request to the URL of the page that requires authentication, with the old auth cookie. The page responded 200 with all the data a logged-in user can see. What is wrong in this situation? What am I missing?

Thanks!

Recent Answers


Peter Mogilnitski answered on August 27, 2019 15:58

It probably has to do with the cache; try adding as well:

//Used for disabling page caching
HttpContext.Current.Response.Cache.SetExpires(DateTime.UtcNow.AddDays(-1));
HttpContext.Current.Response.Cache.SetValidUntilExpires(false);

HttpContext.Current.Response.Cache.SetRevalidation(HttpCacheRevalidation.AllCaches);
HttpContext.Current.Response.Cache.SetCacheability(HttpCacheability.NoCache);
HttpContext.Current.Response.Cache.SetNoStore();

and try Session.Clear(); and see if it changes the outcome.

0 votes

GTEK IT DEV Team answered on August 27, 2019 21:03 (last edited on August 27, 2019 21:04)

The code above didn't work for me.

As I read in this article https://www.vanstechelman.eu/content/cookie-replay-attacks-in-aspnet-when-using-forms-authentication, that is a weakness of ASP.NET forms authentication. Can I use another authentication method in Kentico to resolve this problem? If not, does Kentico have any other solution for this issue?

0 votes

Juraj Ondrus answered on August 28, 2019 08:31

As you figured out, it is a limitation of ASP.NET forms authentication and there is almost nothing to do to invalidate other user sessions. The problem in this case is exacerbated due to the way the authentication ticket is created and maintained. When such an (ASP.NET authentication) ticket is created it is only maintained in the cookie. No record or status about this ticket is maintained on the server side, including information about expiry after a timeout. All such information is encoded into the ticket. Hence, so long as the user's ticket is valid, i.e. the timeout has not expired, the ticket can be stolen and misused. Even restarting Internet Information Services, or for that matter the computer, cannot invalidate the ticket. This issue, discovered by Foundstone and reported to Microsoft, has been acknowledged and published by Microsoft in KB Article 900111.

As Microsoft stated, if these requirements are met, you can protect your authentication token as much as possible:

  • Use SSL by configuring the Web application in Microsoft Internet Information Services. This ensures the forms authentication feature will never issue a cookie over a non-SSL connection.
  • Enforce TTL and use absolute expiration instead of sliding expiration.
  • Use HttpOnly cookies to ensure that cookies cannot be accessed through client script, reducing the chances of replay attacks.

In the next major version we would like to change the default ASP.NET Forms authentication to ASP.NET Identity (OWIN), which offers some techniques for solving the session scenarios.

0 votes
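One way to close the server-side gap Juraj describes (the ticket carries all of its own state, so the server has nothing to invalidate) is to keep a small piece of state on the server anyway: the instant of each user's last sign-out, and reject any ticket issued before it. The following IHttpModule is an added example written for this thread; it is not Kentico code and not part of any answer above. It assumes a single web server (the in-memory dictionary is not shared across a web farm), that the module is registered in web.config, that `RevokeAllTicketsFor` is called just before `AuthenticationHelper.SignOut()`, and that the page's "Requires authentication" check relies on `HttpContext.User.Identity.IsAuthenticated`. The type and method names are mine.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Added example (not from this thread or Kentico): a server-side revocation check for
// forms authentication tickets. The ticket stays stateless; the server only remembers,
// per user, when that user last signed out and treats any older ticket as anonymous.
//
// Registration (assumed, IIS integrated pipeline):
//   <system.webServer><modules>
//     <add name="TicketRevocation" type="TicketRevocationModule" />
//   </modules></system.webServer>
// Pair it with the settings from the answer above, e.g.:
//   <forms slidingExpiration="false" requireSSL="true" timeout="20" ... />
//   <httpCookies httpOnlyCookies="true" requireSSL="true" />
public class TicketRevocationModule : IHttpModule
{
    // user name -> UTC instant; tickets issued before this instant are void.
    // Assumption: single server. In a web farm this must live in a shared store.
    private static readonly ConcurrentDictionary<string, DateTime> RevokedBefore =
        new ConcurrentDictionary<string, DateTime>(StringComparer.OrdinalIgnoreCase);

    // Call this right before AuthenticationHelper.SignOut() (assumed call site).
    public static void RevokeAllTicketsFor(string userName)
    {
        RevokedBefore[userName] = DateTime.UtcNow;
    }

    public void Init(HttpApplication app)
    {
        // Runs after FormsAuthenticationModule has set Context.User and before
        // URL authorization decides whether the request may see the page.
        app.PostAuthenticateRequest += OnPostAuthenticateRequest;
    }

    private static void OnPostAuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        HttpCookie cookie = ctx.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
        {
            return; // no ticket presented: nothing to revoke
        }

        FormsAuthenticationTicket ticket;
        try
        {
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (ArgumentException)
        {
            return; // undecryptable or tampered cookie: forms auth already treats it as anonymous
        }
        if (ticket == null || ticket.Expired)
        {
            return; // expired tickets are rejected by forms auth on its own
        }

        DateTime cutoff;
        if (RevokedBefore.TryGetValue(ticket.Name, out cutoff)
            && ticket.IssueDate.ToUniversalTime() < cutoff)
        {
            // Replayed ticket from before the last sign-out: downgrade the request to
            // anonymous so "Requires authentication" pages deny it, and expire the cookie.
            ctx.User = new GenericPrincipal(new GenericIdentity(string.Empty), new string[0]);
            HttpCookie expired = new HttpCookie(FormsAuthentication.FormsCookieName, string.Empty)
            {
                Expires = DateTime.UtcNow.AddDays(-1),
                HttpOnly = true,
                Path = FormsAuthentication.FormsCookiePath
            };
            ctx.Response.Cookies.Add(expired);
        }
    }

    public void Dispose()
    {
    }
}
```

With this in place, the Fiddler replay from the question still reaches the server, but the request is authorized as anonymous and gets the usual redirect to the login page instead of a 200 with user data. Because absolute expiration (`slidingExpiration="false"`) bounds every ticket's lifetime by the forms timeout, entries in `RevokedBefore` older than `FormsAuthentication.Timeout` can be dropped: any ticket they would have rejected has already expired on its own.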
