Hi there

So I have an open bug bounty program and a member has noticed what you can do with my application is:
-Log into the application
-Using Chrome Cookie addon, copy the cookies
-Clear the cookies
-Logout of the application
-Now paste the Cookies copied using the addon again
-Navigate to the Manage/Account part
..and voila you are back in the application!?

I'm not a security expert but surely once logout is called we shouldn't be able to do this. This application was created using the standard project you get from Microsoft with the built-in features like "Account", "Manage" etc.

I have an expiry on the cookie now set to 5 minutes, so this helps, but it still seems like you shouldn't be able to do this unless I've misunderstood.

The logout function is fairly simple:

C#
// POST: /Account/LogOff
[Authorize]
public ActionResult LogOut()
{
    AuthenticationManager.SignOut(DefaultAuthenticationTypes.ApplicationCookie);
    return RedirectToAction("Index", "Home");
}


Other details

C# MVC
Visual Studio 2019
.Net 4.7.2

Is anyone able to explain if this is a bug or my lack of understanding? Thanks in advance.

What I have tried:

Thus far I have not really tried much apart from searching the net, and I haven't found a decent solution yet.
Posted
Updated 8-Sep-20 23:30pm

This is known as a cookie replay attack. There are several suggestions for mitigation in this StackOverflow thread:
asp.net - Form Authentication - Cookie replay attack - protection - Stack Overflow

But if you make sure your site is only ever served over HTTPS, and make sure your cookies are set as "secure", "same site", and "HTTP only", then an attacker will not be able to obtain the cookie value unless they have managed to perform a man-in-the-middle (MitM) attack. And if they've done that, you've got much bigger problems!

Using HTTP cookies - HTTP | MDN

Note: A user can still copy their own cookie, and replay it to be logged back in as themselves. But that's not really a security vulnerability. The only concern would be if their computer or browser is compromised by malicious code. But again, if that happens, they've got bigger problems to worry about.
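
Added example (not part of the answer above and not the Microsoft template's own code): with OWIN cookie authentication the cookie is a self-contained encrypted ticket, and SignOut only asks the browser to delete it, so a saved copy stays valid until it expires unless the server re-checks it. The sketch below sets the cookie flags named in the answer and uses ASP.NET Identity's security stamp to reject a replayed cookie after logout; it assumes Microsoft.Owin 4.1.0 or later and the template's usual names (ApplicationDbContext, ApplicationUserManager, ApplicationUser, GenerateUserIdentityAsync, and the controller's UserManager and AuthenticationManager properties).

```csharp
// --- App_Start/Startup.Auth.cs (file layout assumed from the MVC 5 template) ---
using System;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        app.CreatePerOwinContext(ApplicationDbContext.Create);
        app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"),
            CookieSecure = CookieSecureOption.Always,   // "secure": HTTPS only
            CookieHttpOnly = true,                      // "HTTP only": hidden from script
            CookieSameSite = SameSiteMode.Lax,          // "same site"
            ExpireTimeSpan = TimeSpan.FromMinutes(5),   // the 5-minute expiry from the question
            SlidingExpiration = false,
            Provider = new CookieAuthenticationProvider
            {
                // Compare the stamp stored in the cookie with the one in the database.
                // TimeSpan.Zero checks on every request (one extra lookup per request);
                // a longer interval leaves a replay window of that length.
                OnValidateIdentity = SecurityStampValidator
                    .OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                        validateInterval: TimeSpan.Zero,
                        regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
            }
        });
    }
}

// --- Controllers/AccountController.cs: replacement action inside the controller ---
// (also needs: using System.Threading.Tasks; using System.Web.Mvc;)
[Authorize]
public async Task<ActionResult> LogOut()
{
    // Rotate the stamp first: every cookie issued before this point now fails validation.
    await UserManager.UpdateSecurityStampAsync(User.Identity.GetUserId());
    AuthenticationManager.SignOut(DefaultAuthenticationTypes.ApplicationCookie);
    return RedirectToAction("Index", "Home");
}
```

Rotating the security stamp invalidates every session the user has, on all browsers and devices, not only the one that logged out.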
 
 

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


