Cookie Hijack #246
Comments
|
Can't you do that with any web application that issues cookies for authentication? |
|
Doesn't facebook uses cookie authentication? I couldn't do it there. Isn't this a security concern? |
|
My point is that you could do the same for any other website that uses cookies. That's how we do authentication. IdentityServer works the same way. |
|
I know this issue is quite old, but it's still open, and I'm having the exact same problem. Our application (which consists of multiple server side applications (a Drupal portal and two separate .NET MVC applications) and IdentityServer3). We have recently had a Pentest done for this application set, and one of the issues is exactly the one the issue starter describes. The comments of the tester were: Expected Result: Actual Result: How to handle this? |
|
If you're using cookies, then where did you get it from? An external provider? |
|
No, we're using local authentication in an implementation of the IUserService. The service authenticates against a local user database. Is this enough background information, or do you need more? |
|
Well, IdMgr is not the same as IdSvr. I guess what I need to know -- is the user logging out of IdMgr or somewhere else? |
|
We don't use IdMgr (yet). We are using Drupal with a custom module to replace the standard authentication and session management by OAuth2/OpenID Connect using the IdentityServer3. When a user clicks on 'logout' in Drupal, he gets redirected to the end_session endpoint. In the IdSrv log, I can see the logout is completely successful. Also, the Drupal session is destroyed. In Cookie Manager, I can see that 3 of the 4 IdSrv cookies are deleted. 1 remains, the idsrsv.xsrf cookie. When I restore the IdSrv cookies (using the Firefox Cookie Manager plugin), and request a Drupal page, I get redirected to the authorize endpoint, which is successful:
The user gets redirected to Drupal. |
Yep, my apologies. I had misread the repo we were on (I get switched around a lot). AuthorizationServer (this repo that you're asking about) relies upon external authentication using a SSO provider. When the user logs out of the SSO provider then you need to configure the provider such that it contacts this app to cleanup the cookie. |
|
Thanks, Brock. Do you mean that the SSO provider should call the end_session_endpoint? I'm asking this, because we are already doing this:
I can see in the IdSrv log that de cookies are already cleaned (which is also reflected by the Cookie Manager): Maybe I just don't understand it completely, but isn't the whole point that the cookies are in fact destroyed, but when the user restores the saved cookies, the cookie is still treated as valid, and the user is logged in again? |
|
Also as a side note, I see a request to "report" in there -- I think you might have some CSP issues there. |
|
So for the issue, I'm just not sure on what's happening in your environment. Also, I'm not clear on why you use AuthorizationServer and IdentityServer3 -- IdSvr3 includes the features of AuthorizationServer. |
|
Actually, I'm not using or intending to use AuthorizationServer, as far as I know. It's not listed in my NuGet packages. What is the indicator for you to say I'm using AuthorizationServer? (As a side note: I'll look into the CSP stuff.. Thanks for pointing it out.) |
|
Because you're posting in the "IdentityModel/AuthorizationServer" issue tracker (look above). |
|
Oooops, my mistake.. I'm sorry! Actually, I'm only using IdSrv 3. |
|
Open an issue there, please. |
I've notice this behavior:
- After Login on STS I save the idsrv cookie.
- Log out the application
- Import the cookie to the browser
- Access the application and I'm logged.
Is this the expected behavior, or am I missing something? Doesn't this expose the applications to cookie hijacking? How to mitigate this.
thks
The text was updated successfully, but these errors were encountered: