Tags: asp.net-mvc-4, session, authentication, cookies, burp

How to invalidate an HTTP session after logout


I am creating a web application in asp.net mvc which is using forms authentication to authenticate users. I am using the HTTP proxy tool "burp" to capture an authenticated user's authenticated cookie. After that I log out from the application. Now I am using the captured authenticated cookie to send a request to my server, and the server is treating the request as an authenticated request (even though I logged that user out from my browser). Could anyone let me know where I am going wrong in my logout code?

Below is the logout code of my application:

    public virtual ActionResult LogOff()
    {
        // Remove the forms-authentication cookie from the response and abandon the server-side session
        FormsAuthentication.SignOut();
        Session.Abandon();

        // Clear the forms-authentication cookie explicitly (FormsCookieName defaults to ".ASPXAUTH")
        HttpCookie cookie1 = new HttpCookie(FormsAuthentication.FormsCookieName, "");
        cookie1.Expires = DateTime.Now.AddYears(-1);
        Response.Cookies.Add(cookie1);

        // Clear the session cookie
        HttpCookie cookie2 = new HttpCookie("ASP.NET_SessionId", "");
        cookie2.Expires = DateTime.Now.AddYears(-1);
        Response.Cookies.Add(cookie2);

        // Clear the anti-forgery token cookie
        HttpCookie cookie3 = new HttpCookie("__RequestVerificationToken", "");
        cookie3.Expires = DateTime.Now.AddYears(-1);
        Response.Cookies.Add(cookie3);

        // Clear the default-named authentication cookie as well (same cookie as cookie1 unless the name was changed)
        HttpCookie cookie4 = new HttpCookie(".ASPXAUTH", "");
        cookie4.Expires = DateTime.Now.AddYears(-1);
        Response.Cookies.Add(cookie4);

        return RedirectToAction(MVC.Account.Login());
    }

Below is a screenshot of the Burp tool sending the captured authenticated request, which gets a success response.



Solution

  • After a lot of searching I came to the conclusion that there is no proper way to invalidate an authenticated cookie. The authentication cookie ".ASPXAUTH" (the default name of the authentication cookie) basically just contains the userName, when it was generated and the expiration details. It does not really tell whether the user is actually authenticated.

    If the user logs out this cookie gets removed from the browser, but if this cookie has been captured and kept somewhere it will still serve as an authenticated request.

    The only solution I found was to add some extra bit of unique data to this cookie, store that data somewhere on the server (likely a database) and compare that unique data against the database on each authenticated request. When the user logs out, clear that unique data from the database; this ensures that an authenticated request captured by some means which hits the server after the user logs out does not get authenticated.
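One way to implement the answer's scheme with ASP.NET MVC forms authentication, as an added example that is not the asker's or answerer's code: the unique value travels in the ticket's UserData, an in-memory dictionary stands in for the database the answer mentions, and one live token per user is assumed (a second login replaces the first).

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

public static class RevocableFormsAuth
{
    // Stand-in for the answer's database (constructed, in-memory): user name -> token in the current ticket.
    static readonly ConcurrentDictionary<string, string> LiveTokens =
        new ConcurrentDictionary<string, string>(StringComparer.OrdinalIgnoreCase);

    // Sign-in: issue a ticket whose UserData carries a fresh random token, remembered server-side.
    public static void SignIn(HttpResponseBase response, string userName)
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        string token = Convert.ToBase64String(bytes);
        LiveTokens[userName] = token;
        var ticket = new FormsAuthenticationTicket(1, userName, DateTime.UtcNow,
            DateTime.UtcNow.AddMinutes(30), false, token, FormsAuthentication.FormsCookiePath);
        response.Cookies.Add(new HttpCookie(FormsAuthentication.FormsCookieName,
            FormsAuthentication.Encrypt(ticket)) { HttpOnly = true, Secure = true });
    }

    // Logout: forget the token, so a previously captured copy of the cookie no longer matches anything.
    public static void SignOut(string userName)
    {
        string removed; LiveTokens.TryRemove(userName, out removed);
        FormsAuthentication.SignOut();
    }

    // True only if the ticket decrypts, is unexpired, and its token is still the live one for that user.
    public static bool IsLive(HttpRequestBase request)
    {
        var cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return false;
        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { return false; } // undecryptable or tampered cookie
        if (ticket == null || ticket.Expired) return false;
        string live; return LiveTokens.TryGetValue(ticket.Name, out live) && live == ticket.UserData;
    }
}

// Drop-in for [Authorize]: the stock check plus the per-request server-side token check.
public class RevocableAuthorizeAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        return base.AuthorizeCore(httpContext) && RevocableFormsAuth.IsLive(httpContext.Request);
    }
}
```

The LogOff action above would call RevocableFormsAuth.SignOut(User.Identity.Name) in place of FormsAuthentication.SignOut(), and protected actions would carry [RevocableAuthorize] so a replayed ticket is rejected even though it still decrypts and has not expired.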