After a pen test of our system, it was pointed out that when a user is logged out, that user's session is still active, although the cookie is deleted. I have confirmed this by copying the .AspNet.ApplicationCookie value and making a request to an otherwise restricted site with Postman. When debugging I can see that even after I abandon the session, the session persists with an ID.
This is my current LogOff method:
public ActionResult LogOff()
{
HttpContext.Response.Cache.SetAllowResponseInBrowserHistory(false);
HttpContext.Response.Cache.SetCacheability(HttpCacheability.NoCache);
AuthenticationManager.SignOut(DefaultAuthenticationTypes.ApplicationCookie);
HttpContext.Session.Clear();
HttpContext.Session.Abandon();
HttpContext.Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", ""));
return RedirectToAction("Index", "Home");
}
I wonder if this is a bug in Identity or MVC or is it me that's missing something?
I am using Identity 2.2.1 with Entity Framework 6 and MVC 5.
Identity does not use session, so if you do use it, it'll be your responsibility to kill the session.
However, when Identity does log out, the cookie is expired. But the same cookie value can still be used afterwards to be logged in. To mitigate this you can update the SecurityStamp on a user:
await userManager.UpdateSecurityStampAsync(userId);
and make sure you have SecurityStampValidator activated in Startup.Auth.cs:
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
Provider = new CookieAuthenticationProvider
{
OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
validateInterval: TimeSpan.FromMinutes(1),
regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager)),
},
// other stuff
});
However, be aware that updating the security stamp will invalidate all of the user's cookies in all browsers. So if the user is logged in in Chrome and IE, then logs out from Chrome, the IE cookie will also be invalidated.
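The two pieces of the answer put together as an added example (not code from the question or the answer): the stamp is rotated before sign-out, so every cookie already issued for that user fails the validator's next check. It assumes the default MVC 5 Identity template's ApplicationUserManager/ApplicationUser types and a UserManager property on the controller.

```csharp
// AccountController.cs (added example; assumes the default MVC 5 Identity template's
// ApplicationUserManager/ApplicationUser and a UserManager property on the controller).
// Namespaces used: System, System.Threading.Tasks, System.Web.Mvc,
// Microsoft.AspNet.Identity, Microsoft.AspNet.Identity.Owin,
// Microsoft.Owin, Microsoft.Owin.Security.Cookies, Owin.
[HttpPost]
[ValidateAntiForgeryToken]
public async Task<ActionResult> LogOff()
{
    var userId = User.Identity.GetUserId(); // Microsoft.AspNet.Identity extension method
    if (!string.IsNullOrEmpty(userId))
    {
        // Rotating the stamp makes every existing cookie for this user fail
        // SecurityStampValidator on its next validation pass, so a copied
        // cookie value can no longer be replayed after logout.
        await UserManager.UpdateSecurityStampAsync(userId);
    }

    AuthenticationManager.SignOut(DefaultAuthenticationTypes.ApplicationCookie);

    // Identity does not use ASP.NET Session; clearing it is the application's own job.
    Session.Clear();
    Session.Abandon();

    return RedirectToAction("Index", "Home");
}

// Startup.Auth.cs: the validator is what actually enforces the rotated stamp.
// validateInterval bounds how long an already-issued cookie stays usable after
// the stamp changes; a shorter interval means more database reads per request.
public void ConfigureAuth(IAppBuilder app)
{
    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
        LoginPath = new PathString("/Account/Login"),
        Provider = new CookieAuthenticationProvider
        {
            OnValidateIdentity = SecurityStampValidator
                .OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                    validateInterval: TimeSpan.FromMinutes(1),
                    regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
        }
    });
}
```

With this wiring a replayed cookie is rejected on the first request that falls after the next validation pass, so the remaining exposure window is at most validateInterval; as the answer notes, the rotation also signs the user out of every other browser.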