I'm trying to prevent a valid authentication cookie replay attack on an ASP.NET Core application which is using default Identity.
I have tried a few things but nothing seems to be working. Once the user logs off from a session, I can see that I can still replay the authenticated request again using the old cookie.
Is there a way to prevent this?
Thanks
ASP.NET Core is not keeping track of sessions server-side. All session information is contained in the cookie itself (see this issue).
If you want to prevent replay attacks you need to keep track of sessions yourself. A convenient way to do so is to implement an ITicketStore
(see SessionStore). Hint: make sure that your store survives an IIS reboot if you don't want your users to experience a logout.
Before doing so, of course you need to assess whether a replay attack is a real danger to your setup. Quoting this article:
If you make sure your site is only ever served over HTTPS, and your cookies are set as "secure", "same site", and "HTTP only", then an attacker will not be able to obtain the cookie value unless they have managed to perform a man-in-the-middle (MitM) attack. And if they've done that, you've got much bigger problems.
And:
Another concern would be if their computer or browser is compromised by malicious code. But again, if that happens, they've got bigger problems to worry about.