Tags: c#, .net, asp.net-core, asp.net-core-mvc, asp.net-core-identity

Prevent authentication bypass via response manipulation with ASP.NET Core Identity implementation


Our web application has an ASP.NET Core Identity implementation. During security testing of the application, a vulnerability was found: authentication bypass via response manipulation.

For example: User1 logs in to the system with valid user credentials, and the cookie for that user is copied; then User1 logs out. User1 tries to log in with an incorrect password, intercepts the request and uses User1's valid cookie to log in to the system, and User1 is logged in even with the incorrect password.

How to destroy the cookie and invalidate the session for asp.net core identity implementation?

ASP.NET Core Identity, .NET 5.0, ASP.NET Core MVC


Solution

  • You can use the SecurityStamp property and the SecurityStampValidatorOptions.ValidationInterval property to make the logged-out user's cookie invalid.

    1. Register ValidationInterval in ConfigureServices

    // How often the cookie middleware re-checks the user's SecurityStamp
    // against the store; a cookie whose stamp no longer matches is rejected.
    services.Configure<SecurityStampValidatorOptions>(options =>
    {
        options.ValidationInterval = TimeSpan.FromSeconds(1);
    });


    2. Add userManager.UpdateSecurityStampAsync() in your Logout action like below

    public async Task<IActionResult> Logout()
    {
        var userid = userManager.GetUserId(User);
        var user = await userManager.FindByIdAsync(userid);
        if (user != null)
        {
            // Rotate the stamp so any previously issued cookie fails validation
            await userManager.UpdateSecurityStampAsync(user);
        }
        // Remove the cookie from the current browser
        await signInManager.SignOutAsync();

        return RedirectToAction("Index", "Home");
    }


    Result: (screenshot)
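As an added example (not the asker's or answerer's code), here is the full .NET 5 wiring that ties the two steps above together: Identity registration, the SecurityStampValidatorOptions setting, cookie hardening, and a Logout action that rotates the security stamp before signing out. ApplicationDbContext, the "DefaultConnection" connection string and the AccountController route names are assumptions, as is the use of IdentityUser/IdentityRole and SQL Server.

```csharp
// Added example, not code from the original Q&A. Assumes an ApplicationDbContext
// backed by SQL Server and a connection string named "DefaultConnection".
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Identity.EntityFrameworkCore;
using Microsoft.AspNetCore.Mvc;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

// Minimal Identity store (assumed name).
public class ApplicationDbContext : IdentityDbContext
{
    public ApplicationDbContext(DbContextOptions<ApplicationDbContext> options) : base(options) { }
}

public class Startup
{
    private readonly IConfiguration _configuration;
    public Startup(IConfiguration configuration) => _configuration = configuration;

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddDbContext<ApplicationDbContext>(options =>
            options.UseSqlServer(_configuration.GetConnectionString("DefaultConnection")));

        services.AddIdentity<IdentityUser, IdentityRole>()
            .AddEntityFrameworkStores<ApplicationDbContext>()
            .AddDefaultTokenProviders();

        // How often the cookie handler re-reads the user's SecurityStamp from the store
        // and compares it with the value embedded in the cookie. The default is 30 minutes,
        // which is the window during which a cookie copied before logout keeps working.
        // One second closes that window at the cost of a user-store read on nearly every request.
        services.Configure<SecurityStampValidatorOptions>(options =>
        {
            options.ValidationInterval = TimeSpan.FromSeconds(1);
        });

        services.ConfigureApplicationCookie(options =>
        {
            options.LoginPath = "/Account/Login";
            options.LogoutPath = "/Account/Logout";
            options.Cookie.HttpOnly = true;                      // not readable from script
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always; // HTTPS only
        });

        services.AddControllersWithViews();
    }

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        app.UseHttpsRedirection();
        app.UseRouting();
        app.UseAuthentication(); // runs the cookie handler (and the stamp check) before authorization
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapDefaultControllerRoute());
    }
}

public class AccountController : Controller
{
    private readonly UserManager<IdentityUser> _userManager;
    private readonly SignInManager<IdentityUser> _signInManager;

    public AccountController(UserManager<IdentityUser> userManager,
                             SignInManager<IdentityUser> signInManager)
    {
        _userManager = userManager;
        _signInManager = signInManager;
    }

    [HttpPost]
    [Authorize]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> Logout()
    {
        var user = await _userManager.GetUserAsync(User);
        if (user != null)
        {
            // Rotating the stamp on the server is what invalidates every cookie issued
            // for this user; SignOutAsync alone only deletes the cookie from this browser.
            await _userManager.UpdateSecurityStampAsync(user);
        }
        await _signInManager.SignOutAsync();
        return RedirectToAction("Index", "Home");
    }
}
```

After this change, a request carrying the pre-logout cookie is rejected by the cookie handler on the next validation pass (at most one second later), because the stamp in the cookie no longer matches the one in the store; the user is treated as anonymous and redirected to LoginPath. Note that UpdateSecurityStampAsync signs out every session of that user, not just the one that clicked Logout, which is usually the desired behaviour for this finding.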