ASP.NET Core MVC - cookie authentication: can a malicious user edit their cookie to give themselves more permissions?
TL;DR Can a malicious user modify their cookie so they have claims they should not, or is the cookie string encrypted or protected in some way?
I've implemented cookie authentication in my ASP.NET Core 6.0 MVC application.
Program.cs
builder.Services
.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
.AddCookie(options =>
{
options.ExpireTimeSpan = TimeSpan.FromMinutes(60);
options.SlidingExpiration = true;
options.AccessDeniedPath = "/Forbidden/";
options.Cookie.Name = "IANSW_Session";
options.Cookie.HttpOnly = true;
});
In my login controller the SignInAsync method is called like this:
var authProperties = new AuthenticationProperties();
var claims = await _claimsService.GetClaimsForUsername(userResult.Username);
var claimsIdentity = new ClaimsIdentity(claims, CookieAuthenticationDefaults.AuthenticationScheme);
await HttpContext.SignInAsync(
CookieAuthenticationDefaults.AuthenticationScheme,
new ClaimsPrincipal(claimsIdentity),
authProperties);
Now, one of these claims will be a CanEditPosts claim. The 'EditPost' action looks something like this:
[Authorize("CanEditPosts")]
public async Task<IActionResult> EditPost(int postId)
{
if (!User.Identity.IsAuthenticated) return Json("Error");
var userPosts = _userPostService.GetAllUserPostsIDs(User.Identity.Name);
if (userPosts.Contains(postId))
{
// User is trying to edit one of their own posts
}
// etc...
}
My question: is it possible for a user to edit their own cookie to give themselves the CanEditPosts claim, or perhaps change their Name in the cookie so the code thinks someone else's posts belongs to them?
I can see in my browsers dev tools the cookie looks like this, but I have no idea if this is encrypted or protected in some other way.
From microsoft documentation:
SignInAsynccreates an encrypted cookie and adds it to the current response.
ASP.NET Core's Data Protection system is used for encryption.
- MVC ASP.NET Core Show detailed error for staging environment
- EF Core CRUD Scaffold, show primary key in view?
- How to read journal in Linux
- Multiple many-to-many and multiple one-to-one relationships in the same entities
- Username is already taken when actually it is not ASP.NET Core
- How does the Form Tag Helper determine the rendered form action?
- Return url functionality
- Get application virtual base path in aspnet core
- How to prevent controllers from loading in ASP.NET Core 6 MVC
- How to I properly implement C# classes using ASP.NET Core MVC?
- The edit method probably does not communicate with DB, the edit will not be displayed/visible on the Card View | ASP.NET Core
- How to run stored procedures in Entity Framework Core?
- Why is Razor Pages the recommended approach to create a Web UI in Asp.net Core?
- Publish to IIS, setting Environment Variable
- How to indicate a method in a controller is not an action method?
- Font awesome icons not showing up in ASP.NET CORE MVC Project
- .Net 8: Cannot authenticate user with "Individual Accounts Auth" template
- Routing in ASP.NET Core MVC with controllers and views
- Override redirect URL in AddMicrosoftAccount() identity OAuth for ASP.NET Core web app
- ASP.NET Core 8 MVC: Action can't have named route value other than id
- (ERROR 404) Can't find this page using @addTagHelper *, Microsoft.AspNetCore.Mvc.TagHelpers
- Post form to controller in ASP.NET Core MVC not working
- How to correctly set up a razor page to have access to data in code-behind
- Unable to resolve service for type while attempting to activate
- Manual controller registration in ASP.NET Core dependency injection
- ASP.NET Core 5 WebAPI - Azure AD - Call Graph API Using Azure Ad Access Token
- The name `addtaghelper` does not exist in the current context
- Could not load type when using Microsoft.AspNetCore.Mvc.ViewFeatures
- How to remove computer and process names and process ids from syslog
- ASP.Net Core 2.0 MVC website Styles and content disappear when opening Bootstrap Modal Dialog