ASP.NET Core MVC - cookie authentication: can a malicious user edit their cookie to give themselves more permissions?
TL;DR Can a malicious user modify their cookie so they have claims they should not, or is the cookie string encrypted or protected in some way?
I've implemented cookie authentication in my ASP.NET Core 6.0 MVC application.
Program.cs
builder.Services
.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
.AddCookie(options =>
{
options.ExpireTimeSpan = TimeSpan.FromMinutes(60);
options.SlidingExpiration = true;
options.AccessDeniedPath = "/Forbidden/";
options.Cookie.Name = "IANSW_Session";
options.Cookie.HttpOnly = true;
});
In my login controller the SignInAsync method is called like this:
var authProperties = new AuthenticationProperties();
var claims = await _claimsService.GetClaimsForUsername(userResult.Username);
var claimsIdentity = new ClaimsIdentity(claims, CookieAuthenticationDefaults.AuthenticationScheme);
await HttpContext.SignInAsync(
CookieAuthenticationDefaults.AuthenticationScheme,
new ClaimsPrincipal(claimsIdentity),
authProperties);
Now, one of these claims will be a CanEditPosts claim. The 'EditPost' action looks something like this:
[Authorize("CanEditPosts")]
public async Task<IActionResult> EditPost(int postId)
{
if (!User.Identity.IsAuthenticated) return Json("Error");
var userPosts = _userPostService.GetAllUserPostsIDs(User.Identity.Name);
if (userPosts.Contains(postId))
{
// User is trying to edit one of their own posts
}
// etc...
}
My question: is it possible for a user to edit their own cookie to give themselves the CanEditPosts claim, or perhaps change their Name in the cookie so the code thinks someone else's posts belongs to them?
I can see in my browsers dev tools the cookie looks like this, but I have no idea if this is encrypted or protected in some other way.
From microsoft documentation:
SignInAsynccreates an encrypted cookie and adds it to the current response.
ASP.NET Core's Data Protection system is used for encryption.
- I get Error when I call get API with certificate
- InvalidCastException: Unable to cast object of type 'System.Linq.OrderedEnumerable to type 'System.Collections.Generic.List
- Resolving instances with ASP.NET Core DI from within ConfigureServices
- How to prevent a clear data upon clicking new add address using button in ASP.Net Core
- Can I generate script of a migration with EF code first and .net core
- Why do I get the SpecialityName as null here?
- When using services.AddHttpClient, where is the HttpClient created?
- AspNetCore 2.0 MVC / 'model' must appear at the start line
- How to run stored procedures in Entity Framework Core?
- ASP.NET Core 8.0 MVC : best practice for dynamically created controls from SQL
- How can I check for a response cookie in Asp.net Core MVC (aka Asp.Net 5 RC1)?
- Can WebOptimizer pipeline be created in a separate file?
- Is it possible to execute a ViewComponent inside a controller and store the HTML as a string
- .NET Core, Invalid ModelState on AllowNull Navigational Properties on Simple Product & Categories Model
- ASP.NET Core 6 MVC - access a view (.cshtml) page from a different class library project
- Issue with assessing data in blob storage using OAuth tokens from a dotnet app
- How to automatically populate CreatedDate and ModifiedDate?
- Get service from WebApplicationFactory<T> in ASP.NET Core integration tests
- ASP.NET Core 8.0 MVC : encoding issue in js files
- Yarp forwarding settings to dynamically forward
- How to remove registration completely in ASP.NET Core 8.0 with Entity Framework Core?
- Threading MVC 6 .net 5
- How to add ModelStateInvalidFilter as a global filter?
- How to apply Serilog for asp.net core mvc
- How can I make it so the selectList in the controller returns only one choice to be displayed?
- ASP.NET Core 8 OpenID Connect - SUB claim missing on User.Identity
- Include ONLY .xml file of SPECIFIC nuget package in a different folder
- ASP.NET Core MVC : return view and then redirect to another one
- Ajax call for downloading data in excel is not working
- ASP.NET Core 8 MVC model validation - [Required] vs nullable type indicator