asp.net - How to track expired WIF fedauth cookies?


I have an interesting problem trying to keep track of expired WIF authentication sessions/cookies.

As a bit of background: the site is MVC 3, uses Windows Identity Foundation (WIF) and has a trust with an ADFS server as the STS. The entire site is protected by SSL. The STS has token expiry set to 60 minutes.

When a user signs out manually, I call the signout method on the fedauth module:

    FederatedAuthentication.WSFederationAuthenticationModule.SignOut(false);

This of course removes the FedAuth cookies, but here's where the problem starts. If I capture the cookies with Fiddler, I can re-present them to the site within the expiry time and still be treated as logged in.

I realise this is being performed from the privileged position of the browser having accepted the Fiddler proxy... but the customer is worried that the auth cookies not being expired presents a significant security risk. They're not convinced that SSL protects the site sufficiently, and that if an attacker could execute a MITM attack, they could use the cookies after the user thinks they have logged out.

I have explained that if it is vulnerable after log out, it is vulnerable during log in, but they don't care...

So I have looked at ways to make sure that once a user logs off, the FedAuth cookies associated with that logon session are treated as expired. The WIF handlers don't seem to have a built-in mechanism for tracking expired tokens, and I have not found anything else related to this.

I guess this is in fact a wider problem -> how do you detect expired cookies in general? A valid cookie is a valid cookie!

The obvious solution is to track the cookies after logout somehow, but I'd like to avoid a custom code route if possible; as a noob, a lot of the security literature tells me to avoid custom coding this kind of session mechanics, and who am I to say that's wrong!

Is anyone aware of standard solutions to this problem in ASP.NET?

Thanks in advance.

You can't without keeping a server-side list of revoked tokens. That is why you rely upon the inherent expiration and on HTTPS to prevent the token from being leaked/stolen.
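The server-side revocation list the answer describes, as an added example that is neither the asker's code nor a WIF built-in. It assumes the WIF 4.5 namespaces (System.IdentityModel.Services; the WIF 1.0 equivalents live under Microsoft.IdentityModel.Web), that the module is registered under the name SessionAuthenticationModule so ASP.NET's Global.asax "ModuleName_EventName" convention wires the handler, and that the site runs on a single server, since MemoryCache is per-process and a web farm would need a shared store. The method name RevokeCurrentSessionAndSignOut is made up for this example.

```csharp
using System;
using System.IdentityModel.Services;   // assumed: WIF 4.5; WIF 1.0 uses Microsoft.IdentityModel.Web
using System.IdentityModel.Tokens;
using System.Runtime.Caching;
using System.Web;

public class MvcApplication : HttpApplication
{
    // Ids of session tokens whose users have logged out. Each entry is cached only
    // until the token's own ValidTo (60 minutes in the question), so the list prunes
    // itself and never holds more than one entry per logout within the token lifetime.
    // MemoryCache.Default is per-process (assumption: single server, no web farm).
    private static readonly MemoryCache RevokedTokens = MemoryCache.Default;

    // Raised by WIF's SessionAuthenticationModule for every request that carries a
    // cryptographically valid FedAuth cookie, before the principal is set.
    protected void SessionAuthenticationModule_SessionSecurityTokenReceived(
        object sender, SessionSecurityTokenReceivedEventArgs e)
    {
        SessionSecurityToken token = e.SessionToken;
        if (token != null && RevokedTokens.Contains(token.Id))
        {
            // The cookie validates, but the session was explicitly ended: refuse to
            // authenticate the request and clear the cookie so the client stops
            // sending it. Worth logging, since a replay after logout is what the
            // customer is worried about.
            e.Cancel = true;
            FederatedAuthentication.SessionAuthenticationModule.SignOut();
        }
    }

    // Call this from the logout action instead of a bare SignOut(false).
    // (Hypothetical helper name; not part of WIF.)
    public static void RevokeCurrentSessionAndSignOut()
    {
        SessionSecurityToken token =
            FederatedAuthentication.SessionAuthenticationModule.ContextSessionSecurityToken;
        if (token != null)
        {
            // Remember the id until the token would have expired on its own anyway;
            // after that the replayed cookie fails WIF's normal validation.
            RevokedTokens.Add(token.Id, true, new DateTimeOffset(token.ValidTo));
        }
        FederatedAuthentication.WSFederationAuthenticationModule.SignOut(false);
    }
}
```

Keying the list on the token id (read from the decrypted cookie, not from the raw cookie bytes) means it works even though the cookie contents are opaque to the browser, and bounding each entry by ValidTo keeps the custom state as small as it can be: the list only ever has to remember what the STS's own expiry does not yet cover.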

