Logout Broken in ASP.net core web application

[wsrinivaswcc]

Hi Guys

We have a situation with our Application Authorisation/Authentication

User logs in ASP.net core web application
Copies the login application cookie
User logs out of the ASP.net core web application
Goes to a software like Fiddler, browses an application page with the Logged in application cookie,
Problem is application doesn’t recognise that the user has logged out, and provides sensitive information .

[blowdart]

If someone can steal your cookie that means they're running software on your machine, and you have bigger problems like them watching for your typing in your username and password, which means invalidating cookies won't be useful as they can just login again.

If you're worried about the cookie being stolen across then network then make sure you're only running on HTTPS.

[saciervo]

Modify your logout process to not just deleting the cookie, but also ensure you invalidate the user session. Of course you then also need to check for a valid user session when processing a request with a valid cookie. If the session is not valid, force the user to re-authenticate..

[blowdart]

Authentication is not linked to session. If you do believe that you still need to protect against malware on a user's machine you can update the identity security stamp, assuming you are using identity. That will invalidate cookies once checked (which by default is every 20 minutes). However if your users are using multiple devices it will log them out everywhere.

[Tratcher]

Identity does have support for this via the sign-out-everywhere feature that clears the security stamp. Cookie auth re-validates the security stamp, but only every 5 minutes(?).

[blowdart]

We're closing this issue as the behaviour discussed seems to be by design.

[blowdart]

We're closing this issue as the behaviour discussed seems to be by design.