ASP.Net Session Not Invalidated After Logout
I have an ASP.Net application; in my login page I call

FormsAuthentication.SignOut();
Session.Abandon();
Session.Clear();

However, AppScan is taking the ASPXAUTH cookie value, and after logout it is able to re-inject the cookie value to gain access to protected pages.

Microsoft has acknowledged a problem but only offers advice, not a fix - http://support.microsoft.com/kb/900111

Can someone provide examples of how to fix this issue?

Best answer

One option is to have a UserSession table and insert a record into this table when the user logs in. When you logout either delete the entry or mark it invalid. On the secure pages, verify that a UserSession exists for the logged in user and redirect to a login page if it does not.

Answers

Set a session value on login, clear it on logout, and check it on each access to a secure page. The session value is not sent to the client, and as such the client/attacker cannot manipulate it.

Walkthrough without session value cleared on exit:

user visits login page - generates viewstate; man-in-the-middle hacker collects viewstate

user submits login form - generates auth cookies; man-in-the-middle hacker collects auth cookies

user logs out - server clears user's cookies; man-in-the-middle hacker continues to use previous credentials completely unhindered. Game over.

Walkthrough with session value cleared on exit:

user visits login page - generates viewstate; man-in-the-middle hacker collects viewstate

user submits login form - generates auth cookies; man-in-the-middle hacker collects auth cookies

user logs out - server clears user's cookies and sets its internal session flag value to null; man-in-the-middle hacker continues to use previous credentials, but because the session he is working with now has the value null, server redirects to login page. Win!
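Both answers describe the same defence: the forms-auth cookie stays cryptographically valid after logout, so the server must keep its own record of which logins are still live and check it on every request. The following is an added example implementing that idea in ASP.NET, not code from the question or either answer. It assumes a ConcurrentDictionary standing in for the UserSession table (in production this would be a database table so it survives app-domain recycles and works across a web farm), a 30-minute ticket lifetime, and the module being registered in web.config; the class and method names (UserSessionStore, RevocationCheckModule, Issue, Revoke, IsLive, Logout) are invented for this example.

```csharp
using System;
using System.Collections.Concurrent;
using System.Web;
using System.Web.Security;

// Server-side registry of live logins. Assumption: stands in for the UserSession table
// from the accepted answer; swap the dictionary for a database table in production.
public static class UserSessionStore
{
    private static readonly ConcurrentDictionary<string, string> Live =
        new ConcurrentDictionary<string, string>();

    // Login: mint an unguessable session id, record it server-side, and bind it into the
    // forms-auth ticket's UserData so every later request carries it.
    public static void Issue(HttpResponse response, string userName)
    {
        string sessionId = Guid.NewGuid().ToString("N");
        Live[sessionId] = userName;

        var ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.AddMinutes(30), // assumed 30-minute lifetime
            false, sessionId);
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                          // keep script from reading the ticket
            Secure = FormsAuthentication.RequireSSL   // honour requireSSL from web.config
        };
        response.Cookies.Add(cookie);
    }

    // Logout: delete the record. A replayed ASPXAUTH cookie now fails IsLive even though
    // FormsAuthentication itself would still decrypt and accept it.
    public static void Revoke(string sessionId)
    {
        string ignored;
        if (sessionId != null) Live.TryRemove(sessionId, out ignored);
    }

    // The per-request check: the id must exist and must belong to the ticket's user.
    public static bool IsLive(string sessionId, string userName)
    {
        string owner;
        return sessionId != null
            && Live.TryGetValue(sessionId, out owner)
            && owner == userName;
    }

    // Logout handler: revoke first, then do the usual SignOut/Abandon from the question.
    public static void Logout(HttpContext ctx)
    {
        var identity = ctx.User == null ? null : ctx.User.Identity as FormsIdentity;
        if (identity != null) Revoke(identity.Ticket.UserData);
        FormsAuthentication.SignOut();
        if (ctx.Session != null) ctx.Session.Abandon();
    }
}

// HttpModule that runs after forms authentication has parsed the cookie and rejects any
// ticket whose server-side record is gone.
public class RevocationCheckModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        app.PostAuthenticateRequest += (sender, e) =>
        {
            var ctx = ((HttpApplication)sender).Context;
            if (ctx.User == null) return;                   // anonymous request
            var identity = ctx.User.Identity as FormsIdentity;
            if (identity == null) return;                   // not a forms-auth ticket

            if (!UserSessionStore.IsLive(identity.Ticket.UserData, identity.Name))
            {
                // Valid signature, revoked session: treat the caller as logged out.
                FormsAuthentication.SignOut();
                ctx.Response.Redirect(FormsAuthentication.LoginUrl, true);
            }
        };
    }

    public void Dispose() { }
}
```

To wire this in, the login page calls UserSessionStore.Issue(Response, userName) instead of FormsAuthentication.SetAuthCookie, the logout page calls UserSessionStore.Logout(Context), and the module is registered under system.webServer/modules (IIS integrated mode) or system.web/httpModules (classic mode) with type="RevocationCheckModule". Because the revocation state lives only on the server, replaying a captured ASPXAUTH cookie after logout produces a redirect to the login page, which is exactly the behaviour AppScan is looking for.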
