Copied to clipboard

Flag this post as spam?

This post will be reported to the moderators as potential spam to be looked at


  • MP 7 posts 76 karma points
    Feb 02, 2024 @ 10:35
    MP
    0

    Umbraco member logout doesn't invalidate the cookie

    Hi,

    I'm trying to make sure that the .AspNetCore.Identity.Application cookie gets invalidated on Umbraco frontend member logout.

    I'm using IMemberSignInManager.SignOutAsync() to sign out a member on click of logout button. This method updates the security stamp which I could verify in the database as well. Also, I could verify that the security stamp is part of the user's identity claims. However, this is not invalidating the cookie. When I use the same cookie which got generated on login after I logout in a postman call to the application, I can still access the content which is accessible only to logged in users.

    Any help on this is greatly appreciated. Thanks!

  • Steve Morgan 1348 posts 4457 karma points c-trib
    Feb 05, 2024 @ 08:46
    Steve Morgan
    0

    After a pen test I added the following to go full nuclear on cookies on sign out - perhaps this is useful to you.

            // Clear-Site-Data: - recommend on pen test 
            // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Clear-Site-Data
            HttpContext.Response.Headers.Add("Clear-Site-Data", "\"cache\", \"cookies\", \"storage\", \"executionContexts\"");
    

    NOTE - this also boots any signed in users out of Umbraco, it also killed our cart cookie and sessions etc

  • MP 7 posts 76 karma points
    Feb 07, 2024 @ 03:51
    MP
    0

    Thanks for help. But my problem is slightly different. This solution is going to clear the cookies from the browser but doesn't invalidate the cookie on the server. What I'm looking for is

    Step 1: Login to Umbraco frontend

    Step 2: Copy the cookie from the browser when logged in

    Step 3: Hit the application with this cookie from Postman or any similar tool. This returns the user information (I've an endpoint which returns the user info based on cookie received. If the cookie is not valid, it returns anonymous user)

    Step 4: Logout of Umbraco frontend (this is currently clearing the cookie, so the user is not logged in to website on browser and it expects the credentials again)

    Step 5: Hit the application (the same endpoint used in step 3) with the same cookie that we got from step 2 using Postman or similar. I want the cookie to have been invalidated and this endpoint return me 'Anonymous user', however, it still returns me the user information as the cookie is still valid

    How can I make sure that the cookies is not valid anymore when used in step 5?

  • Ian McNeish 4 posts 74 karma points
    Mar 20, 2024 @ 11:46
    Ian McNeish
    0

    Did you ever get a solution for this?

    We received a 'low' issue regarding this on our pen test but the client wants it resolved.

  • MP 7 posts 76 karma points
    Mar 21, 2024 @ 03:30
    MP
    0

    No. Still looking for a solution.

  • Ian McNeish 4 posts 74 karma points
    Mar 21, 2024 @ 15:47
    Ian McNeish
    0

    I just rolled my own token store and added that a secondary layer of auth, worked pretty easily and persisted tokens to the database so I could clear out all of a users sessions on logout or password change.

Please Sign in or register to post replies

Write your reply to:

Draft