authentication - Restrict Auth & Session Cookies to a Subdomain in ASP.NET MVC5


I have a multi-tenanted application with several clients, distinguished by subdomain:

client1.mydomain.com, client2.mydomain.com, etc.

I'm using forms authentication, and the ASP.NET auth & session cookies on a client are set to the subdomain, e.g. client1.mydomain.com. This means that if I browse to client2.mydomain.com I'm not logged in, as the browser doesn't post the client1 cookies. As it should be.

However, it has been picked up by our security testing that you can take the cookie values from client1 and use those values to create cookies for client2 (we've done this in Firebug). ASP.NET accepts these cookies and thinks you're authorised on client2.

How can I configure ASP.NET so this doesn't happen?

The forms element in web.config allows you to set the domain, but I can't use that as I've got a multi-tenanted app. I'm setting the cookie with

    FormsAuthentication.SetAuthCookie(username, false);

but I don't see how to limit it to the subdomain.

You should add the domain name to the user data of the cookie. You have to switch to the cookie API:

    // host of the tenant issuing the ticket, e.g. client1.mydomain.com
    string domain = Request.Url.Host;

    FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
        1,                                          // ticket version
        username,                                   // authenticated user name
        DateTime.Now,                               // issue date
        DateTime.Now.Add(FormsAuthentication.Timeout), // expiration
        false,                                      // not persistent
        domain,                                     // UserData: the issuing domain, checked on every request
        FormsAuthentication.FormsCookiePath);
    HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName);
    cookie.Value = FormsAuthentication.Encrypt(ticket);
    Response.SetCookie(cookie);

Then, in the global application class, you have an event handler that fires after the identity is established for the request. In the handler, verify that the domain name in the cookie is equal to the domain of the current request:

    public void Application_PostAuthorizeRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        HttpContext ctx = app.Context;

        if (ctx.User != null && ctx.User.Identity.IsAuthenticated)
        {
            // host of the current request, e.g. client1.mydomain.com
            string currentDomain = ctx.Request.Url.Host;

            // domain stored in the ticket's UserData when the cookie was issued
            FormsIdentity id = ctx.User.Identity as FormsIdentity;
            if (id == null)
                return;
            FormsAuthenticationTicket ticket = id.Ticket;
            string cookieDomain = ticket.UserData;

            // hostnames are case-insensitive, so compare accordingly
            if (!string.Equals(currentDomain, cookieDomain, StringComparison.OrdinalIgnoreCase))
                throw new Exception("break execution of current request");

            // ... continue with the request as normal
        }
    }

This check validates whether the cookie was issued for the current domain, or whether someone is trying to reuse cookies between different domains.
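The following is an added, self-contained Python illustration of the binding the answer describes, not code from the question or answer and not ASP.NET's own implementation. It stands in for FormsAuthentication.Encrypt with an HMAC over a JSON payload (the constructed key, the helper names and the ticket layout are all assumptions for the demo): the issuing host goes into the signed payload, just as the answer puts it into UserData, and verification rejects a ticket whose host does not match the host of the request it is presented to, which is exactly the copied-cookie case the question reports.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key. In ASP.NET the equivalent is the machineKey from web.config.
SECRET_KEY = b"demo-machine-key-not-for-production"
TAG_LEN = 32  # SHA-256 HMAC tag length in bytes


def issue_ticket(username: str, host: str, ttl_seconds: int = 1800,
                 now: Optional[float] = None) -> str:
    """Build a signed ticket whose payload records the issuing host.

    This mirrors the answer's use of FormsAuthenticationTicket.UserData: the host
    is covered by the signature, so it cannot be edited on the client side.
    """
    now = time.time() if now is None else now
    payload = {"name": username, "host": host.lower(), "exp": now + ttl_seconds}
    body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(SECRET_KEY, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag).decode()


def verify_ticket(cookie_value: str, request_host: str,
                  now: Optional[float] = None) -> Optional[str]:
    """Return the username if the ticket is intact, unexpired and was issued for
    request_host; otherwise return None.

    The host comparison is the check the answer's PostAuthorizeRequest handler
    performs: a ticket copied from client1 is structurally valid but is refused
    when presented on client2.
    """
    now = time.time() if now is None else now
    try:
        raw = base64.urlsafe_b64decode(cookie_value.encode())
    except (ValueError, binascii.Error):
        return None
    if len(raw) <= TAG_LEN:
        return None
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(SECRET_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # tampered or forged ticket
    try:
        payload = json.loads(body)
    except ValueError:
        return None
    if payload.get("exp", 0) < now:
        return None  # expired
    if payload.get("host") != request_host.lower():
        return None  # issued for a different tenant host
    return payload.get("name")


if __name__ == "__main__":
    # Constructed scenario: a ticket issued on client1 is presented on both hosts.
    t = issue_ticket("alice", "client1.mydomain.com")
    print("client1:", verify_ticket(t, "client1.mydomain.com"))  # alice
    print("client2:", verify_ticket(t, "client2.mydomain.com"))  # None
```

The demo deliberately keeps the host comparison separate from the signature check: the signature proves the server issued the ticket, and the host check proves it was issued for this tenant. Without the second step, any structurally valid ticket would be accepted on every subdomain, which is the behaviour the question observed.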
