authentication - Restrict Auth & Session Cookies to a Subdomain in ASP.NET MVC5 -
i have multi-tenanted application several clients, distinguished subdomain:
client1.mydomain.com client2.mydomain.com etc
i'm using forms authentication , asp.net auth & session cookies on client set subdomain, e.g. client1.mydomain.com. means if browse client2.mydomain.com i'm not logged in , browser doesn't post client1 cookies. should be.
however has been picked our security testing can take cookie values client1 , use values create cookies client2 (we've done in firebug). asp.net accepts these cookies , thinks you're authorised on client2.
how can configure asp.net doesn't happen?
the forms element in web.config allows set domain can't use i've multi-tenanted app. i'm setting cookie with
formsauthentication.setauthcookie(username, false);
but don't see why limit subdomain.
you should add domain name user data of cookie. have switch cookie api:
formsauthenticationticket ticket = new formsauthenticationticket( ... other parameters ..., domain ); httpcookie cookie = new httpcookie( formsauthentication.formscookiename ); cookie.value = formsauthentication.encrypt( ticket ); response.setcookie( cookie );
then, in global application class have event handler fires after identity established request. in handler, verify domain name in cookie equal domain of current request:
public void application_postauthorizerequest( object sender, eventargs e ) { httpapplication app = sender httpapplication; httpcontext ctx = app.context; if ( ctx.user.identity.isauthenticated ) { // current domain string currentdomain = ctx.request.url.... // domain // domain cookie formsidentity id = (formsidentity)ctx.user.identity; formsauthenticationticket ticket = id.ticket; string cookiedomain = ticket.userdata; if ( currentdomain != cookiedomain ) throw new exception( "break execution of current request" ); ...
this check validate if cookie issued current domain or rather tries reuse cookies between different domains.
Comments
Post a Comment