In ASP.NET MVC5 projects, when using Individual User Accounts, OWIN uses a cookie to save the authentication-related information. By default the cookie is set to expire when the browser session ends, or 14 days from the last login when the user selects the "Remember Me" option.
So, as Microsoft configures the MVC5 project template, by default, if the cookie is present in the browser and it is not expired, the user will be "logged in" automatically, without authenticating the user in the business layer. With the default configuration (14 days and sliding expiration), a user that chooses "remember me" and uses the site at least once every 14 days will always stay logged in.
So with this configuration there can be a security problem when we remove an existing user account or change the password: the user will still be able to enter the site and won't be asked for a new user/password.
I have modified the configuration in the Startup.Auth.cs file to minimize the problem, disabling sliding expiration and reducing the expiration time span, but this does not solve the problem:
using System;
using Microsoft.AspNet.Identity;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        // Application cookie: absolute two-day lifetime, no sliding renewal
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/LoginAlert"),
            ExpireTimeSpan = new TimeSpan(2, 0, 0, 0),
            SlidingExpiration = false
        });
        ...
    }
}
Is there any standard or recommended way in MVC5/OWIN to ensure that the user account still exists, the roles have not changed and the password has not changed since the last login in that browser? Also, I would like to minimize the number of times we go to the database.
In the next version there will be something called the SecurityStampValidator which is used in conjunction with the CookieAuthenticationProvider to protect against this.
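The SecurityStampValidator wiring the answer refers to, as an added example that is not code from the question, the answer, or the page. It assumes ASP.NET Identity 2.x (the Microsoft.AspNet.Identity.Owin package) and the types the Identity 2.x project template generates: ApplicationDbContext, ApplicationUserManager, ApplicationUser and its GenerateUserIdentityAsync method; the AdminService class and the 30-minute interval are illustrative choices, not anything the page prescribes.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        // Assumption: ApplicationDbContext and ApplicationUserManager are the per-request
        // types from the Identity 2.x template; the validator resolves the manager from
        // the OWIN context, so they must be registered before the cookie middleware.
        app.CreatePerOwinContext(ApplicationDbContext.Create);
        app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/LoginAlert"),
            ExpireTimeSpan = TimeSpan.FromDays(2),
            SlidingExpiration = false,
            Provider = new CookieAuthenticationProvider
            {
                // At most once per validateInterval (not on every request) the validator
                // loads the user from the store and compares the SecurityStamp claim that
                // was baked into the cookie at sign-in with the stamp persisted for the
                // user. If the lookup fails (account deleted) or the stamps differ
                // (password changed, or UpdateSecurityStampAsync was called), the cookie
                // is rejected and the request is redirected to LoginPath. The interval is
                // the knob that bounds database round trips per authenticated session.
                OnValidateIdentity = SecurityStampValidator
                    .OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                        validateInterval: TimeSpan.FromMinutes(30),
                        regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
            }
        });
    }
}

// Hypothetical service showing the one case the validator does not cover by itself:
// a role change leaves the stamp untouched, so the stamp has to be rotated explicitly
// to invalidate cookies that were issued while the user still held the role.
public class AdminService
{
    private readonly ApplicationUserManager _userManager;

    public AdminService(ApplicationUserManager userManager)
    {
        _userManager = userManager;
    }

    public async Task RevokeRoleAsync(string userId, string role)
    {
        IdentityResult result = await _userManager.RemoveFromRoleAsync(userId, role);
        if (!result.Succeeded)
        {
            throw new InvalidOperationException(string.Join("; ", result.Errors));
        }

        // Rotating the stamp makes every outstanding cookie for this user fail its next
        // validation, so the old role claims cannot outlive the change by more than
        // validateInterval.
        await _userManager.UpdateSecurityStampAsync(userId);
    }
}
```

With this in place the three cases in the question behave differently: deleting the account makes the validator's user lookup fail, so the cookie is rejected at the next check; changing the password through UserManager.ChangePasswordAsync rotates the stamp as a side effect, so the same happens; changing roles does not touch the stamp, which is why the service above calls UpdateSecurityStampAsync after RemoveFromRoleAsync. The trade-off is that a revoked user can still make requests for up to validateInterval after the change, so pick the interval by how long that window may be rather than by database cost alone.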