问题
What is the "best practice" to prevent a valid cookie from being used by more than one client at a time in ASP.NET MVC?
In this scenario, we are using all the OWASP tricks.
- Strict HSTS: HTTPS/SSL on every page
- Cookies are listed as HTTPS-only
- Cookies are marked secure
- Cookies have a short expiration
- There is also code to prevent cross-site request forgery (XSRF) from altering values page to page.
That's all great and prevents users from changing values, but it doesn't prevent a bad actor from stealing the entire cookie and re-using it elsewhere while it is still valid ("cookie replay," or "session fixation," depending on who you ask). As far as I can tell, there is no standard .NET configuration or boilerplate to prevent this.
For example, User A logs in and their auth cookie is good for t minutes. Malware on that user's PC ignores the HTTP-only/secure setting on the cookie and is able to retrieve the actual stored cookie, sending it to our bad actor. The bad actor is then able use a cookie-editing tool to add it to their browser and connect to the site as User A, until the cookie expires or User A signs out (invalidating the session).
Ideally, can .NET be configured so that a session is invalidated if the cookie is found to be in use from two clients at the same time?
Similar items reviewed:
Oh, S.O. community, we know how much you love "duplicates."
- Asp.net - Using SSL to prevent cookie replay attack: SSL does not prevent cookie replay, only mid-transmission tampering.
- Prevent re-use of authentication cookie in ASP.NET: Specific to cookie use after user-logout; here, the user is still logged in while the bad actor has access.
- ASP.NET cookie replay fix without storing auth-token in server?: Specifically requests not storing tokens on the server, I won't rule that out as an answer
External fix suggestions:
- This page suggests setting a
boolvalue server-side when the user logs in. Wrong-- that would only prevent the bad actor from using the cookie after the intended user logs out. It does nothing to prevent the bad actor from poking around at the same time as the intended user. - This page on StackExchange takes the same approach, setting a session value. It suffers the same problem.
- Even Troy Hunt's oft-cited OWASP top 10 common security fixes helps you secure cookies, but doesn't demonstrate a way to prevent simultaneous use of a valid cookie.
回答1:
if your goal is to
prevent a bad actor from stealing the entire cookie and re-using it elsewhere while it is still valid
then the answer is no. there is no way.
The amount of information you get from a http request are pretty much the following:
- User's IP
- Headers (cookie, user agent ect)
- Request body
- Destination IP (your server's IP)
- URL
With the limited amount of information on hand, there is really no way you can distinguish between two users using the same cookie + browser + IP.
Its just as if two ppl printed the same message using the same printer and you are tasked to figure out which message was printed by whom.
The best you could do is to ask for password every time the user wants to perform any sensitive action and assign a one time token for it. (not user friendly)
Or you can make it a bit more friendly by making it required only if new IP does not match login IP. (not friendly to mobile user since their IP changes pretty much all the time)
回答2:
Ideally, can .NET be configured so that a session is invalidated if the cookie is found to be in use from two clients at the same time?
I am not sure you are aware just how ambiguous this question is-- specifically, this notion of "at the same time." Cookies are submitted with the HTTP request for each and every object. If you load a page, the cookie is sent with the request for that page, all of its style sheets, all of its scripts, and all of its images. So you certainly absolutely positively do NOT want to prevent a cookie from being used "at the same time."
I think you maybe are interested in binding a cookie to a particular client endpoint, e.g. the visible IP address of the browser. The answer to that is simple: embed the IP address in the cookie. Assuming you have made you cookie tamper-proof, the server just needs to check it at the same time it is validating the cookie.
For example, User A logs in and their auth cookie is good for t minutes. Malware on that user's PC....
Full stop. There is no security mechanism on Earth that will protect against malware on a legitimate user's machine, period. Other than anti-malware, of course.
来源:https://stackoverflow.com/questions/52012031/preventing-cookie-replay-cookie-use-by-more-than-one-client