Is the OWIN authentication cookie vulnerable?


I have an MVC application hosted in Azure and secured by Azure AD. We use OWIN middleware cookie authentication and the OpenID Connect approach for authentication by Azure AD. We have the observation below, which appears to be a security flaw.

1) Access the application in the Chrome browser. After the Azure AD authentication redirects, the application loads fine. By now there will be an authentication cookie created by OWIN with the name ".AspNet.Cookies", which is an in-memory cookie, meaning the cookie will be lost once the browser is closed.

2) Now copy the ".AspNet.Cookies" cookie and close the browser. The in-memory cookie is deleted. However, if we initiate a request to the application (a proxied request using Fiddler) with the cookie attached, the server accepts the cookie and the application is loaded.

What this implies is that a cookie generated in one browser session could be reused in another browser session.

This looks like a security flaw. Is there a way to fix the problem? Or are we missing any settings in Azure AD?

Any inputs are highly appreciated.

Thanks, Madhu
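The behaviour the question reproduces is the normal property of a bearer cookie: "in memory" (no Expires attribute) only tells the browser to drop the cookie on close, while the server validates the encrypted ticket inside it, whose lifetime is the middleware's ExpireTimeSpan. The configuration below is an added example, not code from the question or from the Katana project: it bounds the ticket lifetime and, on every request, checks a server-side session registry so that a cookie copied out of a session that has since been signed out is rejected. The OWIN APIs used (CookieAuthenticationOptions, CookieAuthenticationProvider.OnValidateIdentity, RejectIdentity, OpenIdConnectAuthenticationNotifications.SecurityTokenValidated) are real; SessionRegistry, the "sid" claim and the <app-id>/<tenant> placeholders are this example's own assumptions.

```csharp
// Added example (not from the question): OWIN Startup that bounds the .AspNet.Cookies
// ticket lifetime and rejects tickets whose server-side session has been ended.
// SessionRegistry and the "sid" claim are hypothetical names chosen for this example.
using System;
using System.Collections.Concurrent;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public static class SessionRegistry
{
    // Assumption: an in-process store is enough for the demo. On Azure the app may run
    // on several instances, so a real deployment would back this with a shared store.
    private static readonly ConcurrentDictionary<string, DateTimeOffset> Live =
        new ConcurrentDictionary<string, DateTimeOffset>();

    public static string Start()
    {
        var sid = Guid.NewGuid().ToString("N");
        Live[sid] = DateTimeOffset.UtcNow;
        return sid;
    }

    public static bool IsLive(string sid) => sid != null && Live.ContainsKey(sid);

    public static void End(string sid)
    {
        DateTimeOffset ignored;
        if (sid != null) Live.TryRemove(sid, out ignored);
    }
}

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
            CookieName = ".AspNet.Cookies",
            CookieHttpOnly = true,
            CookieSecure = CookieSecureOption.Always,
            // The browser discards a session cookie on close, but the server only checks
            // the ticket's own expiry, so keep that window short.
            ExpireTimeSpan = TimeSpan.FromMinutes(20),
            SlidingExpiration = true,
            Provider = new CookieAuthenticationProvider { OnValidateIdentity = ValidateSession }
        });

        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = "<app-id>",                                   // assumption: your app registration id
            Authority = "https://login.microsoftonline.com/<tenant>", // assumption: your tenant
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                // Runs after Azure AD's id_token is validated and before the cookie is
                // written, so the ticket carries the new session id.
                SecurityTokenValidated = n =>
                {
                    n.AuthenticationTicket.Identity.AddClaim(new Claim("sid", SessionRegistry.Start()));
                    return Task.FromResult(0);
                }
            }
        });
    }

    // Runs on every request that presents a ticket. Rejecting the identity makes the
    // request anonymous, so a replayed cookie from an ended session no longer works.
    private static Task ValidateSession(CookieValidateIdentityContext context)
    {
        var sid = context.Identity?.FindFirst("sid")?.Value;
        if (!SessionRegistry.IsLive(sid))
        {
            context.RejectIdentity();
            context.OwinContext.Authentication.SignOut(context.Options.AuthenticationType);
        }
        return Task.FromResult(0);
    }

    // Call from the sign-out action before invoking the OWIN SignOut, so the copied
    // cookie stops working at the moment the user signs out rather than at ticket expiry.
    public static void EndSession(ClaimsPrincipal user)
    {
        SessionRegistry.End(user?.FindFirst("sid")?.Value);
    }
}
```

To check the change, repeat the Fiddler replay from the question after signing out, or after ExpireTimeSpan has elapsed without activity: the replayed request should now be redirected to Azure AD instead of loading the application. None of this is an Azure AD setting; it is configuration of the cookie middleware in the application itself.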
