DEVHIDE
Login Or Sign up

Token replays still possible even after implementing DefaultTokenReplayCache in WIF

1.1k Views Asked by At

I've been able to subclass DefaultTokenReplayCache and make it work in my MVC application. This correctly detects tokens that would be replayed from the IDP to the RP by Fiddler or by pressing the Back arrow and resubmitting.

My intent now is to prevent cached replays when the FedAuth cookie is present, and that session has already signed out.

For example:

DefaultTokenReplayCache correctly determines whenever this response is replayed:

POST http://127.0.0.1:2600/Account/SignIn HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E; MS-RTC EA 2)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Content-Length: 6679
Host: 127.0.0.1:2600
Pragma: no-cache

wa=wsignin1.0&wresult=%3Ct%3ARequest .....

However, if I sign out, the following session CAN be replayed

GET http://127.0.0.1:2600/ HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E; MS-RTC EA 2)
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Host: 127.0.0.1:2600
Pragma: no-cache
Cookie: FedAuth=77u/PD94bWwgd......

Question

How can I ensure that WIF will no longer permit a particular FedAuth cookie once that session has been signed out?

wif windows-identity
Original Q&A
2

There are 2 best solutions below

1
On

How are you signing-out? You typically need to call FederatedAuthentication.WSFederationAuthenticationModule.SignOut

that will clear all FedAuth cookies. Notice that this will not clear any other cookies you might set in your app.

0
On

You need to add a tokenReplayDetection into the identityConfiguration element on the relying party.

<system.identityModel>
    <identityConfiguration ...>
        <tokenReplayDetection enabled="true"/>
        ...

-Atli

Related Questions in WIF

Related Questions in WINDOWS-IDENTITY

Trending Questions

Popular # Hahtags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Popular Questions

Copyright © 2021 Jogjafile Inc.