In my last post (Session Fixation & Forms Authentication Token Termination in ASP.NET),
I talked about ways to mitigate two types of session related
vulnerabilities in an ASP.NET MVC 4 application. One of these
vulnerabilities is also present in many WCF web services. In one mode of
operation, WCF web services can authenticate users and issue forms
authentication cookies. Since this token contains an encrypted set of
values and resides only on the client side, the server has no way to
invalidate that token and end a user’s authenticated session. This
allows attackers to continue using stolen tokens, even after the user
logs out.
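One way to give the server a say in ending a session, added here as an example and not code from the original post, is to record each user's logout time server-side and reject any forms authentication ticket issued before it. It assumes a single-process store (a shared cache or database would be needed across a farm) and that, for WCF, the service runs under ASP.NET compatibility mode so `HttpContext.Current` and the forms cookie are available.

```csharp
using System;
using System.Collections.Concurrent;
using System.Web;
using System.Web.Security;

// Server-side record of when each user last logged out. The encrypted
// ticket in a stolen cookie stays cryptographically valid, so the only
// way to terminate it is to stop trusting tickets older than the logout.
public static class TerminatedSessions
{
    // Assumption: single server. Replace with a shared store in production.
    private static readonly ConcurrentDictionary<string, DateTime> LogoutTimes =
        new ConcurrentDictionary<string, DateTime>(StringComparer.OrdinalIgnoreCase);

    // Call from the logout operation, in addition to FormsAuthentication.SignOut(),
    // which only clears the cookie on the current client.
    public static void Terminate(string userName)
    {
        LogoutTimes[userName] = DateTime.UtcNow;
    }

    // A ticket is live only if it has not expired and was issued after the
    // user's most recent logout (or the user has never logged out here).
    public static bool IsTicketLive(FormsAuthenticationTicket ticket)
    {
        if (ticket == null || ticket.Expired) return false;
        DateTime loggedOutAt;
        if (!LogoutTimes.TryGetValue(ticket.Name, out loggedOutAt)) return true;
        // IssueDate is local time; compare in UTC so DST changes cannot revive a token.
        return ticket.IssueDate.ToUniversalTime() > loggedOutAt;
    }

    // Decrypts the forms cookie on an incoming request and applies the check.
    // Any undecryptable or tampered cookie is treated as unauthenticated.
    public static bool IsRequestAuthenticated(HttpRequest request)
    {
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return false;
        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { return false; }
        return IsTicketLive(ticket);
    }
}
```

Call `TerminatedSessions.IsRequestAuthenticated(HttpContext.Current.Request)` at the start of each authenticated WCF operation (or from a custom `ServiceAuthorizationManager`) and `Terminate(userName)` from the logout operation.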
Continue reading this article on the Security PS Blog: http://blog.securityps.com/2013/07/forms-authentication-token-termination.html
Tuesday, July 9, 2013