
We are developing an MVC application using .NET Identity. We have created register and login systems. Now we are trying to add some security.

My friend has logged in to the application and a session cookie has been created. With an extension, I have created the same cookie on my machine and have successfully logged in. How can we prevent this?

We have tried adding [ValidateAntiForgeryToken] and @Html.AntiForgeryToken(), but now pages are throwing this exception:

The required anti-forgery form field "__RequestVerificationToken" is not present.

We think we are missing something. What is the right way to do this?

Sefa

1 Answer

I don't think this token does what you're trying to use it for. According to this StackOverflow question's accepted answer, it's actually for preventing cross-site request forgeries, not for preventing hijacking of browser sessions.

Your main question appears to be:

With an extension, I have created the same cookie on my machine and have successfully logged in. How can we prevent this?

What you need to bear in mind is that you have been able to get hold of a security cookie from another machine. In the "real world", that security cookie would be transmitted over a secure channel (such as https), such that one user should have no way of getting at another user's cookie. If a user "a" managed to get hold of the cookie from user "b"'s computer without user "b" performing any deliberate action, then user "b"'s computer is already terminally compromised.

Although I commend you for trying to work around this, if a user were capable of getting hold of another user's cookie there's a fairly good chance they'd also be able to get hold of pretty much anything else too. You could check that the browser identification string always matches, or that the IP address the requests come from doesn't change, but both checks are possible to circumvent if someone is determined enough.

Adrian Wragg
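An added example, not code from the question or the answer, showing the two things discussed above in an ASP.NET MVC 5 / OWIN project: the anti-forgery attribute placed only on the POST action with the hidden field inside the form (which is what removes the "not present" exception), and the Identity session cookie restricted to HTTPS and HttpOnly so it is not exposed in transit or to page scripts. File names are assumed, and the controller assumes the sign-in manager is constructor-injected.

```csharp
using System.Threading.Tasks;
using System.Web.Helpers;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.EntityFramework;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

// Startup.Auth.cs (assumed MVC 5 / OWIN project): the session cookie travels only
// over HTTPS and is hidden from page scripts, the two usual ways a cookie leaks.
public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"),
            CookieHttpOnly = true,                     // not readable via document.cookie
            CookieSecure = CookieSecureOption.Always   // never sent over plain HTTP
        });
        AntiForgeryConfig.RequireSsl = true;           // same rule for the CSRF cookie
    }
}

// AccountController.cs (assumed; sign-in manager is constructor-injected): the token
// is checked only on the POST. Decorating the GET that renders the form is what raises
// "The required anti-forgery form field ... is not present": nothing was submitted yet.
public class AccountController : Controller
{
    private readonly SignInManager<IdentityUser, string> _signIn;
    public AccountController(SignInManager<IdentityUser, string> signIn) { _signIn = signIn; }
    [HttpGet, AllowAnonymous]
    public ActionResult Login() { return View(); }
    [HttpPost, AllowAnonymous, ValidateAntiForgeryToken]
    public async Task<ActionResult> Login(string email, string password)
    {
        var status = await _signIn.PasswordSignInAsync(email, password, false, shouldLockout: true);
        if (status == SignInStatus.Success) return RedirectToAction("Index", "Home");
        ModelState.AddModelError("", "Invalid login attempt.");
        return View();
    }
}
/* Views/Account/Login.cshtml: the hidden token field must be inside the posting form.
@using (Html.BeginForm("Login", "Account", FormMethod.Post)) {
    @Html.AntiForgeryToken() @Html.TextBox("email") @Html.Password("password")
    <input type="submit" value="Log in" />
} */
```

As the answer notes, none of this stops someone who already holds a copy of the cookie; the Secure and HttpOnly flags only narrow how a cookie can be taken in the first place.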