Security Stamping

Consider the following scenario:

  • A user logs on to website with device A and does not log off
  • Perhaps they lose the device e.g. a smart phone
  • The user then panics, logs on to device B (laptop) goes to the website and changes their password
  • The user would hope that device A no longer works with the website even if it has live session cookies on it as the password has changed

In fact the device will probably continue to work as the session cookies are live, and the cookies will extend with use indefinitely, i.e. if the person who found the phone keeps browsing the site the session will remain open.

Stopping this behaviour is possible via the SecurityStamp in OWIN authentication mechanisms. The SecurityStamp is a Guid which changes when a

  • User logs in
  • Due to a password change
  • An external account being added or removed

Therefore with every major change of security, a security stamp can be updated and then any issued cookies checked that they meet the security stamp. The SecurityStampValidator checks the cookies usually every few minutes (as configured).

This can be  added to your CookieAuthenticationProvider as below

  Provider = new CookieAuthenticationProvider

                {

                    // Enables the application to validate the security stamp when the user logs in.

                    // This is a security feature which is used when you change a password or add an external login to your account. 

                    OnValidateIdentity =

                        SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(TimeSpan.FromMinutes(3),

                            (manager, user) => user.GenerateUserIdentityAsync(manager))

                }

Major Gotcha: ASP.NET MVC OWIN User logged out after password change – Note this does mean if a password is changed by the user they need to log out and back in. The symptom is that a few minutes after the password is changing the user is logged out by the server. The network trace will show a request from the webserver to kill the authentication cookies. This caught me out.

Also for security do not allow a password to be changed without entering the old one, otherwise the person who finds the phone can change the password themselves and prevent the original owner from accessing the site.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s