Hi Arnaud, a pentester has tested our MVC server!
He found this vulnerability:
He saved the session cookie on the client side, then logged out from the server (on the server CurrentSession.Finalize is called and the client cookie is removed).
But after this he used the saved cookie to call MVC pages.
The cookie is still valid.
Do you know a simple way to invalidate such cookies?
We create session cookies after the login function with CurrentSession.Initialize and check them with CurrentSession.CheckAndRetrieve.
Thank you
Rad Studio 12.3 Athens
Yes, Timeout is set to 240 min.
Please try with tonight's code.
It should keep track of the finalized sessions, and reject them.
I also switched the cookie signature and encryption to AES-GCM-128 which is both very fast and cryptographically secure.
As far as I can tell, there is no advantage of using a JWT with respect to our TBinaryCookieGenerator now.
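The replay the pentester describes, and the fix Arnaud mentions (keeping track of finalized sessions and rejecting them), as an added Python example. This is not mORMot2 code: the class name SessionStore and the methods initialize, check_and_retrieve and finalize are hypothetical stand-ins for the CurrentSession.Initialize / CheckAndRetrieve / Finalize calls in the thread, and HMAC-SHA256 stands in for the AES-GCM cookie protection of the real library because the Python standard library has no AEAD primitive. The point it shows is independent of the cipher: a cookie that verifies purely from its own bytes stays valid after logout until the server remembers which session ids have been finalized.

```python
# Added example (not mORMot2 code): a signed session cookie survives logout
# unless the server keeps a list of finalized sessions. Names are
# hypothetical; HMAC-SHA256 replaces the library's AES-GCM for this demo.
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Callable, Dict, Optional


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class SessionStore:
    """Cookie layout: base64url(JSON payload) "." base64url(HMAC-SHA256 tag)."""

    def __init__(self, key: bytes, timeout_s: int = 240 * 60,
                 clock: Callable[[], float] = time.time) -> None:
        self._key = key
        self._timeout = timeout_s
        self._clock = clock            # injectable for deterministic tests
        # Finalized session id -> expiry of that cookie. Only sessions logged
        # out before their timeout need remembering: an expired cookie is
        # rejected anyway, so entries are pruned and the list stays bounded.
        self._revoked: Dict[str, float] = {}

    def _sign(self, body: bytes) -> str:
        return _b64e(hmac.new(self._key, body, hashlib.sha256).digest())

    def _parse(self, cookie: str) -> Optional[dict]:
        """Return the payload if the tag verifies, else None."""
        try:
            b64_body, tag = cookie.split(".", 1)
            body = _b64d(b64_body)
        except ValueError:             # no dot, bad base64 or non-ASCII input
            return None
        if not hmac.compare_digest(self._sign(body).encode(), tag.encode()):
            return None
        payload = json.loads(body)     # server-minted, so well-formed
        return payload if isinstance(payload, dict) else None

    def _prune(self) -> None:
        now = self._clock()
        for sid in [s for s, exp in self._revoked.items() if exp <= now]:
            del self._revoked[sid]

    def initialize(self, user: str) -> str:
        """Login: mint a fresh signed cookie carrying a random session id."""
        payload = {"sid": secrets.token_hex(16), "user": user,
                   "exp": int(self._clock()) + self._timeout}
        body = json.dumps(payload, separators=(",", ":")).encode()
        return f"{_b64e(body)}.{self._sign(body)}"

    def check_and_retrieve(self, cookie: str) -> Optional[dict]:
        """Per-request check: signature, timeout, then the revocation list.
        Without the last test a cookie copied before logout replays fine."""
        payload = self._parse(cookie)
        if payload is None:
            return None
        self._prune()
        if payload["exp"] <= self._clock():
            return None
        if payload["sid"] in self._revoked:
            return None
        return payload

    def finalize(self, cookie: str) -> bool:
        """Logout: clearing the cookie on the client changes nothing on the
        server, so remember the session id until the cookie would have
        expired by itself."""
        payload = self._parse(cookie)
        if payload is None:
            return False
        self._revoked[payload["sid"]] = payload["exp"]
        return True

    def revoked_count(self) -> int:
        return len(self._revoked)


def replay_after_logout(store: SessionStore, user: str) -> bool:
    """Re-enact the pentester's test: keep a copy of the cookie, log out,
    then present the copy again. True means the replay was accepted."""
    saved = store.initialize(user)
    store.finalize(saved)
    return store.check_and_retrieve(saved) is not None


if __name__ == "__main__":
    demo = SessionStore(secrets.token_bytes(32))
    print("replay accepted after logout:", replay_after_logout(demo, "alice"))
```

The deny list has to be shared by every process that validates cookies and has to survive a restart (a database table or a shared cache rather than an in-memory dict), otherwise a finalized cookie becomes valid again as soon as the list is lost. The same bounded-size argument applies there: an entry is only needed until the cookie's own timeout, which with the 240 min Timeout from the thread keeps the list to the number of logouts in the last four hours.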
Hi Arnaud, I tested it today and it seems to be secure now; I could not use the deleted cookie any more.
There was one thing that happened to me:
I changed CookieName to "DIT Test" and later got an error in the reverse proxy:
Description
This violation occurs when HTTP cookies contain at least one of the following components:
- Quotation marks in the cookie name.
- A space in the cookie name.
- An equal sign (=) in the cookie name.
Note: A space between the cookie name and the equal sign (=), and between the equal sign (=) and cookie value is allowed.
- An equal sign (=) before the cookie name.
- A carriage return (hexadecimal value of 0xd) in the cookie name.
Maybe there should be a check routine in SetCookieName throwing an exception if the name does not match the rules for cookie names.
Should be OK with
https://github.com/synopse/mORMot2/commit/ef7be269c
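The check requested above, as an added Python example that is not mORMot2 code and not what the linked commit does. It applies the RFC 6265 rule that a cookie-name is an HTTP token: one or more printable US-ASCII characters, none of which is a separator from the RFC 2616 list. That list is exactly what the reverse proxy message enforces (quotes, spaces, "=" and CR are all either separators or control characters). The CookieConfig class and its set_cookie_name method are hypothetical stand-ins for a validating SetCookieName.

```python
# Added example (not mORMot2 code): validate a cookie name as an RFC 6265
# token before it reaches Set-Cookie. Class and method names are hypothetical.
from typing import Optional

# RFC 2616 separators; a token may contain none of these.
SEPARATORS = frozenset('()<>@,;:\\"/[]?={} \t')


def cookie_name_problem(name: str) -> Optional[str]:
    """Return a human-readable reason the name is not a token, or None."""
    if not name:
        return "cookie name is empty"
    for ch in name:
        code = ord(ch)
        if code < 0x21 or code > 0x7E:   # CTL, SP, DEL or non-ASCII
            return f"control, whitespace or non-ASCII character 0x{code:02x}"
        if ch in SEPARATORS:
            return f"separator character {ch!r}"
    return None


def is_valid_cookie_name(name: str) -> bool:
    return cookie_name_problem(name) is None


class CookieConfig:
    """Hypothetical config holder whose setter rejects bad names early,
    instead of letting a proxy or browser reject the cookie at runtime."""

    def __init__(self, name: str = "session") -> None:
        self._name = ""
        self.set_cookie_name(name)

    def set_cookie_name(self, name: str) -> str:
        problem = cookie_name_problem(name)
        if problem is not None:
            raise ValueError(f"invalid cookie name {name!r}: {problem}")
        self._name = name
        return name

    @property
    def cookie_name(self) -> str:
        return self._name


if __name__ == "__main__":
    for candidate in ("DIT Test", "DIT_Test", "a=b", 'a"b', "a\rb"):
        print(repr(candidate), "->", cookie_name_problem(candidate) or "ok")
```

Names such as "DIT_Test" or "DIT-Test" pass because "_" and "-" are token characters, which also means the "__Host-" and "__Secure-" cookie prefixes are accepted unchanged.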