Hello,
I've encountered a security issue with ABP, and I'm wondering if there's a simple way to fix this. In a nutshell, I'm able to call API methods after logout by re-using the cookie. During a security audit, this was identified as a critical security issue by a 3rd party firm.
Here are the steps to reproduce the problem:
- Start fiddler
- Login to the aspnetzero application
- Logout of the aspnetzero application
- In the Fiddler window, select a previous service call such as "GetCurrentLoginInformations"
- Click "Replay" in Fiddler (which includes the cookie)
- Notice that the replayed service call was successful, i.e. {"success":true,"result":{"user":{"name":"admin","surname":"admin","userName":"admin","emailAddress":"[email protected]","profilePictureId":null,"id":2},"tenant":{"tenancyName":"Default","name":"GCGC","editionDisplayName":"Standard","id":1}},"error":null,"unAuthorizedRequest":false}
The expected result is that the service call would fail, since the user has logged out.
Is there a built-in way of preventing this behaviour?
Thanks,
Dave
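The replay Dave describes works whenever the authentication cookie is a self-contained signed ticket and logout does nothing more than tell the browser to delete it: the ticket stays valid until its own expiry, so anyone holding a copy can keep calling the API. The model below is an added example, not ABP's or ASP.NET Zero's code; it simulates a cookie-authenticated server with a GetCurrentLoginInformations-style endpoint and runs the same login / logout / replay sequence against two variants: one whose logout only clears the client cookie, and one whose logout rotates a per-user security stamp that every request is checked against (the same idea ASP.NET Identity's security stamp is built on). The cookie name, key, user record and password are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed stand-in for the server's cookie-protection key (in ASP.NET the
# data-protection key plays this role). Hypothetical, not ABP's implementation.
SERVER_KEY = secrets.token_bytes(32)
COOKIE_NAME = "Abp.AuthToken"   # hypothetical cookie name
TICKET_LIFETIME = 3600          # seconds the signed ticket is valid on its own


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class AuthServer:
    """Minimal model of cookie authentication in front of a JSON API.

    revoke_on_logout=False: logout only tells the browser to delete the cookie;
    the signed ticket itself stays valid until it expires, which is exactly the
    behaviour the Fiddler replay above exposes.
    revoke_on_logout=True: logout rotates the user's security stamp and every
    request compares the stamp inside the ticket with the stored one, so a
    replayed cookie is rejected.
    """

    def __init__(self, revoke_on_logout: bool):
        self.revoke_on_logout = revoke_on_logout
        # Constructed user record; the password is sample data, not any product default.
        self.users = {
            "admin": {"id": 2, "password": "S3cret-Pa55", "security_stamp": secrets.token_hex(8)}
        }

    def _sign(self, body: str) -> str:
        return _b64(hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest())

    def login(self, username: str, password: str) -> Optional[str]:
        """Returns the Set-Cookie value for a successful login, else None."""
        user = self.users.get(username)
        if user is None or not hmac.compare_digest(user["password"], password):
            return None
        claims = {"sub": username, "stamp": user["security_stamp"],
                  "exp": int(time.time()) + TICKET_LIFETIME}
        body = _b64(json.dumps(claims).encode())
        return f"{COOKIE_NAME}={body}.{self._sign(body)}"

    def _validate(self, cookie: Optional[str]) -> Optional[dict]:
        """Signature and expiry are always checked; the stamp only in revoking mode."""
        if not cookie or not cookie.startswith(COOKIE_NAME + "="):
            return None
        try:
            body, sig = cookie[len(COOKIE_NAME) + 1:].split(".", 1)
        except ValueError:
            return None
        if not hmac.compare_digest(sig, self._sign(body)):
            return None
        claims = json.loads(_unb64(body))
        if claims["exp"] < time.time():
            return None
        user = self.users.get(claims["sub"])
        if user is None:
            return None
        if self.revoke_on_logout and not hmac.compare_digest(claims["stamp"], user["security_stamp"]):
            return None
        return {"userName": claims["sub"], **user}

    def logout(self, cookie: Optional[str]) -> dict:
        user = self._validate(cookie)
        if user is not None and self.revoke_on_logout:
            # Rotating the stamp invalidates every ticket issued for this user so far.
            self.users[user["userName"]]["security_stamp"] = secrets.token_hex(8)
        # Both modes tell the browser to drop its copy; Fiddler's copy is unaffected.
        return {"set_cookie": f"{COOKIE_NAME}=; Max-Age=0", "redirect": "/Account/Login"}

    def get_current_login_informations(self, cookie: Optional[str]) -> dict:
        """Same response envelope as the ABP call shown in the reproduction steps."""
        user = self._validate(cookie)
        if user is None:
            return {"success": False, "result": None,
                    "error": {"message": "Not authenticated"}, "unAuthorizedRequest": True}
        return {"success": True,
                "result": {"user": {"userName": user["userName"], "id": user["id"]}},
                "error": None, "unAuthorizedRequest": False}


def replay_after_logout(server: AuthServer) -> dict:
    """Mirrors the Fiddler steps: log in, keep the cookie, log out, replay the old request."""
    cookie = server.login("admin", "S3cret-Pa55")
    before = server.get_current_login_informations(cookie)
    server.logout(cookie)   # the browser discards its cookie; the captured copy still exists
    after = server.get_current_login_informations(cookie)
    return {"before": before, "after": after}


if __name__ == "__main__":
    for mode in (False, True):
        outcome = replay_after_logout(AuthServer(revoke_on_logout=mode))
        print(f"revoke_on_logout={mode}: replay after logout success={outcome['after']['success']}")
```

The same `replay_after_logout` sequence is a useful regression test to keep around against a real deployment: log in with an HTTP client, hold on to the cookie, hit the logout endpoint, then replay an authenticated call with the old cookie and assert on `unAuthorizedRequest`. A server-side check such as the stamp comparison above is what makes the replay fail; clearing the cookie in the browser alone never can.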
3 Answer(s)
-
0
Hi Dave,
Is your Logout action in AccountController like this?
public async Task<ActionResult> Logout()
{
    await _signInManager.SignOutAllAsync();
    return RedirectToAction("Login");
}
One of the previous versions was using a buggy logout action.
-
0
Hello,
I also have this problem.
This is my Logout method:
public virtual ActionResult Logout()
{
    _authenticationManager.SignOutAll();
    return RedirectToAction("Login");
}
Can you tell me how can I fix this issue?
Thanks,
Meysam
-
0
Is it possible for you to update ABP and ZERO to the latest? As far as I remember there was an issue as you stated, but it was fixed.