WsFederation Cookie Replay Countermeasures

May 30, 2014 at 12:48 AM
Suppose I am a user and have successfully logged in with the WsFederation middleware's help. Upon successful login, the cookie .AspNet.Federation is set. Now, having this cookie, malicious code (a virus that intercepts traffic on my machine) can successfully replay my identity (something like Fiddler gives me the ability to see the cookie and get its value, and then I can use WebClient, set the cookie and pretend I am the user). What are some countermeasures to protect against this, if any?
May 30, 2014 at 4:14 PM
We recommend sticking to SSL connections to prevent third parties (e.g. proxies, Fiddler, etc.) from compromising your cookies.

As for a compromised or malicious client, there's not much the server can do about it. Here are a few general ideas:
  • Granular credentials: make sure users only have access to what they need.
  • Require credential escalation (2-factor, re-login, etc.) for admin functions.
  • Rate limit, or flag accounts with suspicious behavior and force re-validation (or just disable them).
  • Katana's cookies have their timeout embedded in the encrypted payload to make sure the client can't tamper with it, so a compromised cookie can only be re-used for a certain amount of time. WsFed- or OIDC-based cookies use the auth token's lifetime by default, with no sliding expiration.
Marked as answer by serguk86 on 5/30/2014 at 1:41 PM
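The settings the answer above refers to, pulled together into one OWIN Startup class as an added example (this is not code from the thread or from the Katana project): the cookie is marked Secure and HttpOnly, sliding expiration is off so a stolen cookie dies at the original expiry, the WsFederation middleware keeps the token lifetime as the cookie lifetime, and a cookie validation callback gives the server a place to reject a cookie early when the account has been flagged. The realm, metadata URL, the `RevokedSubjects` set and the 30-minute cap are illustrative assumptions; a real deployment would back the revocation check with persistent storage.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.WsFederation;
using Owin;

[assembly: OwinStartup(typeof(CookieReplayDemo.Startup))]

namespace CookieReplayDemo
{
    public class Startup
    {
        // Assumed: subjects an operator has flagged (suspicious behaviour, disabled
        // account). Anything in here is rejected on the next request even though
        // its cookie is still cryptographically valid and not yet expired.
        public static readonly ConcurrentDictionary<string, DateTimeOffset> RevokedSubjects =
            new ConcurrentDictionary<string, DateTimeOffset>();

        // Assumed upper bound on how long any session cookie may be honoured,
        // regardless of what the token issuer said.
        private static readonly TimeSpan MaxSessionAge = TimeSpan.FromMinutes(30);

        public void Configuration(IAppBuilder app)
        {
            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
                // Never send the cookie over plain HTTP, so a proxy or sniffer cannot read it.
                CookieSecure = CookieSecureOption.Always,
                // Keep the cookie out of reach of script running in the page.
                CookieHttpOnly = true,
                // Do not extend the lifetime on use: a replayed cookie cannot be kept alive.
                SlidingExpiration = false,
                // Only used when the WsFederation middleware is told not to use the token lifetime.
                ExpireTimeSpan = MaxSessionAge,
                Provider = new CookieAuthenticationProvider
                {
                    OnValidateIdentity = ValidateIdentityAsync
                }
            });

            app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions
            {
                Wtrealm = "https://app.example.test/",                          // assumed
                MetadataAddress = "https://sts.example.test/FederationMetadata/2007-06/FederationMetadata.xml", // assumed
                // Default is true: the cookie expires when the security token does.
                UseTokenLifetime = true
            });
        }

        // Runs on every request that carries an authentication cookie.
        private static Task ValidateIdentityAsync(CookieValidateIdentityContext ctx)
        {
            var subject = ctx.Identity?.FindFirst(ClaimTypes.NameIdentifier)?.Value;
            if (string.IsNullOrEmpty(subject))
            {
                ctx.RejectIdentity();
                return Task.FromResult(0);
            }

            // Force re-validation: a flagged account is signed out on its next request.
            DateTimeOffset revokedAt;
            if (RevokedSubjects.TryGetValue(subject, out revokedAt)
                && ctx.Properties.IssuedUtc.HasValue
                && ctx.Properties.IssuedUtc.Value <= revokedAt)
            {
                ctx.RejectIdentity();
                return Task.FromResult(0);
            }

            // Cap the session age even if the issuer handed out a long-lived token.
            if (ctx.Properties.IssuedUtc.HasValue
                && DateTimeOffset.UtcNow - ctx.Properties.IssuedUtc.Value > MaxSessionAge)
            {
                ctx.RejectIdentity();
            }

            return Task.FromResult(0);
        }
    }
}
```

To flag an account from an admin action, add its subject identifier to `RevokedSubjects` with the current time; every cookie issued before that moment is then rejected on its next use, while a fresh login after the revocation is honoured. Note that none of this helps against code running with the user's own privileges on the user's machine, which is the point the answer makes: the cookie is valid until it expires, so the expiry and server-side checks bound the damage rather than prevent it.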
May 30, 2014 at 8:41 PM