ASP.Net MVC伪造的声明令牌仍然有效

时间:2013-05-07 14:38:12

标签: asp.net-mvc-4 .net-4.5 wif claims-based-identity thinktecture-ident-model

我在.Net 4.5中有一个asp.net MVC 4项目。

我已设置基于声明的身份验证以保护我的网站。

登录后我有一个非常奇怪的行为。如果我编辑FedAuth cookie并在令牌部分手动更改值,如果我尝试刷新我的页面它将起作用。

在我的web.config中,我有这个:

<configSections>
  <section name="system.identityModel" 
           type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
  <section name="system.identityModel.services" 
           type="System.IdentityModel.Services.Configuration.SystemIdentityModelServicesSection, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
</configSections>

...

<modules>
  <remove name="FormsAuthentication" />
  <remove name="WindowsAuthentication" />
  <add name="SessionAuthenticationModule" 
       type="System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
</modules>

...

<system.identityModel>
  <identityConfiguration>
    <claimsAuthorizationManager 
      type="Project.Web.MyClaimAuthorizationManager, Project.Web, Version=1.0.0.0, Culture=neutral" />
    <securityTokenHandlers>
      <add type="System.IdentityModel.Services.Tokens.MachineKeySessionSecurityTokenHandler, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
      <remove type="System.IdentityModel.Tokens.SessionSecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
    </securityTokenHandlers>
  </identityConfiguration>
</system.identityModel>

我正在我的项目中注册此过滤器

    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new HandleErrorAttribute());
        filters.Add(new AuthorizeAttribute());
    }

我创建了一个像这样的标记

    public void IssueAuthTicket(string nameIdentifier, string name, bool persist)
    {
        var claims = new List<Claim>
                         {
                             new Claim(ClaimTypes.NameIdentifier, nameIdentifier),
                             new Claim(ClaimTypes.Name, name)
                         };
        var ci = new ClaimsIdentity(claims, "Forms");
        var cp = new ClaimsPrincipal(ci);

        var token = new SessionSecurityToken(cp);
        FederatedAuthentication.SessionAuthenticationModule.WriteSessionTokenToCookie(token);
    }

如果我base64解码令牌我有这个

<?xml version="1.0" encoding="utf-8"?>
<SecurityContextToken xmlns:p1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512" p1:Id="_b686b435-7153-44c4-816f-f5aba60d4ee8-86A9E23C43E7AFDA5B390C4EEDD7C694">
<Identifier>urn:uuid:667635fb-c98e-4cf0-be9e-805957589876</Identifier>
<Cookie xmlns="http://schemas.microsoft.com/ws/2006/05/security">v6KYxH2MmIw2IHWasLfLF5DvE8r8mzpcB6FCUZjIJAfrVBruiqxTujm3ZAdGlNRHt6xarPtnOhuBBNm1nAGrInz46fjK5Wu+8aWQpQBczWyceeummyn8SLt2Wr49J6q2A6k7QC73KR7eIuLATkWmQT2AQco42oPi2a+3x/TSOi/ZIjLWeLlomeFF7/j8uhoVxxhDir2Hamp66L5UPhQaUvhq5UfZR5AS0Y17OmXbVdKqSn5x8+7KtJ85CXavvijDibd5AFTwc7sAK66w6n5jKDxxyfYOH4w8jrMB5OpP0o0rWnfOAut7jFq+ECHPGSWs4acXVIAM9wMvryRxo0cnREVgyn1UX/jDnX8PmwaVgo9aCyjPKPgUhaYPL6lV6AYneQTZTUxjd2nB+P9raM9Kp2wsn8lxVZ7vmmK/ZL15S51bHcDWRdG7GDpxv2IhFMnZnBxltDEEkA/G6mYDR7Vl/x5HfoTADfJXmsrhAa8W6t+IudPIePNKZrKZVGnlatYFrKdAjQwn4/7aOS+Zk11E2PuD8GP6BLs5ADgjODxm06bPVWTEItbdi5sT5L6B0bnfPpI0LNUTaLgKvfxd8JLggtIEiGnkr0kHz6+p/KMVglwm9HZp60ojh2uf98YzdsH5DQ/iPwTduFPy9JtgdMGytfsMW0GHAhtM0FY1yPD8mgSryoYdF7IaBnC1fvZ3ZnMimaNRCv7MXt0LnJbT31cHFrH3V+VJ6xCibDK7Jhp1fHlZTEpE6FDZo9P6cNvj3xnNrsKn4lmecUNeHo9fZRwk0yCBfzqPOSvjzfKJNf8vy3A=</Cookie>

并更改cookie元素的第一个字符(v - &gt; 1)

<?xml version="1.0" encoding="utf-8"?>
<SecurityContextToken xmlns:p1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512" p1:Id="_b686b435-7153-44c4-816f-f5aba60d4ee8-86A9E23C43E7AFDA5B390C4EEDD7C694">
<Identifier>urn:uuid:667635fb-c98e-4cf0-be9e-805957589876</Identifier>
<Cookie xmlns="http://schemas.microsoft.com/ws/2006/05/security">16KYxH2MmIw2IHWasLfLF5DvE8r8mzpcB6FCUZjIJAfrVBruiqxTujm3ZAdGlNRHt6xarPtnOhuBBNm1nAGrInz46fjK5Wu+8aWQpQBczWyceeummyn8SLt2Wr49J6q2A6k7QC73KR7eIuLATkWmQT2AQco42oPi2a+3x/TSOi/ZIjLWeLlomeFF7/j8uhoVxxhDir2Hamp66L5UPhQaUvhq5UfZR5AS0Y17OmXbVdKqSn5x8+7KtJ85CXavvijDibd5AFTwc7sAK66w6n5jKDxxyfYOH4w8jrMB5OpP0o0rWnfOAut7jFq+ECHPGSWs4acXVIAM9wMvryRxo0cnREVgyn1UX/jDnX8PmwaVgo9aCyjPKPgUhaYPL6lV6AYneQTZTUxjd2nB+P9raM9Kp2wsn8lxVZ7vmmK/ZL15S51bHcDWRdG7GDpxv2IhFMnZnBxltDEEkA/G6mYDR7Vl/x5HfoTADfJXmsrhAa8W6t+IudPIePNKZrKZVGnlatYFrKdAjQwn4/7aOS+Zk11E2PuD8GP6BLs5ADgjODxm06bPVWTEItbdi5sT5L6B0bnfPpI0LNUTaLgKvfxd8JLggtIEiGnkr0kHz6+p/KMVglwm9HZp60ojh2uf98YzdsH5DQ/iPwTduFPy9JtgdMGytfsMW0GHAhtM0FY1yPD8mgSryoYdF7IaBnC1fvZ3ZnMimaNRCv7MXt0LnJbT31cHFrH3V+VJ6xCibDK7Jhp1fHlZTEpE6FDZo9P6cNvj3xnNrsKn4lmecUNeHo9fZRwk0yCBfzqPOSvjzfKJNf8vy3A=</Cookie>

我在base64中重新编码并将其注入FedAuth cookie,它仍然有效

我应该从哪里开始寻求解决这个问题?

由于

1 个答案:

答案 0 :(得分:2)

好的 - 我想我现在记得那是怎么回事 -

当写入会话cookie时,它也会缓存在内存中(无论IsReference模式如何)。 在读取时,cookie中的标识符用于尝试首先从缓存中重新水化会话令牌。只有当这个失败时,才会使用实际的cookie(我想节省验证成本)。

这解释了你所看到的。修改标识符将使请求失败。