Identityserver4: Invalidate client side cookie with token service
Just wanted to clarify my knowledge and ensure there wasn't a configuration piece I was missing.
Upon successful sign-in the browser is issued idsrv.session and .AspNetCore.Cookies cookies which allowed repeated access to the /connect/authorize endpoint to be handled without having to login again (unless prompt=login param is found)
When the end user browses to /connect/endsession these 2 cookies are cleared up, however it appears as if these cookies are entirely self-contained with no server side representation of them to allow server side invalidation. Result is that if they were to be compromised that they could be used in a replay attack to reissue tokens.
Is there any kind of configuration that I am missing or risk mitigation I can implement to reduce this problem?
garymacpherson
All 3 comments
You can configure the cookie handler in ASP.NET Core to store a server-side representation of them (via ITicketStore SessionStore on the cookie options). That's an ASP.NET Core feature, so check the Microsoft docs.
brockallen
on 18 Apr 2018
Cheers for the direction.
garymacpherson
on 18 Apr 2018
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
![lock[bot] picture](https://avatars1.githubusercontent.com/in/6672?v=4&s=40)
lock[bot]
on 13 Jan 2020
Related issues
leksim
路
3Comments
brockallen
路
3Comments
Aravind1729
路
3Comments
cixonline
路
3Comments
agilenut
路
3Comments
Most helpful comment
You can configure the cookie handler in ASP.NET Core to store a server-side representation of them (via ITicketStore SessionStore on the cookie options). That's an ASP.NET Core feature, so check the Microsoft docs.