1/30/2015 1:56 PM
 
I have no idea how to correct this. It seems like a security issue and I have not been able to find any information on how to fix this issue.

Scenario:

Setup:
  1. Windows 7, Chrome browser, Edit this Cookie extension
  2. VM running KUbuntu desktop, Chrome browser, Edit this Cookie extension
  3. DNN HTTPS site with user logins

Process:
  1. Using the Windows 7 system, go to the DNN site and log in.
  2. Use the Edit this Cookie extension to export all cookies from the DNN page to the clipboard.
  3. Paste the cookies into a text editor and remove all cookies except the .DOTNETNUKE cookie.
  4. Copy to clipboard.
  5. In the KUbuntu VM, select the Edit this Cookie extension and select import cookie.
  6. Paste the cookie into the dialog and select the check.
  7. Copy the URL from the Windows 7 browser into the KUbuntu browser and press Return.
  8. The KUbuntu system goes to the web page without authenticating.
  9. Both browsers can move around the web site.
  10. In the Windows 7 browser select logout; the browser page goes to the login page.
  11. The KUbuntu browser can still navigate the site because it is still logged in.

Information found:
A thread on the DNN site (http://www.dnnsoftware.com/forums/threadid/497917/scope/posts/session-fixation) shows a way to time out the session by inserting:
    private void DoLogoff()
    {
        try
        {
            // Remove user from cache
            if (User != null)
            {
                DataCache.ClearUserCache(PortalSettings.PortalId, Context.User.Identity.Name);
            }

            Session.Clear();    // add these two lines
            Session.Abandon();  // add these two lines

            var objPortalSecurity = new PortalSecurity();
            objPortalSecurity.SignOut();
        }
        catch (Exception exc)    // Page failed to load
        {
            Exceptions.ProcessPageLoadException(exc);
        }
    }

Adding the two lines does not fix this continuous logon. This is an issue for our PCI penetration test. What has to be done to invalidate the second session when the primary session logs off?

1/31/2015 11:01 AM
 
Please note, all suspected security issues should be sent to community.security@dnnsoftware.com.

This is a false-positive. That is behaviour by design. This is a standard asp.net forms authentication cookie which contains an expiration date value, i.e. there is no server-side value to expire. Sites can control the expiration of this cookie via the forms node timeout, and there is code to ensure that the cookie cannot be tampered with or decrypted (as well as code to ensure that it cannot be captured via javascript). The reason the cookie does not create a new session on login is that the forms authentication cookie contains its own expiration date. This is standard asp.net practice and DNN does not do anything different here, except in one respect where we improved upon asp.net's behavior by introducing an additional value that would allow different timeouts to be specified for temporary and persistent forms authentication cookies (http://www.dnnsoftware.com/wiki/page/...). Note: we support the ability to disable persistent forms auth cookies (via "remember me") as an installation setting - see http://www.dnnsoftware.com/wiki/page/...

Finally, session replay attacks require cookies to be captured. The most common way to do so is via malicious javascript. DNN implements protection for this via the HttpOnly attribute which we apply to all cookies; the HttpOnly attribute directs browsers to use cookies via the HTTP protocol only. An HttpOnly cookie is not accessible via non-HTTP methods, such as calls via JavaScript (e.g., referencing "document.cookie"), and therefore cannot be stolen easily via cross-site scripting attacks.

The other way that a cookie can be stolen is if it is intercepted during transmission by a node on the network (e.g. a load balancer, firewall, router etc.). Whilst this is less common, asp.net has standard protection for this, which is to ensure that the cookie is only transmitted over a secure channel (i.e. HTTPS). To do so, a secure attribute must be set on the cookie. As we do not know in advance if a site has SSL enabled, we cannot set that value for them. However, it's extremely easy for a site to set that value for themselves. To do so, simply edit web.config and set requireSSL to true on the httpCookies node, i.e. the default in DNN looks like this:

    <httpCookies httpOnlyCookies="true" requireSSL="false" domain="" />

This should be updated as so:

    <httpCookies httpOnlyCookies="true" requireSSL="true" domain="" />

Note: some sites don't bother setting the attribute on all cookies, as mostly they contain harmless information. Typically only the forms authentication cookie is the target of interception, so asp.net allows the requireSSL attribute to be set just for that cookie, i.e. the default looks like this:

    <forms name=".DOTNETNUKE" protection="All" timeout="60" cookieless="UseCookies" />

And the secure version would look like this:

    <forms name=".DOTNETNUKE" protection="All" timeout="60" cookieless="UseCookies" requireSSL="true" />
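As an added illustration, not part of either post and not DNN or ASP.NET code, the following Python model shows why the copied cookie in the question survives the primary browser's logout: the ticket carries its own expiry and a MAC, and the stock check consults nothing on the server. It also shows the one thing that does change the outcome, a hypothetical server-side record of the user's logout time that is checked on every request. The key, user name, and timestamps are constructed values; the MAC-only protection is a simplification of the ASP.NET protection="All" (encrypt plus MAC) ticket.

```python
import base64
import hashlib
import hmac
import json

# Constructed placeholder standing in for the ASP.NET machineKey; not a real key.
SECRET = b"constructed-demo-key-not-a-real-machineKey"


def issue_ticket(username, issued_at, timeout_minutes=60):
    """Build a self-contained ticket: user name, issue time and expiry, MAC-protected.

    This mirrors what the reply describes: the expiration lives inside the
    cookie, and the server keeps no record of the ticket.
    """
    payload = {"name": username, "issued": issued_at,
               "expires": issued_at + timeout_minutes * 60}
    body = base64.urlsafe_b64encode(
        json.dumps(payload, sort_keys=True).encode()).decode()
    mac = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def parse_ticket(ticket):
    """Return the ticket payload, or None if the MAC does not verify (tampering)."""
    body, sep, mac = ticket.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(body))


def is_valid_stateless(ticket, now):
    """Stateless check, as in stock forms authentication: MAC ok and not yet expired."""
    t = parse_ticket(ticket)
    return t is not None and now < t["expires"]


class RevocationStore:
    """Hypothetical server-side addition: logout records a per-user cut-off time.

    Any ticket issued at or before that time is refused, even though its MAC
    and embedded expiry are still fine. This turns "logout" from a client-side
    cookie deletion into a server-side invalidation.
    """

    def __init__(self):
        self.logged_out_at = {}

    def logout(self, username, now):
        self.logged_out_at[username] = now

    def is_valid(self, ticket, now):
        t = parse_ticket(ticket)
        if t is None or now >= t["expires"]:
            return False
        cutoff = self.logged_out_at.get(t["name"])
        return cutoff is None or t["issued"] > cutoff


def demo():
    """Replay the thread's scenario against both checks."""
    t0 = 1_000_000                       # constructed epoch seconds
    ticket = issue_ticket("alice", t0)   # primary browser logs in
    copied = ticket                      # same cookie imported into the second browser
    store = RevocationStore()
    before_logout = (is_valid_stateless(copied, t0 + 60), store.is_valid(copied, t0 + 60))
    store.logout("alice", t0 + 120)      # primary browser clicks logout
    after_logout = (is_valid_stateless(copied, t0 + 180), store.is_valid(copied, t0 + 180))
    tampered = copied[:-1] + ("0" if copied[-1] != "0" else "1")
    return {
        "before_logout": before_logout,   # (True, True)
        "after_logout": after_logout,     # (True, False): stateless check still accepts the copy
        "tampered": is_valid_stateless(tampered, t0 + 60),          # False
        "after_timeout": is_valid_stateless(copied, t0 + 61 * 60),  # False
    }


if __name__ == "__main__":
    print(demo())
```

The stateless check is exactly what the reply describes, so the copied cookie stays valid until the forms timeout elapses; the only knobs the page itself offers are that timeout and keeping the cookie off plain HTTP. The RevocationStore is an assumption of mine, not a DNN feature: in ASP.NET the same idea would be applied in an Application_PostAuthenticateRequest handler that decrypts the ticket with FormsAuthentication.Decrypt and compares its IssueDate against a stored logout time, at the cost of a lookup on every request.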
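The reply's web.config advice comes down to three attributes, and a PCI reviewer usually wants a repeatable check rather than eyeballing the file. The following audit script is an added example, not DNN's or ASP.NET's code; it parses a web.config and reports whether httpOnlyCookies is on, whether requireSSL is set on either the httpCookies node or the forms node, and the forms timeout that bounds how long a copied cookie remains usable. The two embedded configs are constructed from the snippets quoted in the reply; the missing-attribute defaults (false for both flags, 30 minutes for timeout, All for protection) are ASP.NET's.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the DNN defaults quoted in the reply, placed in a
# minimal web.config skeleton (a real file has many more sections).
DEFAULT_CONFIG = """<configuration>
  <system.web>
    <httpCookies httpOnlyCookies="true" requireSSL="false" domain="" />
    <authentication mode="Forms">
      <forms name=".DOTNETNUKE" protection="All" timeout="60" cookieless="UseCookies" />
    </authentication>
  </system.web>
</configuration>"""

# Same skeleton with the forms-only hardening the reply recommends.
HARDENED_CONFIG = DEFAULT_CONFIG.replace(
    'cookieless="UseCookies" />',
    'cookieless="UseCookies" requireSSL="true" />')


def _attr_true(elem, name):
    """Read a boolean attribute; a missing element or attribute counts as false,
    which is the ASP.NET default for both httpOnlyCookies and requireSSL."""
    return elem is not None and elem.get(name, "false").strip().lower() == "true"


def audit_web_config(xml_text):
    """Return a list of findings about the authentication cookie settings."""
    root = ET.fromstring(xml_text)
    system_web = root.find("system.web")
    cookies = system_web.find("httpCookies") if system_web is not None else None
    forms = system_web.find("authentication/forms") if system_web is not None else None

    findings = []
    if not _attr_true(cookies, "httpOnlyCookies"):
        findings.append("httpCookies/@httpOnlyCookies is not true: cookies readable from script")
    # requireSSL on httpCookies covers every cookie; on forms it covers only the auth cookie.
    if not (_attr_true(cookies, "requireSSL") or _attr_true(forms, "requireSSL")):
        findings.append("requireSSL is false on both httpCookies and forms: "
                        "the .DOTNETNUKE cookie may be sent over plain HTTP")
    if forms is not None and forms.get("protection", "All") != "All":
        findings.append("forms/@protection is not All: ticket not both encrypted and MAC-protected")
    return findings


def forms_timeout_minutes(xml_text):
    """Forms timeout in minutes: the only setting on the page that bounds replay of a copied cookie."""
    forms = ET.fromstring(xml_text).find("system.web/authentication/forms")
    return int(forms.get("timeout", "30")) if forms is not None else None


if __name__ == "__main__":
    for label, cfg in (("default", DEFAULT_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_web_config(cfg), "timeout:", forms_timeout_minutes(cfg))
```

Run it against the site's real web.config by reading the file into a string; an empty findings list with a timeout you are comfortable with is the state the reply is steering towards.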
