Claims URL exposed in browser history - security hole?
-
06 February 2012 8:50
Found this official ACS demo
http://www.fabrikamshipping.com while researching ACS. In the app itself, when logging in with one of the providers (I chose Google), I can see in the browser history (Chrome) the URL that contains the claims returned from ACS. It's the URL that starts with:
Going to this URL logs me in to the app, even after clearing all browser cache and cookies. So if I log in to the app from some public computer, and then log out, my account is exposed by going to this URL in the browser's history.
I know this is the standard way that ACS identity handling works. What am I missing here?
Edit:
I made some test app to reproduce the issue.
1) This is the code that runs when the user logs out:
    protected void Page_Load(object sender, EventArgs e)
    {
        FederatedAuthentication.WSFederationAuthenticationModule.SignOut(true);
    }
2) This is the token timeout in the Relying Party settings:
3) I also tried to add these lines (all of them or combinations of them) to the logout:
    FederatedAuthentication.SessionAuthenticationModule.SignOut();
    FederatedAuthentication.SessionAuthenticationModule.DeleteSessionTokenCookie();
    FederatedAuthentication.WSFederationAuthenticationModule.SignOut(false);
    FormsAuthentication.SignOut();
    HttpContext.Current.Session.Abandon();
    HttpContext.Current.Session.Clear();
They have no effect on the result.
- Edited by Yaron Levi 06 February 2012 9:00
- Edited by Yaron Levi 06 February 2012 9:01
- Edited by Yaron Levi 07 February 2012 10:24
- Edited by Yaron Levi 07 February 2012 10:41
All Replies
-
06 February 2012 16:44
You posted your question on Stack Overflow; did it fix your problem?
-
06 February 2012 23:36
The answer I got there was not really a solution, just an explanation. Read his answer and my comment to it. This is still an open issue for me.
-
07 February 2012 5:43 (Moderator)
Hi Yaron,
I can reproduce your situation in IE, not Chrome.
If you copy the Claim Token URL into the address bar of the browser, the website thinks you have logged in and redirects to the personal page and personal information page, right? Even though you close the browser and open a new instance or a new session.
The token is available if you have not logged out in the correct way, so you can use this URL to log in automatically, and after the token has expired (the default is 28800 seconds (8 hours)), the URL will be unavailable. So if you think it's unsafe for customers, try to modify your ACS policies (time out property) or add a logout button in your application.
See
http://msdn.microsoft.com/en-us/library/windowsazure/ee706706.aspx
or use the Azure Management Portal.
"and then log out, my account is exposed by going to this URL in the browser's history"
I cannot see the log out function in this sample; if you find it, please inform me.
Hope it can help you.
Please mark the replies as answers if they help or unmark if not. If you have any feedback about my replies, please contact msdnmg@microsoft.com Microsoft One Code Framework
- Edited by Arwind - MSFT (Moderator) 07 February 2012 5:43
-
07 February 2012 10:30
There is no logout in the fabrikamshipping site. I did further testing in my own test app, and implemented logout.
Please read my updated question. I edited it and added the way I do logout.
For the token time out, I already changed it, and it doesn't help.
Do you have a working example that demonstrates the two things you mentioned (setting the time out property and logging out, which causes the Claims URL to not log you in anymore)?
- Edited by Yaron Levi 07 February 2012 10:37
-
08 February 2012 6:31 (Moderator)
Hi,
I have just created an example for testing this situation.
First, when you log in on the Google login page, please do not select the "Stay signed in" checkbox below the Email and Password; if you select it, Google will help you to log in with ACS.
Second, from the Request.Form property when you log in (please set a breakpoint to view it), you will find some Token and ACS information in it (you need to decode it several times); at last, you can get the Token lifetime, just like below:
<t:Lifetime>
  <wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2012-02-08T05:36:58.426Z</wsu:Created>
  <wsu:Expires xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2012-02-08T05:37:03.426Z</wsu:Expires>
</t:Lifetime>
The interval between the created and expires time is 5 seconds because I set it in the Management Portal, the same as you.
So I think the Token lifetime is correct but something else has happened; I guess it's a WIF and Federation problem, ACS works fine, so I tested it another way.
If you think the token expiry does not make sense, please post the thread on the WIF forum.
To use https://localhost/YourWebSite/ (your web site URL), input the Google account and password to log in, add a button on the page and add the following code in the button's click event:
FederatedAuthentication.WSFederationAuthenticationModule.SignOut(true);
If you open the same page or a new tab in this window, you will find the application is still available because of the SessionAuthenticationModule (web.config) module: the application creates a cookie to manage sessions. So you must open a new window or a new session, or use another browser (such as Chrome). It works fine; the application redirects to the Google login page.
Hope it can help you.
-
08 February 2012 11:29
About the Request.Form property that contains the interval, I will check it, but I have a feeling it will be correct. Other than that, what you said doesn't happen for me. The Claims URL in history will log me in even if:
1) When I logged in I didn't check "remember me".
2) In the logout I put
    FederatedAuthentication.WSFederationAuthenticationModule.SignOut(true);
3) After logging out, I clear the browser cache and cookies and close the browser.
-
15 February 2012 11:07 (Moderator)
Hi Yaron,
Sorry for the delay. Do you copy the Claim Token URL to access your application? If you use that URL, the application will ask for a new Token for your request.
So please try to use a normal inside page, such as the person info page, and have a try.
Hope it can help you.
-
15 February 2012 22:41
I am copying the app URL but unfortunately it still logs me in.
-
16 February 2012 5:21
Hi Yaron,
This is identified as a known issue. One OpenID token should be accepted by the RP only once, but ACS does not fully recognize the Google OpenID token, so ACS accepted the same token a second time.
This issue is caused by some incompatible implementation decisions that were made by different identity providers.
We are doing further research on this issue; I will get back and provide an update here.
Thanks,
Mog Liang
- Marked as Answer by Yaron Levi 20 February 2012 12:08
-
20 February 2012 12:08
Thanks Mog Liang. I am marking your post as an answer until a solution is provided.
-
13 March 2012 6:42
Hi Yaron,
Unfortunately, we don't have the Replay detection feature in the current version of ACS. We will implement this feature in a future release; however, there isn't a timeframe yet.
Thanks,
Mog Liang
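The replay detection that Mog Liang says is missing from ACS is, at its core, a "one token, one acceptance" check: remember each token ID until its lifetime ends and refuse a second presentation. The sketch below is an added example written for this thread, not code from ACS, WIF or the question's app; it assumes a relying party that can read a token's identifier and its expiry (the 5-second lifetime matches the t:Lifetime shown above, and the token IDs are constructed). A check like this at the RP only covers tokens the RP itself receives, which is why the thread's issue had to be fixed on the ACS side.

```csharp
using System;
using System.Collections.Concurrent;

// Added example: a minimal replay cache for a relying party. A token ID is
// accepted the first time it is seen while still within its lifetime; any
// later presentation of the same ID, or of an expired token, is rejected.
public sealed class TokenReplayCache
{
    // token identifier -> expiry time (UTC)
    private readonly ConcurrentDictionary<string, DateTime> _seen =
        new ConcurrentDictionary<string, DateTime>();
    private readonly Func<DateTime> _now; // injected clock so the expiry path can be exercised

    public TokenReplayCache(Func<DateTime> clock) { _now = clock; }

    // True on the first presentation of a live token; false for a replay or an expired token.
    public bool TryAccept(string tokenId, DateTime expiresUtc)
    {
        DateTime now = _now();
        Purge(now);
        if (expiresUtc <= now) return false;       // past its lifetime: never accept
        return _seen.TryAdd(tokenId, expiresUtc);  // TryAdd fails if the ID was already recorded
    }

    // Drop entries whose lifetime has ended; an expired ID is rejected by the lifetime check anyway.
    private void Purge(DateTime now)
    {
        foreach (var kv in _seen)
        {
            DateTime ignored;
            if (kv.Value <= now) _seen.TryRemove(kv.Key, out ignored);
        }
    }
}

public static class ReplayDemo
{
    public static void Main()
    {
        // Constructed timestamps: the same Created instant as the thread's t:Lifetime, 5-second lifetime.
        DateTime clock = new DateTime(2012, 2, 8, 5, 36, 58, 426, DateTimeKind.Utc);
        var cache = new TokenReplayCache(() => clock);
        DateTime expires = clock.AddSeconds(5);

        Console.WriteLine("first use:  " + cache.TryAccept("token-A", expires)); // accepted
        Console.WriteLine("replayed:   " + cache.TryAccept("token-A", expires)); // same ID within lifetime
        clock = clock.AddSeconds(6);                                             // advance past expiry
        Console.WriteLine("after exp:  " + cache.TryAccept("token-A", expires)); // lifetime over
    }
}
```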