MVC 4 Web Api Security
I am very new to web API security. I have used the forms authentication technique. When the user logs in, a token is created and stored as a cookie in the user's web browser. On each request the token is verified, and if the user is authenticated and authorized, the user is given access to the service.

But I think this approach does nothing for web API security. Cookies can easily be copied and pasted into another browser, and anyone can get the service.

I am thinking of using an app key and secret along with forms authentication. I am not supposed to use a third-party service like OAuth for authentication. I am not sure about the implementation of app key and secret and how it exactly works.

Please provide a better way to secure my web API without using third-party services and to prevent cookie hijacking etc. What actions are performed to build a strongly secured web API?

Felt answered 15/10, 2013 at 7:07
"Cookies can easily be copied and pasted into another browser, and anyone can get the service." - this does require a logged-in account though. – Narrow
How will you know that the authentication cookies are coming from a logged-in account? The user has access to the services if he has the authentication token which is stored in the cookie. If any other user copies the cookie and the token is not expired, he will also be authenticated. – Felt
And if I copy your Facebook cookie I can stalk your friends. See "Forms Authentication Cookie value vulnerability" for example, for a discussion on that topic. – Narrow
@Felt please check my answer below. Your worries are valid. But check your authentication cookie and make sure it is httpOnly, and I would not give the user the ability to stay logged in (don't store cookies). You might also choose a short idle timeout if you are so worried. – Reservist

The forms authentication is good enough. You can also do the following:

  1. Use anti-forgery (antifrogery) tokens. Check this or this.
  2. It will also be great if on sensitive actions you check whether the call to the function was made from the same site or not. You can implement your own action filter for this (check if the referral site is your site, or the expected site).

Edited:

Thanks guys for your comments. I guess you are right. Well, authentication cookies in ASP.NET are created as httpOnly cookies, which means that even if the site had some XSS vulnerabilities it will still be safe and the cookie can't be stolen. I would also suggest using HTTPS everywhere if the site is used for sensitive operations (like a bank) to make sure the cookies are perfectly safe.

Reservist answered 15/10, 2013 at 8:33
AntiForgeryToken is for cross-site request forgery, which has little to do with security. The referrer is by no means a means of security, as it is user input. – Narrow
@Narrow It has little to do with authentication. Preventing a cross-site forgery attack has a fair bit to do with security. – Halona
Guys, btw, forgery attacks can be very serious. – Reservist
Now my problem is how to implement anti-forgery in .aspx pages. I don't know why, but they have used .aspx pages instead of Razor views. – Felt
Sorry, can't help you with the syntax for that. – Reservist
Antifrogery? What do you have against frogs? – Amorous
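The answer's first item (anti-forgery tokens) and the later question about doing it from .aspx pages can be put together in one piece of code. What follows is an added example written for this page, not code from Reservist, Felt or the ASP.NET project. It is a Web API action filter for MVC 4 / Web API 1 that validates the standard ASP.NET anti-forgery token pair: the cookie half that ASP.NET issues when the page renders, and the hidden-field half that the page's script forwards in a request header. The header name `X-XSRF-Token`, the attribute name `ValidateApiAntiForgeryTokenAttribute` and the sample `AccountApiController` are assumptions of this example, not ASP.NET conventions. Unlike a referrer check, this does not rely on a header the caller can set freely: a page on another origin cannot read the hidden token, so it cannot supply the header.

```csharp
// Added example for this thread (not from the question, the answer, or ASP.NET).
// Target: ASP.NET MVC 4 / Web API 1 on .NET 4, hosted in IIS.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Web.Helpers;               // AntiForgery, AntiForgeryConfig (System.Web.WebPages.dll)
using System.Web.Http;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

/// <summary>
/// Rejects state-changing Web API calls that do not carry a valid anti-forgery token.
/// Apply to a controller or action: [ValidateApiAntiForgeryToken].
/// </summary>
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false)]
public sealed class ValidateApiAntiForgeryTokenAttribute : ActionFilterAttribute
{
    // Assumed header name carrying the form half of the token pair.
    public const string HeaderName = "X-XSRF-Token";

    public override void OnActionExecuting(HttpActionContext actionContext)
    {
        HttpRequestMessage request = actionContext.Request;

        // Safe methods must not change state, so they need no CSRF check.
        if (request.Method == HttpMethod.Get || request.Method == HttpMethod.Head
            || request.Method == HttpMethod.Options)
        {
            return;
        }

        // Cookie half: written by Html.AntiForgeryToken() / AntiForgery.GetHtml()
        // when the page was rendered. AntiForgeryConfig.CookieName is the real name
        // ASP.NET uses (__RequestVerificationToken plus an app-path suffix).
        string cookieToken = null;
        CookieHeaderValue cookieHeader =
            request.Headers.GetCookies(AntiForgeryConfig.CookieName).FirstOrDefault();
        if (cookieHeader != null && cookieHeader[AntiForgeryConfig.CookieName] != null)
        {
            cookieToken = cookieHeader[AntiForgeryConfig.CookieName].Value;
        }

        // Form half: value of the hidden __RequestVerificationToken input, copied into
        // the header by the page's own script before the call.
        string formToken = null;
        IEnumerable<string> headerValues;
        if (request.Headers.TryGetValues(HeaderName, out headerValues))
        {
            formToken = headerValues.FirstOrDefault();
        }

        try
        {
            // Throws HttpAntiForgeryException when either half is missing, the two
            // halves do not match, or the pair was issued to a different user.
            AntiForgery.Validate(cookieToken, formToken);
        }
        catch (HttpAntiForgeryException ex)
        {
            // Short-circuit the pipeline; the action never runs.
            actionContext.Response = request.CreateErrorResponse(
                HttpStatusCode.Forbidden, "Anti-forgery token missing or invalid: " + ex.Message);
        }
    }
}

// Sample controller (assumed name) showing where the filter goes. The forms
// authentication cookie still decides *who* is calling ([Authorize]); the
// anti-forgery filter decides whether *this page* made the call.
[Authorize]
[ValidateApiAntiForgeryToken]
public class AccountApiController : ApiController
{
    public HttpResponseMessage Post(string newEmail)
    {
        // ... update the signed-in user's email ...
        return Request.CreateResponse(HttpStatusCode.NoContent);
    }
}

// Page side, for the .aspx view engine asked about in the comments (not Razor):
//   <%: Html.AntiForgeryToken() %>          inside the <form> of an MVC ASPX view
//   <%: AntiForgery.GetHtml() %>            on a plain Web Forms page (System.Web.Helpers)
// Either emits the cookie half and a hidden input named __RequestVerificationToken.
// Script side, before each POST/PUT/DELETE sent with XMLHttpRequest or jQuery:
//   var t = document.getElementsByName("__RequestVerificationToken")[0].value;
//   xhr.setRequestHeader("X-XSRF-Token", t);
//
// Cookie hardening from the answer and its comments, in web.config:
//   <httpCookies httpOnlyCookies="true" requireSSL="true" />
//   <authentication mode="Forms">
//     <forms requireSSL="true" slidingExpiration="true" timeout="20" />
//   </authentication>
// httpOnly keeps script away from the ticket, requireSSL keeps it off plain HTTP,
// and a short timeout limits how long a copied ticket stays usable.
```

The filter deliberately validates the token only for non-safe methods, so GET endpoints that merely read data are unaffected; if an action changes state through GET, that is the thing to fix first, since no token scheme protects it. The web.config lines at the end are the concrete form of the answer's httpOnly and HTTPS advice; they do not stop a ticket that has already been copied, which is why the short timeout and the "don't persist the cookie" advice from the comments still matter.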
