问题
Is there built-in support in ASP.NET for preventing an auth ticket from being used after the user has logged out?
I have a site built using ASP.NET. After a user has logged on, a FormsAuthenticationTicket is sent to the user which is kept in the browser until the user logs out (at logout, the server tells the client to delete the cookie).
My issue is that even after the user has logged out and the cookie is deleted from the web browser, someone who has been able to intercept the cookie can continue to use it until it has expired. I do use HTTPS, but this doesn't prevent a trusted proxy in the middle from accessing the data.
I'm currently on ASP.NET v5 and couldn't find any built-in support for preventing this. I also tried to create a fresh ASP.NET Core project in VS2017 but I saw the same problem there (a cookie intercepted using Fiddler can be reused after logout).
I could store custom user data in the token and implement my own persistence store for keeping track of "valid auth tokens". But I wonder if there's some built-in way to accomplish it which I have not seen.
来源:https://stackoverflow.com/questions/46909226/prevent-re-use-of-authentication-cookie-in-asp-net