This repository has been archived by the owner on Sep 18, 2021. It is now read-only.

Partial login security enhancement #346

Closed
brockallen opened this issue Sep 9, 2014 · 4 comments

Comments

@brockallen (Member)

  • Issue GUID for the PartialLoginReturnUrl claim
  • Put GUID into cookie (protected)
  • Validate GUID in ResumeLoginFromRedirect
cortex93 commented Sep 9, 2014

Who will emit the Guid into the cookie?
Would it be possible to simply remove the returnUrl claim in custom code? You should resume only if there is no need to redirect. I was thinking about a helper method EndPartialLoginAndRedirect to do that and ease custom code.
This scenario could then enable chained custom partial logins?

@brockallen (Member Author)

The GUID would be managed by the authentication page. This also allows parallel logins (multiple tabs).

The security problem is that the user could simply type in the well-known URL and bypass your custom web pages.
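The three steps listed in the opening comment and the well-known-URL bypass described above, modelled as an added Python example (this is not IdentityServer3's own code; the cookie name, the resume path and the `resumeId` query parameter are assumptions, and an HMAC stands in for the host's cookie protection):

```python
import hashlib
import hmac
import secrets
import uuid
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed key for this example; a real host would use its data-protection key.
COOKIE_KEY = secrets.token_bytes(32)
RESUME_PATH = "/resume"            # the well-known resume URL (assumed path)
PARTIAL_COOKIE = "idsrv.partial"   # assumed cookie name

def protect(value: str) -> str:
    """Append an HMAC tag so the cookie value cannot be forged or altered
    (stand-in for the cookie protection the issue refers to)."""
    tag = hmac.new(COOKIE_KEY, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{tag}"

def unprotect(cookie):
    """Return the protected value, or None when the cookie is absent or its tag does not verify."""
    if not cookie or "." not in cookie:
        return None
    value, tag = cookie.rsplit(".", 1)
    good = hmac.new(COOKIE_KEY, value.encode(), hashlib.sha256).hexdigest()
    return value if hmac.compare_digest(tag, good) else None

def start_partial_login(custom_page_url: str):
    """Step 1 and 2: issue a fresh GUID per partial login (so parallel tabs do not
    share one), bake it into the PartialLoginReturnUrl claim and store the same
    GUID, protected, in the cookie. Returns the redirect target for the custom
    page, the cookie jar, and the claims the custom page reads server-side."""
    resume_id = str(uuid.uuid4())
    resume_url = f"{RESUME_PATH}?{urlencode({'resumeId': resume_id})}"
    claims = {"PartialLoginReturnUrl": resume_url}
    cookies = {PARTIAL_COOKIE: protect(resume_id)}
    return custom_page_url, cookies, claims

def resume_login_from_redirect(request_url: str, cookies: dict) -> bool:
    """Step 3: resume only when the resumeId in the URL matches the GUID in the
    protected cookie. A user who types the bare well-known URL, or guesses an
    id, has no matching value and is refused."""
    qs = parse_qs(urlparse(request_url).query)
    presented = qs.get("resumeId", [None])[0]
    expected = unprotect(cookies.get(PARTIAL_COOKIE))
    if presented is None or expected is None:
        return False
    return hmac.compare_digest(presented, expected)
```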

@brockallen (Member Author)

This has been fixed on the dev branch.

cortex93 commented Oct 7, 2014

Not tested yet, but the implementation is good for me.
