Disclaimer

Any opinions expressed here are my own and not necessarily those of my employer (I'm self-employed).

Mar 2, 2012

How to enable WIF token replay detection

Windows Identity Foundation (WIF) is vulnerable to replay of security tokens in its default configuration, because replay detection is switched off unless you enable it. The "Replay Detection" article on MSDN presents a good example of how things can go wrong without the replay detection (why does everyone have to use online banking as their example?):
As another example, suppose that a user opens a browser on a public kiosk, logs on to a bank account using the bank’s Web site, logs off and leaves, but does not close the browser. The response to the user’s logon page, which contains the STS token, is still in the browser’s history. Another person could then browse back to that response page and replay it, which would repost the STS token to the bank’s Web site.
This scenario is very much real and it does not involve any fancy hacking techniques. All you need is a browser and a "back" button. The fix, the tokenReplayDetection configuration element, is only sparsely documented: you'll find scattered references to it on the Internet, a mention in the WIF FAQ on Technet and in the WIF book, but the most helpful explanation is in the ACS security guidelines.

I'll cut to the chase, here's the config to enable the token replay detection. Please don't use the parameters as is, read the security considerations and tweak the values accordingly. Seriously.


<microsoft.identityModel>
  <service>
    <tokenReplayDetection enabled="true" capacity="1000" expirationPeriod="00:10:00" />
  </service>
</microsoft.identityModel>

Note that the expirationPeriod attribute expects a TimeSpan. See the TimeSpan.Parse method for examples on how to set the value. You might be surprised to see that e.g. a value of "10" would make it ten days, and not 10 minutes. My example would make it ten minutes.

Security considerations
The replay detection is based on a cache that keeps track of security tokens already seen. The "Replay detection" article explains more about how it works:
This cache does not guarantee that a token can never be replayed. It performs best effort detection based on the size of the cache, the expiry time of the STS token, and the rate of unique authentication requests received by the RP. It is strongly recommended that you tune the cache size and STS token expiry time for your RP to get the right balance between performance and security.
First and foremost, the expirationPeriod must be longer than the period the security tokens are valid. Security tokens should not expire from the cache before they have expired themselves. If a token is valid for five minutes, you would want to cache it for at least six minutes. After six minutes it would not be valid anymore, hence it cannot be replayed and can be safely removed from the cache. Keep in mind that WIF tolerates some clock skew when it checks a token's lifetime (the maxClockSkew setting, five minutes by default), so a token is really acceptable for its lifetime plus the skew; the expirationPeriod has to cover both.

You need to estimate how many tokens you would need to keep in the cache for the duration of the expirationPeriod, i.e. how many distinct tokens (logons) a single server receives within one expirationPeriod. This value is highly dependent on the traffic on your site. You should of course base this estimate on the peak hours of the site and set the capacity attribute accordingly.

Finally, there's the issue of server affinity. Your now fine-tuned replay detection cache is not shared between servers. That means that you need to have sticky sessions if you're running a web farm — to ensure that a client keeps hitting the same server. If the user hits a new server, the security token will not be found in that server's cache and the replay will be accepted.

Verifying replay detection
It's important to verify that the replay detection works. To do that you could log out of your application. Then go back to the page where the security token was submitted and trigger the browser to "resubmit the form." Another approach would be to use a tool such as Fiddler to replay the web request where your security token is posted to WIF. When WIF detects a replayed token it will throw the following exception:
ID1062: Replay has been detected for: Token: 'System.IdentityModel.Tokens.SamlSecurityToken', AssertionId: '_b3f7608b-9c6f-4efc-8300-3e8373f62df3', Issuer: 'Name of STS'. 
Don't assume that replay detection works, verify that a replay triggers the exception!

Remaining security risks
Unfortunately, even if you do everything right, things can still go wrong in the default WIF setup.

  • If a server is removed from the cluster, all tokens that are cached on that server (but not expired) can be replayed. They'd hit another server which would accept the token, sign in the user and put the security token in its own cache.
  • If the capacity of the cache is exceeded, valid tokens should be expected to be purged from the cache. Hence, they could be replayed to the very same server. So choose the capacity wisely!

You would have to implement your own SecurityTokenCache, backed by e.g. AppFabric or a SQL server, to share the security token cache between servers. Hopefully there will be built-in providers in the not so distant future, now that WIF will be incorporated in the .NET framework.
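To make the security considerations above concrete, here is an added example (not WIF's code, and not from the original post) that models a per-server replay cache with the two knobs the configuration exposes, capacity and expirationPeriod, and runs the failure modes from this post against it: the back-button replay that a correctly sized cache catches, an expirationPeriod shorter than the token lifetime, a capacity overflow evicting a still-valid token, and a web farm with and without a shared cache. The token IDs, the timeline and the "web1"/"web2" servers are constructed for the example; the TimeSpan parser only covers the formats used in the config snippet.

```python
"""Toy model of WIF-style token replay detection (added illustration, not WIF code)."""
from collections import OrderedDict
from datetime import datetime, timedelta


def parse_timespan(text):
    """Parse the .NET TimeSpan.Parse formats relevant to expirationPeriod:
    'd', 'hh:mm', 'hh:mm:ss' and 'd.hh:mm:ss' (no fractional seconds).
    The trap from the post: a bare number such as "10" means DAYS, not minutes."""
    days, head = 0, text.split(".", 1)[0]
    if "." in text and ":" not in head:
        days, text = int(head), text.split(".", 1)[1]
    parts = [int(p) for p in text.split(":")]
    if len(parts) == 1:
        return timedelta(days=parts[0])
    if len(parts) == 2:
        parts.append(0)
    if len(parts) != 3:
        raise ValueError("unsupported TimeSpan format: %r" % text)
    return timedelta(days=days, hours=parts[0], minutes=parts[1], seconds=parts[2])


class ReplayCache:
    """Bounded set of seen token IDs; entries age out after expiration_period.
    Like WIF's default cache it is process-local: every server gets its own."""

    def __init__(self, capacity, expiration_period):
        self.capacity = capacity
        self.expiration_period = expiration_period
        self._seen = OrderedDict()  # token id -> time first seen, insertion ordered

    def _purge(self, now):
        for token_id, seen_at in list(self._seen.items()):
            if now - seen_at >= self.expiration_period:
                del self._seen[token_id]

    def try_add(self, token_id, now):
        """True if the id is new (and is now remembered); False if it was seen before."""
        self._purge(now)
        if token_id in self._seen:
            return False
        if len(self._seen) >= self.capacity:
            # Full: the oldest entry goes, even though that token may still be valid.
            self._seen.popitem(last=False)
        self._seen[token_id] = now
        return True


class RelyingParty:
    """One web server: lifetime check first, then the replay check."""

    def __init__(self, cache):
        self.cache = cache

    def accept(self, token, now):
        if now >= token["expires"]:
            return "rejected: token expired"
        if not self.cache.try_add(token["id"], now):
            return "rejected: replay detected"  # where WIF throws ID1062
        return "accepted"


T0 = datetime(2012, 3, 2, 12, 0, 0)  # constructed timeline
TOKEN_LIFETIME = timedelta(minutes=5)


def token(n, issued=T0, lifetime=TOKEN_LIFETIME):
    """Constructed stand-in for a SAML assertion: unique id plus expiry."""
    return {"id": "_assertion-%d" % n, "expires": issued + lifetime}


def back_button_replay():
    """Correct sizing: expirationPeriod (10 min) > token lifetime (5 min)."""
    rp = RelyingParty(ReplayCache(1000, parse_timespan("00:10:00")))
    t = token(1)
    return rp.accept(t, T0), rp.accept(t, T0 + timedelta(minutes=1))


def expiration_period_too_short():
    """expirationPeriod (2 min) < token lifetime (5 min): the cache forgets the
    token while it is still valid, so the replay at +3 min is accepted."""
    rp = RelyingParty(ReplayCache(1000, parse_timespan("00:02:00")))
    t = token(1)
    rp.accept(t, T0)
    return rp.accept(t, T0 + timedelta(minutes=3))


def capacity_exceeded():
    """capacity=3 but four logons inside one expirationPeriod: the first token is
    evicted and can be replayed against the very same server."""
    rp = RelyingParty(ReplayCache(3, parse_timespan("00:10:00")))
    victim = token(0)
    rp.accept(victim, T0)
    for n in range(1, 4):
        rp.accept(token(n), T0 + timedelta(seconds=n))
    return rp.accept(victim, T0 + timedelta(minutes=1))


def web_farm(shared_cache):
    """Replay lands on a second server. Only a cache shared between servers
    (the custom SecurityTokenCache the post mentions) catches it."""
    cache1 = ReplayCache(1000, parse_timespan("00:10:00"))
    cache2 = cache1 if shared_cache else ReplayCache(1000, parse_timespan("00:10:00"))
    web1, web2 = RelyingParty(cache1), RelyingParty(cache2)
    t = token(1)
    web1.accept(t, T0)
    return web2.accept(t, T0 + timedelta(minutes=1))


if __name__ == "__main__":
    print("back button:", back_button_replay())
    print("expirationPeriod too short:", expiration_period_too_short())
    print("capacity exceeded:", capacity_exceeded())
    print("farm, per-server cache:", web_farm(shared_cache=False))
    print("farm, shared cache:", web_farm(shared_cache=True))
```

The model deliberately keys the cache on the assertion ID only, which is what makes the eviction and expiry cases visible: in all three "accepted" failure cases the token is still inside its lifetime, so the only thing standing between the attacker and a session is whether the cache still remembers the ID. When you size capacity and expirationPeriod for a real deployment, reason about them the same way: the cache must hold every distinct token seen during one expirationPeriod, and that period must exceed the token lifetime (plus any clock skew you tolerate).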

There, hope that helps!

PS! It seems the configuration might be changing for .NET 4.5 where WIF will be included in the System.IdentityModel namespace. According to the 4.5 documentation, there's no capacity attribute.

50 comments:

  1. Good article! Thank you! Something that I am not clear on is how the replay detection works.

    Does it simply detect the replay of tokens that should have expired already, or does it detect a token being replayed from multiple locations?

    I have a scenario where we actually make use of token replay within our system. The client logs on to our system and does some operation. He moves on, closes the browser, whatever. The operation gets executed in the back-end and eventually we need to call back into the website, where some legacy code that has not yet been ported to the back-end exists. But for the back-end to call into the website and to execute under the same user's context we need to replay the token of the requesting user.

    How will token replay detection affect the scenario above?

Copyright notice

© André N. Klingsheim and www.dotnetnoob.com, 2009-2018. Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to André N. Klingsheim and www.dotnetnoob.com with appropriate and specific direction to the original content.
