Disclaimer

Any opinions expressed here are my own and not necessarily those of my employer (I'm self-employed).

Mar 2, 2012

How to enable WIF token replay detection

Windows Identity Foundation (WIF) is vulnerable to replay of security tokens in its default configuration. The "Replay Detection" article on MSDN presents a good example of how things can go wrong without replay detection (why does everyone have to use online banking as their example?):
As another example, suppose that a user opens a browser on a public kiosk, logs on to a bank account using the bank’s Web site, logs off and leaves, but does not close the browser. The response to the user’s logon page, which contains the STS token, is still in the browser’s history. Another person could then browse back to that response page and replay it, which would repost the STS token to the bank’s Web site.
This scenario is very much real and it does not involve any fancy hacking techniques. All you need is a browser and a "back" button. You'll find some scattered references on the Internet to the solution of the problem, the tokenReplayDetection configuration setting. You'll find a mention of the configuration element in the WIF FAQ on Technet and in the WIF book, but you'll find the most helpful explanation in the ACS security guidelines.

I'll cut to the chase; here's the config to enable token replay detection. Please don't use the parameters as-is: read the security considerations below and tweak the values accordingly. Seriously.

<microsoft.identityModel>
  <service>
    <tokenReplayDetection enabled="true" capacity="1000" expirationPeriod="00:10:00" />
  </service>
</microsoft.identityModel>

Note that the expirationPeriod attribute expects a TimeSpan. See the TimeSpan.Parse method for examples of how to set the value. You might be surprised to see that, e.g., a value of "10" would make it ten days, not ten minutes. My example above ("00:10:00") makes it ten minutes.

Security considerations
The replay detection is based on a cache that keeps track of security tokens already seen. The "Replay detection" article explains more about how it works:
This cache does not guarantee that a token can never be replayed. It performs best effort detection based on the size of the cache, the expiry time of the STS token, and the rate of unique authentication requests received by the RP. It is strongly recommended that you tune the cache size and STS token expiry time for your RP to get the right balance between performance and security.
First and foremost, the expirationPeriod must be longer than the period the security tokens are valid. Security tokens should not expire from cache before they have expired themselves. If a token is valid for five minutes, you would want to cache it for at least six minutes. After six minutes it would not be valid anymore, hence it cannot be replayed and can be safely removed from cache.

You need to estimate how many tokens you would need to keep in the cache for the duration of the expirationPeriod. This value is highly dependent on the traffic on your site. You should of course base this estimate on the peak hours of the site and set the capacity attribute accordingly.

Finally, there's the issue of server affinity. Your now fine tuned replay detection cache is not shared between servers. That means that you need to have sticky sessions if you're running a web farm — to ensure that a client keeps hitting the same server. If the user hits a new server, the security token will not be found in the cache.

Verifying replay detection
It's important to verify that the replay detection works. To do that you could log out of your application. Then go back to the page where the security token was submitted and trigger the browser to "resubmit the form." Another approach would be to use a tool such as Fiddler to replay the web request where your security token is posted to WIF. When WIF detects a replayed token it will throw the following exception:
ID1062: Replay has been detected for: Token: 'System.IdentityModel.Tokens.SamlSecurityToken', AssertionId: '_b3f7608b-9c6f-4efc-8300-3e8373f62df3', Issuer: 'Name of STS'. 
Don't assume that replay detection works, verify that a replay triggers the exception!

Remaining security risks
Unfortunately, even if you do everything right, things can still go wrong in the default WIF setup.

  • If a server is removed from the cluster, all tokens that are cached on that server (but not yet expired) can be replayed. They'd hit another server, which would accept the token, sign in the user and put the security token in its own cache.
  • If the capacity of the cache is exceeded, you should expect still-valid tokens to be purged from the cache. Hence, they could be replayed to the very same server. So choose the capacity wisely!
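The two failure modes above, together with the sizing rules from the security considerations, as an added Python model of a bounded, best-effort replay cache. This is not WIF's code; FIFO eviction when capacity is exceeded, the token fields and the sample values are assumptions made for the illustration.

```python
from __future__ import annotations

from collections import OrderedDict
from dataclasses import dataclass


@dataclass(frozen=True)
class Token:
    """Constructed stand-in for a SAML token: only the fields the cache needs."""
    assertion_id: str
    not_before: int       # seconds, relative to issuance by the STS
    not_on_or_after: int  # end of the token's own validity window


class ReplayCache:
    """Model of a best-effort replay cache with a fixed capacity and an
    expiration period. Assumption: the oldest entry is evicted on overflow."""

    def __init__(self, capacity: int, expiration_period: int):
        self.capacity = capacity
        self.expiration_period = expiration_period  # seconds an entry is remembered
        self._seen: "OrderedDict[str, int]" = OrderedDict()

    def accept(self, token: Token, now: int) -> bool:
        """True if the RP should sign the user in; False if expired or replayed."""
        if not token.not_before <= now < token.not_on_or_after:
            return False  # lifetime check happens regardless of the cache
        for aid, seen_at in list(self._seen.items()):
            if now - seen_at >= self.expiration_period:
                del self._seen[aid]  # entry aged out of the cache
        if token.assertion_id in self._seen:
            return False  # this is the point where WIF raises ID1062
        if len(self._seen) >= self.capacity:
            self._seen.popitem(last=False)  # capacity exceeded: oldest entry forgotten
        self._seen[token.assertion_id] = now
        return True


def replay_after_cache_expiry(expiration_period: int, token_lifetime: int = 300,
                              replay_at: int = 240) -> tuple[bool, bool]:
    """Present a token at t=0, then replay it at t=replay_at while it is still valid."""
    cache = ReplayCache(capacity=1000, expiration_period=expiration_period)
    token = Token("_constructed-1", 0, token_lifetime)
    return cache.accept(token, 0), cache.accept(token, replay_at)


def replay_after_capacity_overflow(capacity: int, later_logins: int) -> bool:
    """Present a victim token, then `later_logins` unique tokens, then replay the victim."""
    cache = ReplayCache(capacity=capacity, expiration_period=600)
    victim = Token("_constructed-victim", 0, 300)
    cache.accept(victim, 0)
    for i in range(later_logins):
        cache.accept(Token(f"_constructed-{i}", 0, 300), 1)
    return cache.accept(victim, 2)


def sizing(peak_logins_per_minute: int, token_lifetime_minutes: int) -> tuple[str, int]:
    """expirationPeriod as a TimeSpan string (never a bare number) and a matching capacity."""
    period_minutes = token_lifetime_minutes + 1  # cache entries must outlive the token
    capacity = peak_logins_per_minute * period_minutes
    return f"{period_minutes // 60:02d}:{period_minutes % 60:02d}:00", capacity
```

With a five-minute token and a three-minute expirationPeriod the replay at minute four is accepted; with six minutes it is rejected, and a capacity smaller than the number of unique logins per period lets an evicted token through.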

You would have to implement your own SecurityTokenCache, backed by e.g. AppFabric or a SQL server, to share the security token cache between servers. Hopefully there will be built-in providers in the not so distant future, now that WIF will be incorporated in the .NET framework.

There, hope that helps!

PS! It seems the configuration might be changing for .NET 4.5 where WIF will be included in the System.IdentityModel namespace. According to the 4.5 documentation, there's no capacity attribute.

79 comments:

  1. Good article! Thank you! Something that I am not clear on is how the replay detection works.

    Does it simply detect the replay of tokens that should have expired already or does it detect a token being replayed from multiple locations?

    I have a scenario where we actually make use of token replay within our system. Client logs on to our system, does some operation. He moves on, close the browser what ever.. The operation gets executed in the back-end and eventually we need to call back into the website where some legacy code that has not yet been ported to the back-end exist. But for the back-end to call into the website and to execute under the same users context we need to replay the token of the requesting user.

    How will token replay affect the scenario above?

  33. True that from the history and the back button, we can open the previously opened websites, and that doesn't always prove useful. I like this blog on this important topic.

Copyright notice

© André N. Klingsheim and www.dotnetnoob.com, 2009-2018. Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to André N. Klingsheim and www.dotnetnoob.com with appropriate and specific direction to the original content.
