How to Secure an ASP.NET MVC Application

Our .NET and web development company expert Mykola Pidopryhora has invented his own way of securing ASP.NET MVC apps and presented it as a guide with code pieces and instructions.

September 14, 2021
Mykola Pidopryhora

Hi, my name is Mykola Pidopryhora and I’m a Web and .Net software engineer at EGO. Recently I worked on a project where I was responsible for securing an ASP.NET MVC application. To solve this task I searched for answers on the Internet, but as it turned out there was no complete solution for this problem. So, I decided to invent my own.

In this post, I would like to share this ready-to-use solution with you, so you can save some time for a cup of tea with a cookie.

Let’s start

As a web development firm, sometimes we need to implement specific security rules, like user auto-logout, whenever a session is timed out or the user closed his browser. There are several approaches to implement such behavior and very little information about how it can be done.

I’d like to introduce you to one of the approaches that allow you to use your set of actions on a user’s browser close event. It may seem tricky and so it is. Anyway, in this particular case, it was the most fitting solution.

I tried to make the article in a guide style to keep it simple. Here is an example of how to implement a user auto log out in ASP MVC.

It includes handling the following scenarios:

The example was built via https://dotnet.microsoft.com/apps/aspnet 4.6.1 MVC with Individual User Accounts. Here the key points of the idea are described.you can find the full source code on GitHub.

Use Session Timeout to Kick the User Out

Setting session timeout in web.config

<p>CODE: </p>https://gist.github.com/MykolaPod/f6dc95f295e487cb030b1ab147cda300.js<p></p>

In order for a user to be logged out after a session has expired, they should make a request.

Let’s add a bundle and some scripts for that

<p>CODE: </p>https://gist.github.com/MykolaPod/53e32f1ada826fb3ed21ba5156f32e91.js<p></p>

<p>CODE: </p>https://gist.github.com/MykolaPod/6ce74c267447b757c9b05fe8cbca399b.js<p></p>

The following script will do one simple thing: it’ll start a timer with a timeout equal to the session timeout. When the time is out it will submit a logout form with the ‘session expired’ flag.

<p>CODE: </p>https://gist.github.com/MykolaPod/8e3128b30944674a60f0b44eea2016c7.js<p></p>

Let’s add a helper function that will allow us to pass the value from the server to the client script.

<p>CODE: </p>https://gist.github.com/MykolaPod/860407dd581cb13e9d72a3e5912cbcec.js<p></p>

In our web application development company, we prefer to use use separate layouts for authorized and unauthorized site resources:

<p>CODE: </p>https://gist.github.com/MykolaPod/01141c9bebd32901a300014352f0e084.js<p></p>

And here we use an extra function and bundles for the authorized layout:

<p>CODE: </p>https://gist.github.com/MykolaPod/c96b0bc1b0849fdcab481da81930ac3c.js<p></p>

This way we get a user kicked out when the session is expired. The server side will be also notified whether the user pressed the Log out button manually or has been kicked out automatically.

devops ninja animation
devops ninja animation
devops ninja animation
devops ninja animation

Implementation of User Kickout on Browser/Tab Closure for Non-Load Balancer System

The following approach may be used for systems that have no load balancer and use one place for sessions. In order to implement such application behavior, I will use the WebBackgrounder library, which you can find here.

Approach general overview: keep every user’s session in a collection and clear the sessions during which the user’s browser didn’t send the Ping request in time (when the browser was closed).

Let’s start from adding a job that will keep and handle sessions:

<p>CODE: </p>https://gist.github.com/MykolaPod/ac2091444461aed27191e23ecd064776.js<p></p>

<p>CODE: </p>https://gist.github.com/MykolaPod/c46bac24440adaf3020b20ed835b258f.js<p></p>

<p>CODE: </p>https://gist.github.com/MykolaPod/b9dcd3ba7992308b7d997125ea66c3cb.js<p></p>

In order to keep a single sessionId per request let’s add Session_Start callback as well:

<p>CODE: </p>https://gist.github.com/MykolaPod/0a42c89c5c5d1681bd9e9bacc95cb382.js<p></p>

Let’s add the Ping action and the OnAuthorization filter into BaseController:

<p>CODE: </p>https://gist.github.com/MykolaPod/1c3af985eb8decb66d9fe599ebf59161.js<p></p>

We also need to clear the session on user logout manually and inherit controllers from BaseController:

<p>CODE: </p>https://gist.github.com/MykolaPod/e00c27a05d2de9ca8aaacb72aa68f71e.js<p></p>

And finally let’s add a script that will send a ping request to the address that we have passed into it earlier:

<p>CODE: </p>https://gist.github.com/MykolaPod/5bb98e4530614fed993f79e09ed71e3f.js<p></p>

<p>CODE: </p>https://gist.github.com/MykolaPod/84536848a157dd0962eba447762515cf.js<p></p>

Let’s make some modification in actions:

<p>CODE: </p>https://gist.github.com/MykolaPod/bebd0ee35043ecd8f566787dd23e2dff.js<p></p>

Now we need to add request filtering and disable browser cache:

<p>CODE: </p>https://gist.github.com/MykolaPod/f09fda802be1999524d5ee8ef8537bd7.js<p></p>

<p>CODE: </p>https://gist.github.com/MykolaPod/ae7a587ad15f2a8cc000f67c1892d468.js<p></p>

Well, that should be enough.

You can play with timings of ResetPingStatusJob, session timeout, and pingActionInterval to get the user logged out after the time period you want. With current timings, the user will be logged out approximately after 30 seconds since browser/tab has been closed. This was the requirement for the project our custom web development company was working on.

But I’d like to add one more thing…

Let's Make a User Log Out When Navigating to Login Page

<p>CODE: </p>https://gist.github.com/MykolaPod/b08616a93f7a498a8b1cc8cc270b0171.js<p></p>

<p>CODE: </p>https://gist.github.com/MykolaPod/bd46c0887da1dc93c25aa8df1bbab9ff.js<p></p>

And update login layout with using bundles:

<p>CODE: </p>https://gist.github.com/MykolaPod/e57af46186502445ab79721da22cd9f2.js<p></p>

<p>CODE: </p>https://gist.github.com/MykolaPod/70001f023944837587c927604915a864.js<p></p>

Using Application With Load Balancer

If you are going to use load balancer, you need to implement custom session storage provider or use the default session storage with an SQL job that will clear session with a task like this:

<p>CODE: </p>https://gist.github.com/MykolaPod/daaac675b903772b81721dbc9cb843ce.js<p></p>

In this case, you don’t need to implement PingJob, which described above, but you’ll still need a ping action and session-ping.js.

Here is an example of such an MS SQL job:

<p>CODE: </p>https://gist.github.com/MykolaPod/575b6bf7c215ea028c794c0887cf6866.js<p></p>

One More Thing

As an outsource web development company, we know how hard it is sometimes to select a tech partner for your web project. You go through blogs of dozens of firms to figure out if they possess the necessary expertise and have experience in building your kind of projects. Then you consider lots of factors and even in the very end you’re worried if your choice was right.

To address this pain, we’ve come out with Product Plans, an easy way to get the most value within a limited budget and time. Each of our plans is carefully crafted and calculated to help you advance with your project and at the same time see us in action. And then, you can either continue working with us or take the feasible outcome of our work and put it to work with another partner (though that never happened yet).

And if you have any additional questions, feel free to contact us.


More Articles

Back to blog