Securing ASP.NET MVC application

Our web & .NET developer Mykola Pidopryhora has invented his own way of securing ASP.NET MVC apps and presented it as a guide with code pieces and instructions

March 3, 2019
Mykola Pidopryhora

Hi, my name is Mykola Pidopryhora and I’m a Web and .Net software engineer at EGO. Recently I worked on the project in which I faced a specific task – securing ASP.NET MVC application. To solve this task I searched for answers in the Internet, but as it turned out there was no complete solution for this problem. So, I decided to invent my own.
Today I would like to share this ready-to-use solution with you, so you can save some time for a cup of tea with a cookie. Just take it and use.

Let’s get down

Sometimes we need to implement specific security rules, like user auto-logout, whenever a session is time-out or user closed his browser. There are several approaches to implementation of such behavior and very few information about how it can be done.

I’d like to introduce you one of the approaches that allows you to use your set of actions on user’s browser close event. It may seem tricky and so it is. Anyway, in this particular case, it was the most fitting solution. I tried to make the article in a guide style to keep it simple. Here is an example of how to implement a user auto log out in ASP MVC.

It includes handling the following scenarios:

The example was built from https://dotnet.microsoft.com/apps/aspnet 4.6.1 MVC with Individual User Accounts. Here the key points of the idea are described, you can find the source code on GitHub.

Use session timeout to kick out user

Setting session timeout in web.config

<p>CODE: </p>https://gist.github.com/MykolaPod/f6dc95f295e487cb030b1ab147cda300.js<p></p>

In order a user to be logged out after a session expiration he should make a request.

Let’s add a bundle and some scripts for that

<p>CODE: </p>https://gist.github.com/MykolaPod/53e32f1ada826fb3ed21ba5156f32e91.js<p></p>

<p>CODE: </p>https://gist.github.com/MykolaPod/6ce74c267447b757c9b05fe8cbca399b.js<p></p>

Following script will do one simple thing: starts a timer with timeout equals to session timeout. When the time is out it will submit a logout form with a session expired flag.

<p>CODE: </p>https://gist.github.com/MykolaPod/8e3128b30944674a60f0b44eea2016c7.js<p></p>

Let’s add a helper function that will allow us to pass the value from server to client script.

<p>CODE: </p>https://gist.github.com/MykolaPod/860407dd581cb13e9d72a3e5912cbcec.js<p></p>

Use separate layout for authorized and unauthorized site resources:

<p>CODE: </p>https://gist.github.com/MykolaPod/01141c9bebd32901a300014352f0e084.js<p></p>

And use added function and bundles for authorized layout:

<p>CODE: </p>https://gist.github.com/MykolaPod/c96b0bc1b0849fdcab481da81930ac3c.js<p></p>

This way we get a user kicked out when session is expired. The server side will be also notifiedwhether user pressed logout manually or has been kicked out automatically.

Implementation of user kick out on browser/tab close for non-load balancer system

The following approach may be used for systems without a load balancer, which are using one place for sessions. In order to implement such application behavior, I will use WebBackgrounder library, which you can find here.

Approach general overview: keep every user’s session in a collection and clear the sessions during which user`s browser didn’t send a ping request in time (when browser was closed).

Let’s start from adding a job that will keep and handle sessions:

<p>CODE: </p>https://gist.github.com/MykolaPod/ac2091444461aed27191e23ecd064776.js<p></p>

<p>CODE: https://gist.github.com/MykolaPod/c46bac24440adaf3020b20ed835b258f.js</p>

<p>CODE: https://gist.github.com/MykolaPod/b9dcd3ba7992308b7d997125ea66c3cb.js</p>

In order to keep a single sessionId per request let’s add Session_Start callback as well:

<p>CODE: https://gist.github.com/MykolaPod/0a42c89c5c5d1681bd9e9bacc95cb382.js</p>

Let’s add Ping action and OnAuthorization filter into BaseController:

<p>CODE: https://gist.github.com/MykolaPod/1c3af985eb8decb66d9fe599ebf59161.js</p>

Also we need to clear session on user logout manually and inherit controllers from BaseController:

<p>CODE: https://gist.github.com/MykolaPod/e00c27a05d2de9ca8aaacb72aa68f71e.js</p>

And finally let’s add a script that will send a ping request to address, which we have passed into it:

<p>CODE: https://gist.github.com/MykolaPod/5bb98e4530614fed993f79e09ed71e3f.js</p>

<p>CODE: https://gist.github.com/MykolaPod/84536848a157dd0962eba447762515cf.js</p>

Let’s make some modification in actions:

<p>CODE: https://gist.github.com/MykolaPod/bebd0ee35043ecd8f566787dd23e2dff.js</p>

Now we need to add some request filtering and disable browser cache:

<p>CODE: https://gist.github.com/MykolaPod/f09fda802be1999524d5ee8ef8537bd7.js</p>

<p>CODE: https://gist.github.com/MykolaPod/ae7a587ad15f2a8cc000f67c1892d468.js</p>

Well, that’s should be enough.

You can play with timings of ResetPingStatusJob, session timeout and pingActionInterval to get a user logged out after the time period you want. With current timings user will be logged out approximately after 30 seconds since browser / tab has been closed.

But I’d like to add one more thing…

Let`s make a user logged out on navigating to login page

<p>CODE: https://gist.github.com/MykolaPod/b08616a93f7a498a8b1cc8cc270b0171.js</p>

<p>CODE: https://gist.github.com/MykolaPod/bd46c0887da1dc93c25aa8df1bbab9ff.js</p>

And update login layout with using bundles:

<p>CODE: https://gist.github.com/MykolaPod/e57af46186502445ab79721da22cd9f2.js</p>

<p>CODE: https://gist.github.com/MykolaPod/70001f023944837587c927604915a864.js</p>

Using application with load balancer

If you are going to use load-balancer, you need to implement custom session storage provider or use default session storage with sql job that will clear session with task like this:

<p>CODE: https://gist.github.com/MykolaPod/daaac675b903772b81721dbc9cb843ce.js</p>

In this case you don’t need the implementation of PingJob, which described above, but you’ll still need a ping action and session-ping.js.

Here is an example of such MS SQL job :

<p>CODE: https://gist.github.com/MykolaPod/575b6bf7c215ea028c794c0887cf6866.js</p>

I hope this will help you. Good luck!


More Articles

Back to blog