cookie replay attack
Auth Cookie replay attack Mitigation
I am reviewing an issue flagged by the compliance team related to broken logout functionality in an ASP-based application. The application in question uses Forms Authentication (ASP.NET) for logon. After successful logon the ".ASPXAUTH" cookie gets sent to the client, which sends it back to the site on each consecutive GET and POST. Once the user clicks the "logoff" button the session cookie gets wiped on the client side. However, when replaying an HTTP POST or GET (containing the .ASPXAUTH cookie captured with Fiddler) I am able to get a valid page in response. The issue with the ASP.NET cookie replay attack is described here and in this MS KB article. Unfortunately, we don't have ASM at our disposal. Is there a way to mitigate the issue with an iRule?
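One way to do this on the BIG-IP, as an added example rather than anything from the original post: when the logoff request goes through, record a hash of the .ASPXAUTH value it carried in the session table, and reject any later request that presents the same value. The logoff path, the login path and the 30-minute retention window are placeholders for this example, and the `table` and `sha256` commands assume a BIG-IP version that provides them (v11.x or later).

```tcl
# Added example (not from the original post): deny-list .ASPXAUTH tickets
# once their owner has logged off, so a captured cookie cannot be replayed.
when RULE_INIT {
    # Placeholder paths; adjust to the application's real logoff/logon URLs.
    set static::logoff_path "/Account/LogOff"
    set static::logon_path  "/Account/LogOn"
    # Keep a revoked entry at least as long as the forms-auth ticket itself
    # could still be accepted by ASP.NET (assumed here: 30 minutes).
    set static::ticket_ttl 1800
}

when HTTP_REQUEST {
    if { [HTTP::cookie exists ".ASPXAUTH"] } {
        # Key on a hash of the ticket so the table never holds the raw cookie.
        set key "aspxauth_revoked:[b64encode [sha256 [HTTP::cookie value ".ASPXAUTH"]]]"

        if { [string tolower [HTTP::path]] equals [string tolower $static::logoff_path] } {
            # Logoff in progress: remember this ticket for ticket_ttl seconds.
            # table set <key> <value> <timeout> <lifetime>
            table set $key 1 indefinite $static::ticket_ttl
            # Let the request continue so ASP.NET performs its own logoff.
        } elseif { [table lookup $key] ne "" } {
            # Ticket presented after logoff: log it, clear the cookie on the
            # client and send the user back to the logon page.
            log local0. "Replayed .ASPXAUTH after logoff from [IP::client_addr] for [HTTP::uri]"
            HTTP::respond 302 Location $static::logon_path \
                "Set-Cookie" ".ASPXAUTH=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT"
            return
        }
    }
}
```

This only blocks tickets the BIG-IP saw at logoff; a ticket that is never logged off remains valid until it expires, so it complements, rather than replaces, a short absolute ticket lifetime on the ASP.NET side.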