Keeping SSO Secure
Preventing Cross-Site Request Forgery
Cross-Site Request Forgery (CSRF) is a vulnerability that occurs when an attacker can cause a victim to perform an unintended action on a web resource. In the context of SSO, CSRF vulnerabilities can allow an attacker to force a victim to log in to an app using the attacker’s identity.
For example, an attacker could generate an SSO link for their account and then put it in the source attribute of an image of a web page. They would then force a victim to visit this page, who would unknowingly make a request to clever.com with their existing session, which would log them in with the attackers account to the application in question.
<img src="https://clever.com/oauth/authorize?type=code&client_id=123456">
Depending on the configuration of the application, this may result in a low impact threat ("the victim is logged in to the application as the attacker and may accidentally type in sensitive data") or a high impact threat ("the attacker’s identity is silently added to the victim’s account in the application").
For more information on this threat, see this blog post. For information on protecting your integration against CSRF, see Designing Your Integration.
Shared Devices: Session Re-authentication and Session Invalidation
To protect user data and maintain secure access on shared devices, it is crucial to implement session re-authentication and session invalidation mechanisms. These practices help ensure that user sessions are properly terminated when switching users, preventing unauthorized access to sensitive information. This guide outlines best practices for implementing these features.
1. Session Re-authentication: Ensuring Secure Access Transitions
Session re-authentication requires the user to re-authenticate when necessary, such as after a certain period of inactivity or when switching users on shared devices. Re-authentication ensures that the current user is the rightful owner of the session, preventing unintended access to the data of previously authenticated users.
Key Implementation Steps:
- Prompt Re-authentication on User Switch: Ensure that when a new user attempts to access the application, the existing session is invalidated, and the new user is required to log in. This ensures that only the new user’s session is active on the device.
- Set Short Session Expiration Times: On shared devices, set short session expiration times to minimize the risk of unauthorized access. After a period of inactivity, prompt the user to re-authenticate.
- Multi-Factor Authentication (MFA): For enhanced security, consider implementing MFA during re-authentication. This ensures that even if the device is shared, only authorized users can regain access to the session.
2. Session Invalidation: Terminating Previous Sessions on Shared Devices
Session invalidation is critical for ensuring that only one session is active per user. If a new session is initiated (e.g., via a new login or user switch), the previous session must be terminated to avoid security risks associated with concurrent sessions on shared devices.
Key Implementation Steps:
- Invalidate Old Sessions: Implement logic to invalidate all active sessions when a new authentication occurs. This ensures that no other active session remains after the user logs in from a new instance, device, or browser.
- Clear Session Data Upon Logout: On logout, ensure that all session-related data (such as cookies or local storage) is cleared, preventing session data from being reused inappropriately.
- Immediate Revocation: Use immediate token revocation to ensure that once a session is invalidated, it cannot be used for any further requests.
3. Best Practices for Securing Shared Devices:
- Monitor and Limit Concurrent Sessions: Implement policies that limit the number of concurrent sessions a user can have. If a user logs in on a shared device, any other active sessions should be revoked.
- Graceful Logout: Provide a clear and visible logout option for users on shared devices, encouraging users to end their session when finished.
- Audit and Logging: Log user activities and session invalidation events to detect unusual behavior, such as multiple session creation or failed login attempts.
4. Security Considerations:
- Use Secure Cookies: Store session data in HTTP-only and secure cookies to prevent unauthorized access via cross-site scripting (XSS) attacks.
- Implement HTTPS: Ensure that all sessions and authentication tokens are transmitted over HTTPS to protect against man-in-the-middle attacks.
- Token Expiration and Rotation: Implement short-lived access tokens and automatic token rotation to ensure that session tokens do not persist longer than necessary.
Updated 29 days ago