Protect api from replay attacks
Im working on a api. The api will be used by an iphone application.
The api requires login. We protect it with asp.net forms authentication. The client gets a cookie to resend on upcoming requests.
We are using htt开发者_开发问答ps but i guess the request can still be replayed. How can i protect so the cookie can only be used by the client that first logged in?
I was thinking about renewing the cookie at each request. But the app Will sometimes send several requests asynchron. So that wont work.
/Patrik
Probably you don't care if any action can be replayed, e.g. the async requests that probably get some non-vital information.
Still you can require the app to essentially re-login before every important action which has financial or security consequences.
I hope you never exchange the authentication secrets (passwords) via the net. Instead, you send the app a challenge string, the app encodes it using the password and sends back. The server does the same and compares the results. This operation is easy to repeat before any important action, and even as a part of an important action: the reply is sent encoded by the secret. Unless the eavesdropper knows the secret, he's out of luck replaying an action, because the challenge sent by server will be different.
No, I have no idea if this scheme fits well into asp.net authentication mechanisms.
You might try having the client send an encrypted or hash protected sequence number and time-stamp with every transaction, and check for duplicates on the server end.
Aside from using a SSL connection for your application to make sure nobody steals the cookie to begin with, there is no fool-proof way to prevent replay attacks that utilize a stolen authentication cookie.
Your best bet is to set the cookie expiration to something pretty low and require the users re-enter their credentials after that timeout. Ideally, this would be a sliding window, but you could make it an absolute one if you don't mind really ticking off your users.
精彩评论