Hi, I’ve successfully implemented multi-tenancy, which works well. I am using a single-instance web app which correctly resolves the db connection for general use and authentication based on the request domain. Suddenly I thought: how can I eliminate cross-tenant session spoofing?
Thinking about this further, I think the below applies to any SS services that share an ICacheClient Redis instance (they can be on different web apps).
Scenario:
Person A is permitted to access all resources on tenant1.acme.com, but nothing on tenant2.acme.com
Person A authenticates successfully onto tenant1.acme.com - SS cookies are stored in the browser and the session is stored in Redis.
Person A can then go to tenant2.acme.com and (using dev tools or Fiddler) replace the cookies with the session cookies retrieved from “tenant1”.
In this scenario any [Authenticate] attribute-protected services will look up the urn:iauthsession session from the ICacheClient, and as there is no knowledge of which tenant generated this session, they are granted access.
- Is my reasoning correct?
- If so, where would be the best place to inject information into the session to indicate which Tenant generated it (can’t see hooks in AuthProvider) and best place to extend authentication / required permission attributes to check that the session was generated by the current Tenant?
G
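One way to close the gap described above, as an added example that is not from the post or from ServiceStack itself: a custom `AuthUserSession` that stamps the issuing tenant in `OnAuthenticated`, plus a request filter that denies sessions whose recorded tenant differs from the current request host. `TenantUserSession`, `RequireCurrentTenantAttribute` and `ResolveTenant` are names chosen here, and the host-per-tenant mapping is an assumption about the poster's setup.

```csharp
using System;
using System.Collections.Generic;
using ServiceStack;
using ServiceStack.Auth;
using ServiceStack.Web;

// Custom session type: records which tenant (request host) issued the session.
// Assumes one request host per tenant; swap in your own tenant resolver if not.
public class TenantUserSession : AuthUserSession
{
    public string TenantId { get; set; }

    public override void OnAuthenticated(IServiceBase authService, IAuthSession session,
        IAuthTokens tokens, Dictionary<string, string> authInfo)
    {
        base.OnAuthenticated(authService, session, tokens, authInfo);
        // Stamp the session with the host that performed the login.
        // ServiceStack persists the session to the ICacheClient after this hook runs.
        TenantId = ResolveTenant(authService.Request);
    }

    public static string ResolveTenant(IRequest req) =>
        new Uri(req.AbsoluteUri).Host.ToLowerInvariant();
}

// Request filter: reject an authenticated session that was issued for another tenant.
// Priority is higher than AuthenticateAttribute's (-100) so it runs after auth succeeded.
public class RequireCurrentTenantAttribute : RequestFilterAttribute
{
    public RequireCurrentTenantAttribute() { Priority = -50; }

    public override void Execute(IRequest req, IResponse res, object requestDto)
    {
        var session = req.GetSession() as TenantUserSession;
        var current = TenantUserSession.ResolveTenant(req);

        // A missing TenantId means the session predates this change or came from
        // another app sharing the cache; treat it as foreign and deny as well.
        if (session == null || !session.IsAuthenticated ||
            !string.Equals(session.TenantId, current, StringComparison.OrdinalIgnoreCase))
        {
            res.StatusCode = 403;
            res.StatusDescription = "Session was not issued for this tenant";
            res.EndRequest();
        }
    }
}

// AppHost wiring (assumes an existing AppHost and auth providers):
//   Plugins.Add(new AuthFeature(() => new TenantUserSession(), authProviders));
// Service usage:
//   [Authenticate, RequireCurrentTenant] public class OrdersService : Service { ... }
```

Because the check compares against the host of the current request rather than the cookie's origin, a copied cookie replayed on tenant2.acme.com is refused even though the session record itself is valid in Redis.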