How to mitigate replay attacks for an ASP.Net application?

We use OAuth2 authentication with Okta for our Classic ASP.Net MVC website. After the user logs out of the application, he can “replay” an old request with all of the original cookies and still get access to the website. How can I prevent this security hole?

I have successfully developed a custom ITicketStore for my ASP.Net Core websites to solve this problem (similar to Matteo's Blog - Implementing a custom ITicketStore for ASP.NET Core Identity), but I cannot find a similar concept to ITicketStore for Classic ASP.Net applications.

It turns out that there is an equivalent to ITicketStore in Owin, which is called IAuthenticationSessionStore. You can find an example at: OWIN Form Authentication and Session store | I LOVE PROGRAMMING
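A minimal sketch of such a store, added here as an illustration and not taken from the post or the linked article. The class name `InMemorySessionStore` is hypothetical, and the in-memory dictionary is an assumption that only suits a single server; a web farm would need a shared store such as a database or distributed cache.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Threading.Tasks;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;

// Hypothetical class: keeps tickets server-side so the cookie holds only a lookup key.
public class InMemorySessionStore : IAuthenticationSessionStore
{
    private readonly ConcurrentDictionary<string, AuthenticationTicket> _tickets =
        new ConcurrentDictionary<string, AuthenticationTicket>();

    public Task<string> StoreAsync(AuthenticationTicket ticket)
    {
        // Unguessable 256-bit key; this is all the browser receives.
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) { rng.GetBytes(bytes); }
        var key = Convert.ToBase64String(bytes);
        _tickets[key] = ticket;
        return Task.FromResult(key);
    }

    public Task RenewAsync(string key, AuthenticationTicket ticket)
    {
        // Update only a live session, so a renewal racing a logout cannot revive it.
        AuthenticationTicket current;
        if (_tickets.TryGetValue(key, out current)) _tickets.TryUpdate(key, ticket, current);
        return Task.FromResult(0);
    }

    public Task<AuthenticationTicket> RetrieveAsync(string key)
    {
        AuthenticationTicket ticket;
        if (!_tickets.TryGetValue(key, out ticket))
            return Task.FromResult<AuthenticationTicket>(null); // logged out or unknown key
        var expires = ticket.Properties.ExpiresUtc;
        if (expires.HasValue && expires.Value <= DateTimeOffset.UtcNow)
        {
            _tickets.TryRemove(key, out ticket); // drop expired sessions on access
            return Task.FromResult<AuthenticationTicket>(null);
        }
        return Task.FromResult(ticket);
    }

    public Task RemoveAsync(string key)
    {
        // The cookie middleware calls this on sign-out; a replayed cookie then finds no ticket.
        AuthenticationTicket removed;
        _tickets.TryRemove(key, out removed);
        return Task.FromResult(0);
    }
}
// Registration in Startup.Configuration:
// app.UseCookieAuthentication(new CookieAuthenticationOptions { SessionStore = new InMemorySessionStore() });
```

Because the cookie now references server-side state, a request replayed after logout presents a key that no longer resolves to a ticket and is treated as unauthenticated.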
