
Editorial Team
Asked: May 23, 2026

We are building an ASP.NET MVC3 web application for a client.

In this application, the client would like the user to log on using his username/password combination. However, if the username/password is correct, a one-time pin should be sent to the user’s cell phone. The user should only be authenticated once he enters the correct one-time pin (OTP).

So I am wondering if the following solution is secure:

  1. The user logs on with his userName and password. We use Membership.ValidateUser to verify the userName/password, but we don’t set the Auth Cookie yet.
  2. We store the user’s userName and password in Session.
  3. We store the fact that the user is ‘half’ logged-in in Session.
  4. We redirect back to the Login Page.
  5. The user now gets a chance to enter the OTP and submits to the server a second time.
  6. We validate the username/password/OTP combination.
  7. If valid, we set the Forms Authentication Cookie.

PS: this will all happen on SSL.

The hypothetical LogIn page may look as follows (notice the three states):

<h2>Log On</h2>
<div>
    @if (User.Identity.IsAuthenticated)
    {
        <p class="green bold">
            You are logged-on fully. Your UserName and Password match, and the OTP you have entered was correct.
        </p>
        <form action="/Account/LogOff">
            <input type="submit" value="Log Off" />
        </form>
    }
    else if (ViewBag.AwaitingOTP)
    {
        <p>
            Hi @ViewBag.UserName
        </p>
        <p class="orange">
            Step 2/2: Please enter the OTP sent to your cell phone.
        </p>
        <form method="post" action="/Account/VerifyOTPAndLogOn">
            <input name="otp" type="text" placeholder="One-Time Pin" />
            <input type="submit" />
        </form>
    }
    else
    {
        <p>
            Hi stranger!
        </p>
        <p class="orange">
            Step 1/2: Please enter your username and password.
        </p>
        <form method="post" action="/Account/LogOnHalfwayAndRequestOTP">
            <input name="userName" type="text" placeholder="userName" />
            <input name="password" type="password" placeholder="password" />
            <input type="submit" value="Log On" />
        </form>
    }

</div>

The controller code looks as follows:

using System.Web.Mvc;
using System.Web.Security;

public class AccountController : Controller   // Controller (not ControllerBase) provides Session, View() and RedirectToAction()
{
    // Step 3: the 'half logged-in' flag lives in Session until the OTP has been verified.
    public bool HalfwayLoggedOnStillAwaitingOTP
    {
        get
        {
            if (Session["AwaitingOTP"] != null)
                return (bool)Session["AwaitingOTP"];

            return false;
        }
        set
        {
            Session["AwaitingOTP"] = value;
        }
    }

    public ActionResult LogOn()
    {
        ViewBag.AwaitingOTP = HalfwayLoggedOnStillAwaitingOTP;
        ViewBag.UserName = Session["UserName"];

        return View();
    }

    [HttpPost]
    public ActionResult LogOnHalfwayAndRequestOTP(string userName, string password)
    {
        //Authenticate user, but not fully... (i.e. we're not calling FormsAuthentication.SetAuthCookie yet)
        if (Membership.ValidateUser(userName, password))
        {
            //Step 2: keep the credentials in Session for the OTP step.
            Session["UserName"] = userName;
            Session["Password"] = password;
            HalfwayLoggedOnStillAwaitingOTP = true;

            //...
            //...Call service that sends OTP to the user's cellPhone.
            //...
        }
        else
        {
            HalfwayLoggedOnStillAwaitingOTP = false;
        }

        ViewBag.AwaitingOTP = HalfwayLoggedOnStillAwaitingOTP;
        ViewBag.UserName = Session["UserName"];

        return View("LogOn");
    }

    [HttpPost]
    public ActionResult VerifyOTPAndLogOn(string otp)
    {
        string userName = (string) Session["UserName"];
        string password = (string) Session["Password"];
        if (OTPIsValid(otp, userName, password))
        {
            //Step 7: only now is the user fully authenticated.
            FormsAuthentication.SetAuthCookie(userName, false);

            return RedirectToAction("Index", "Home");
        }
        else
        {
            //Display a nice error message here and stay on the OTP step of the LogOn view.
            ViewBag.AwaitingOTP = HalfwayLoggedOnStillAwaitingOTP;
            ViewBag.UserName = userName;
            return View("LogOn");
        }
    }

    private bool OTPIsValid(string otp, string userName, string password)
    {
        //...
        //...Validate OTP here. For now we assume the user entered the correct OTP.
        //...
        return true;
    }
}

Are there any security holes in this implementation? I’m not sure how secure it is to store the username/password in session, or if it’s safe to trust that the user is really authenticated when the Session["AwaitingOTP"] value is set.


1 Answer

Editorial Team
Added an answer on May 23, 2026 at 12:47 am

I will answer my own question with information that I have gathered over the past 24 hours. Hopefully this is correct.

What worried me about the proposed solution is the short period of time during which we rely solely on Session state to store the fact that the user was authenticated (because only after the OTP is entered do we use proper Forms Authentication).

The ASP.NET session key is stored in a cookie. It is encrypted, so it is relatively secure. But it is still vulnerable to the same threats as standard forms authentication:

  • XSS
  • Man-in-the-middle attacks (SSL will protect against this)
  • Cookie theft

I would change the proposed solution to not store the user’s password in session (and only store his userName). And I would make sure that SSL is used.

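A hardened version of the two-step flow from the question, written for this page as an added example (not the questioner's code) that applies the answer's advice: the password is not kept in Session, the OTP is random, server-side only, single-use and time-limited, and the forms cookie is issued only after a constant-time OTP check. Only the two POST actions are shown; the example assumes the question's LogOn view with @Html.AntiForgeryToken() added to both forms, and SendOtpToPhone is a hypothetical stand-in for the SMS service, not a real API.

```csharp
using System;
using System.Security.Cryptography;
using System.Web.Mvc;
using System.Web.Security;

public class AccountController : Controller
{
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult LogOnHalfwayAndRequestOTP(string userName, string password)
    {
        Session.Clear(); ViewBag.AwaitingOTP = false;   // any earlier half-login is void
        if (!Membership.ValidateUser(userName, password))
            return View("LogOn");
        var buf = new byte[4];                          // 6-digit OTP from a CSPRNG (negligible modulo bias)
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(buf);
        string otp = (BitConverter.ToUInt32(buf, 0) % 1000000).ToString("D6");
        Session["UserName"] = userName;                 // only the name; the password is never retained
        Session["Otp"] = otp;                           // server side only; never written to the response
        Session["OtpExpires"] = DateTime.UtcNow.AddMinutes(5);
        SendOtpToPhone(userName, otp);                  // hypothetical SMS hook, not a real API
        ViewBag.AwaitingOTP = true; ViewBag.UserName = userName;
        return View("LogOn");
    }

    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult VerifyOTPAndLogOn(string otp)
    {
        var userName = Session["UserName"] as string;
        var expected = Session["Otp"] as string;
        var expires = Session["OtpExpires"] as DateTime?;
        Session.Clear(); ViewBag.AwaitingOTP = false;   // one attempt per OTP: a miss means step 1 again
        if (userName == null || expected == null || expires == null
            || expires < DateTime.UtcNow || !FixedTimeEquals(otp ?? "", expected))
            return View("LogOn");                       // no pending step 1, expired, or wrong OTP
        FormsAuthentication.SetAuthCookie(userName, false);
        return RedirectToAction("Index", "Home");
    }

    private static bool FixedTimeEquals(string a, string b)   // no early exit on the first mismatch
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    private static void SendOtpToPhone(string userName, string otp) { }
}
```

Session.Clear() empties the state but does not rotate the ASP.NET session id, so a session fixation defence (Session.Abandon() plus removing the ASP.NET_SessionId cookie) is a separate step this example does not include.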
