ActiveLogin.Authentication icon indicating copy to clipboard operation
ActiveLogin.Authentication copied to clipboard
verified publisher icon ActiveLogin

Use ITimeLimitedDataProtector when protecting data

Open PeterOrneholm opened this issue 4 years ago • 1 comments

Is your feature request related to a problem? Please describe. We are using the Data Protection functionality in ASP.NET to store temporary state that can safely be round tripped to the client (using cookies or URL). I recently learned about ITimeLimitedDataProtector that adds an extra level of security by making sure that the data protected can't/should not be unprotected after a given point in time.

What area is it related to BankID

Describe the solution you'd like We should use this functionality and limit the time that the data can be unprotected.

These protectors should use it:

  • BankIdLoginOptionsProtector (Suggestion: ~15 minutes, more then enough to perform login on)
  • BankIdLoginResultProtector (Suggestion: 30 seconds, only needed for a client roundtrip)
  • BankIdOrderRefProtector (Suggestion: 15 minutes, more then enough to perform login on)

PeterOrneholm avatar Dec 13 '21 20:12 PeterOrneholm

I've given this some thought. The ITimeLimitedDataProtector does no magic, but simply adds expiration date to the encrypted payload and then verifes that once decrypted.

As we use ISecureDataFormat, which does not support ITimeLimitedDataProtector , we would not be able to use that feature built in but instead it should be quite simple to wrap the encrypted payload ourselves.

PeterOrneholm avatar Dec 15 '21 17:12 PeterOrneholm