Session Fixation in ASP.NET

by

Have been doing more digging on this. The best way to prevent session fixation attacks in any web application is to issue a new session identifier when a user logs in.

In ASP.NET Session.Abandon() is not sufficient for this task. Microsoft state in http://support.microsoft.com/kb/899918 that: “”When you abandon a session, the session ID cookie is not removed from the browser of the user. Therefore, as soon as the session has been abandoned, any new requests to the same application will use the same session ID but will have a new session state instance.””

A bug fix has been requested for this at https://connect.microsoft.com/feedback/viewfeedback.aspx?FeedbackID=143361&wa=wsignin1.0&siteid=210#details

There is a workaround to ensure new session ids’ are generated detailed at http://support.microsoft.com/kb/899918 this involves calling Session.Abandon and then clearing the session id cookie.

Would be better if ASP.NET didn’t rely on developers to do this.

More Related Contents:

  1. Replacing ASP.Net’s session entirely
  2. What should I do if the current ASP.NET session is null?
  3. What are all the user accounts for IIS/ASP.NET and how do they differ?
  4. Forms authentication timeout vs sessionState timeout
  5. Losing Session State
  6. What is the App_Data folder used for in Visual Studio?
  7. Close/kill the session when the browser or tab is closed
  8. How serious is this new ASP.NET security vulnerability and how can I workaround it?
  9. Asp.net Identity password hashing
  10. How can I share a session across multiple subdomains in ASP.NET?
  11. ASP.NET session state provider in Azure [closed]
  12. How to restrict folder access in asp.net
  13. Passing session data between ASP.NET Applications
  14. In ASP.NET, when should I use Session.Clear() rather than Session.Abandon()?
  15. How to Customize ASP.NET Web API AuthorizeAttribute for Unusual Requirements
  16. ASP.NET Stress Testing
  17. ASP.net session request queuing
  18. ASP.NET MVC – Session is null
  19. asp.net cookies, authentication and session timeouts
  20. Cannot use a leading ../ to exit above the top directory
  21. How to limit page access only to localhost?
  22. Form Authentication – Cookie replay attack – protection
  23. Asp.Net Session is null in ashx file
  24. Is there a way to keep a page from rendering once a person has logged out but hit the “back” button?
  25. ASP.NET Why are sessions timing out, sessionstate timeout set
  26. Why do ASP.NET JSON web services return the result in ‘d’?
  27. Cache VS Session VS cookies?
  28. IIS Session Timeout vs ASP.NET Session Timeout
  29. How is HttpOnly get set for ASP.NET_SessionId cookie?
  30. Session_End does not fire?

Leave a Comment