IIS7 ASP.NET in-proc session NOT being lost after app recycle

I've got an ASP.NET MVC app running under IIS7. It's using the default in-proc session management, which, according to all that I read, should lose the users' session after an app pool recycle. It doesn't seem to be losing it though. Even an IIS reset doesn't lose the session. Has something changed in IIS7 that keeps the session alive?

Mr. Flibble asked Nov 06 '22 09:11


1 Answer

This is due to cookie replay. What happens is that your browser sends the cookie with the old authentication ticket, which is accepted as a new session, as the Web server does not store valid and expired authentication tickets for later comparison. This makes your site vulnerable to a replay attack if a malicious user obtains a valid forms authentication cookie. To improve security when using a forms authentication cookie, see the MSDN link below:

http://msdn.microsoft.com/en-us/library/system.web.security.formsauthentication.signout.aspx

Darshan Patel answered Nov 09 '22 11:11
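The gap the answer points at is that a forms-authentication ticket is validated purely cryptographically: as long as the cookie decrypts and has not expired, IIS accepts it, whether or not the app pool has been recycled or FormsAuthentication.SignOut() was called since it was issued. The following is an added example (not code from the question or the answer) of closing that gap by keeping a server-side record of each user's last sign-out and rejecting tickets issued before it. It assumes a standard ASP.NET MVC project with forms authentication configured in web.config, a Global.asax-derived MvcApplication class, and a hypothetical in-memory LastSignOut store; that store is only for illustration, since an in-memory dictionary is itself wiped by the recycle described in the question, so a real deployment would back it with a database or distributed cache.

```csharp
using System;
using System.Collections.Concurrent;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Global.asax.cs (added example). After the forms-authentication module has
// built the identity, re-read the ticket and reject it if it was issued before
// the user's last recorded sign-out, i.e. it is a replayed cookie.
public class MvcApplication : HttpApplication
{
    // Hypothetical server-side store: user name -> UTC time of last sign-out.
    // In-memory here for illustration only; use a database or distributed
    // cache so the record survives an app-pool recycle or IIS reset.
    private static readonly ConcurrentDictionary<string, DateTime> LastSignOut =
        new ConcurrentDictionary<string, DateTime>(StringComparer.OrdinalIgnoreCase);

    // Call this from the logout action right after FormsAuthentication.SignOut().
    public static void RecordSignOut(string userName)
    {
        if (!string.IsNullOrEmpty(userName))
            LastSignOut[userName] = DateTime.UtcNow;
    }

    // True when the ticket predates (or coincides with) the user's last sign-out.
    public static bool IsReplayedTicket(FormsAuthenticationTicket ticket)
    {
        DateTime signedOutAt;
        if (!LastSignOut.TryGetValue(ticket.Name, out signedOutAt))
            return false; // never signed out since the store was populated
        return ticket.IssueDate.ToUniversalTime() <= signedOutAt;
    }

    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        HttpCookie cookie = Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
            return; // anonymous request, nothing to check

        FormsAuthenticationTicket ticket = null;
        try
        {
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (Exception)
        {
            // Decrypt throws on a malformed or tampered cookie value; treat as no ticket.
        }
        if (ticket == null || ticket.Expired)
            return; // the framework already refuses these

        if (IsReplayedTicket(ticket))
        {
            // Clear the stale cookie on the client and send the user back to log in.
            FormsAuthentication.SignOut();
            Response.Redirect(FormsAuthentication.LoginUrl, true);
        }
    }
}

// Controllers/AccountController.cs (added example): the logout action that
// feeds the server-side record. Without RecordSignOut, SignOut() only clears
// the browser's copy and a captured cookie keeps working until it expires.
public class AccountController : Controller
{
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult LogOff()
    {
        string name = User.Identity.Name;
        FormsAuthentication.SignOut();
        MvcApplication.RecordSignOut(name);
        return RedirectToAction("Index", "Home");
    }
}
```

The comparison uses the ticket's IssueDate rather than the cookie's own expiry, so a ticket captured before sign-out is refused even though it is still within the configured timeout, while a fresh login after sign-out (issued later than the recorded time) passes. Keep the usual complementary settings from the linked MSDN page alongside this: requireSSL="true" and a short, non-sliding timeout limit how long any captured cookie is usable in the first place.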