I am using Forms Authentication in ASP.NET. I am running penetration testing for a school project. I am using LENS - ASP.NET Penetration Testing Tool. In the results it told me that my application could be vulnerable to session fixation. Does anyone know how this can be mitigated?
Thanks
Session fixation is an attack in which one person fixates another person's session identifier (SID).
The attack starts with the attacker visiting the website and establishing a valid session. When the application delivers a cookie containing the Session ID, the attacker has fixed, or locked in, a known good session. The attacker will then trick the victim into using this Session ID. At this point the attacker and victim share the same Session ID. Now, any time the information stored in this fixated session is used either to make decisions for the victim or to display information only the victim should see, it can potentially be used and viewed by the attacker! You can read more here.
The only workaround for this would be for ASP.NET to issue a NEW session ID after any successful authentication. That way, once the victim logs in, the attacker will have no access to the session. Another point to remember: NEVER deliver a session until the user logs in.
Remember, in ASP.NET, Session.Abandon() is not sufficient for this task: it does not remove the session ID cookie from the user's browser, so any new request to the same application, after the session is abandoned, will use the same session ID and a new Session State instance! As Microsoft states here. You need to abandon the session and clear the session ID cookie:
Session.Abandon(); // marks the current session state for removal at the end of this request
Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", "")); // overwrites the session ID cookie in the browser with an empty value
It's also a good practice to change the Forms Authentication cookie name in your web.config file:
<authentication mode="Forms">
<forms name=".CookieName" loginUrl="LoginPage.aspx" />
</authentication>
Here's a good article on Session Attacks and ASP.NET and how to resolve it.
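The mitigation described in this answer (discard the pre-login session, force a fresh session ID, and only then issue the authentication ticket), written out as an added example login handler; this is not code from the original post. It assumes a Web Forms page with txtUser, txtPassword and lblError controls and an ASP.NET Membership provider for credential checks.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.SessionState;

// Hypothetical code-behind for LoginPage.aspx (the loginUrl from the web.config above).
public partial class LoginPage : System.Web.UI.Page
{
    protected void btnLogin_Click(object sender, EventArgs e)
    {
        // Assumed: credentials are validated by the configured Membership provider.
        if (!Membership.ValidateUser(txtUser.Text, txtPassword.Text))
        {
            lblError.Text = "Invalid username or password.";
            return;
        }

        // 1. Drop whatever session the browser arrived with. Its ID may have been
        //    planted by an attacker, so nothing from it may carry over to the login.
        Session.Abandon();

        // 2. Generate a new random session ID and write it to the response cookie.
        //    SaveSessionID replaces the ASP.NET_SessionId cookie, so the next request
        //    is bound to an ID the attacker cannot know.
        var manager = new SessionIDManager();
        string newId = manager.CreateSessionID(Context);
        bool redirected, cookieAdded;
        manager.SaveSessionID(Context, newId, out redirected, out cookieAdded);

        // 3. Only now issue the Forms Authentication ticket (non-persistent cookie).
        FormsAuthentication.SetAuthCookie(txtUser.Text, false);

        // 4. Redirect so the new session ID and the auth cookie take effect on a
        //    clean request. GetRedirectUrl honours the ReturnUrl query parameter and
        //    falls back to the configured defaultUrl.
        Response.Redirect(FormsAuthentication.GetRedirectUrl(txtUser.Text, false), true);
    }
}
```

Keep sensitive data out of Session before this handler runs; any values stored under the old ID are discarded with it, which is the intended effect.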