We have had a security test against our site, and a vulnerability has been identified.
Issue
If the session identifier were known by an attacker who had access to the user's workstation, the logged out session could be accessed using the session cookie after the user had terminated their session.
Recommendation
Ensure that session identifiers are correctly terminated on the server side when the logout function is invoked.
Code
The code currently does this (if a user clicks the "logout" button):
FormsAuthentication.SignOut();
Roles.DeleteCookie();
Session.Clear();
I'm not sure how to check "ensure that session identifiers are correctly terminated on the server side when the logout function is invoked."
I've done some research and think I should be doing this instead?
Session.Abandon();
If not, what should I be doing? (I'm not entirely sure how to test this...)
In ASP.NET, Session.Abandon() is not sufficient for this task: it does not remove the session ID cookie from the user's browser, so any new request to the same application after the session is abandoned will use the same session ID with a new Session State instance, as Microsoft states here. You need to abandon the session and clear the session ID cookie:
Session.Abandon();
Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", ""));
It's also good practice to change the Forms Authentication cookie name in your web.config file:
<authentication mode="Forms">
<forms name=".CookieName" loginUrl="LoginPage.aspx" />
</authentication>
Here's a good article on Session Attacks and ASP.NET and how to resolve them.
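Putting the question's existing calls and the answer's advice together, here is an added example of a complete logout handler (not code from the question or the answer): it abandons the server-side session and overwrites both the ASP.NET_SessionId cookie and the forms-authentication cookie with expired values rather than just blanking them. The class and method names are my own.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added example: a logout routine for ASP.NET Web Forms that terminates the
// session on the server and removes the identifying cookies from the browser.
public static class Logout
{
    public static void SignOutCompletely(HttpContext ctx)
    {
        // Remove the forms-authentication ticket cookie and the roles cookie.
        // Note: SignOut only removes the cookie; the ticket itself remains
        // valid until its configured timeout, so keep that timeout short.
        FormsAuthentication.SignOut();
        Roles.DeleteCookie();

        // Destroy the server-side session state. Session.Clear() only empties
        // the current session; Abandon() ends it so the old ID maps to nothing.
        ctx.Session.Abandon();

        // Abandon() does not remove the session cookie from the browser, so
        // overwrite it (and the auth cookie) with an empty, already-expired value.
        ExpireCookie(ctx.Response, "ASP.NET_SessionId");
        ExpireCookie(ctx.Response, FormsAuthentication.FormsCookieName);

        // Send the user to the login page configured in web.config.
        ctx.Response.Redirect(FormsAuthentication.LoginUrl, endResponse: true);
    }

    private static void ExpireCookie(HttpResponse response, string name)
    {
        var cookie = new HttpCookie(name, string.Empty)
        {
            Expires = DateTime.UtcNow.AddYears(-1), // in the past: browser deletes it
            HttpOnly = true,                        // not readable from script
            Secure = FormsAuthentication.RequireSSL // match the app's SSL setting
        };
        response.Cookies.Add(cookie);
    }
}
```

To verify the fix, record the cookies sent during an authenticated request, log out, then replay a request to a protected page with those recorded cookies; the application should answer with a redirect to the login page rather than the protected content.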