ASP.NET Session Fixation
If you are supporting or maintaining ASP.NET legacy applications, then you might have heard about the session fixation issue. Anyone with a little technical background can easily exploit the issue if it is not handled properly. First, let us understand what session fixation is.

What is the session fixation issue?

- All users receive the ASP.NET_SessionId cookie once they load an ASP.NET application in their browser.
- This cookie is used by ASP.NET to identify the user and to load the session variables.
- The issue is that when we provide login/logout functionality in our website, this ASP.NET_SessionId value might be misused. If someone notes down the session value before the user logs in, they can get complete access to the site by passing the copied ASP.NET_SessionId cookie.
- The cookie value remains the same even after abandoning the session once the user logs out, so the chances of exploitation are high.

Workaround for this issue:

- When the user signs out: Change the ASP.NE...
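The following is an added example, not the post's own code (the post's workaround is cut off above). It shows one way an ASP.NET application built on System.Web can expire the ASP.NET_SessionId cookie when the user signs out and issue a fresh session identifier when the user signs in, so an identifier observed before authentication is not carried into the authenticated session. The class and method names are illustrative.

```csharp
// Added example (not the post's code): mitigating ASP.NET_SessionId fixation
// in a System.Web application by expiring the session cookie on sign-out and
// issuing a fresh session identifier on sign-in.
using System;
using System.Web;
using System.Web.SessionState;

public static class SessionFixationGuard
{
    // Cookie name used by the default ASP.NET session state configuration.
    private const string SessionCookieName = "ASP.NET_SessionId";

    // Call from the sign-out handler. Session.Abandon() alone leaves the cookie
    // value in the browser, so the same identifier is presented on the next
    // request; expiring the cookie forces ASP.NET to issue a new one.
    public static void OnSignOut(HttpContext context)
    {
        if (context == null) throw new ArgumentNullException("context");

        context.Session.Clear();
        context.Session.Abandon();

        var expired = new HttpCookie(SessionCookieName, string.Empty)
        {
            Expires = DateTime.UtcNow.AddDays(-1), // past date removes it from the browser
            HttpOnly = true,
            Secure = context.Request.IsSecureConnection
        };
        context.Response.Cookies.Add(expired);
    }

    // Call from the sign-in handler after credentials are verified. Replaces
    // the identifier that existed before authentication, so a pre-login value
    // someone may have noted down is no longer tied to the authenticated session.
    public static string RegenerateSessionId(HttpContext context)
    {
        if (context == null) throw new ArgumentNullException("context");

        var manager = new SessionIDManager();
        string newId = manager.CreateSessionID(context);

        bool redirected, cookieAdded;
        manager.SaveSessionID(context, newId, out redirected, out cookieAdded);
        return newId;
    }
}
```

Because the current request's Session object is still bound to the old identifier, populate user-specific session data on the next request (after a redirect) rather than in the same sign-in handler.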