ASP.NET Session Fixation

If you are supporting or maintaining legacy ASP.NET applications, you may have heard of the session fixation issue. Anyone with a little technical background can exploit it if it is not handled properly. First let us understand what session fixation is.

What the session fixation issue is:

  1. Every user receives the ASP.NET_SessionId cookie as soon as they load the ASP.NET application in their browser
  2. ASP.NET uses this cookie to identify the user and to load that user's session variables
  3. The issue is that when the site provides login/logout functionality, this ASP.NET_SessionId value can be misused: if someone notes down the session value before the user logs in, they can get complete access to the site by presenting the copied ASP.NET_SessionId cookie
  4. The cookie value remains the same even after the session is abandoned when the user logs out, so the chances of exploitation are high


Workaround for this issue:

When user signs out

Change the ASP.NET_SessionId value when the user logs out by running the following line in the sign-out handler (it overwrites the cookie with an empty value, so the browser stops sending the old identifier):
       // overwrite the session cookie so the old ASP.NET_SessionId value is not reused
       Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", ""));

When user logs in

Similarly, you can create a new cookie value when the user logs in as well, but that triggers the Session_Start event. Another alternative is to create your own authentication cookie and verify its value in the master page.

protected void Login(object sender, EventArgs e)
{
    // create a new GUID and save it in the session
    // (the key name must match the one checked in the master page)
    string guid = Guid.NewGuid().ToString();
    Session["AuthToken"] = guid;
    // now create a new cookie carrying the same GUID value
    Response.Cookies.Add(new HttpCookie("AuthToken", guid));
}

and in the master page's Page_Load:

protected void Page_Load(object sender, EventArgs e)
{
    // both values may be missing (no login yet, or cookie cleared at logout),
    // so check for null before comparing instead of calling ToString() on a null entry
    object expected = Session["AuthToken"];
    HttpCookie cookie = Request.Cookies["AuthToken"];
    if (expected == null || cookie == null || !expected.ToString().Equals(cookie.Value))
    {
        Response.Redirect("Login.aspx");
    }
}
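The login, check and logout steps above, gathered into one helper so that every page handles them the same way. This is an added example, not code from the original post; the class name SessionAuthToken, the method names Issue/IsValid/Clear and the Default.aspx redirect target are assumptions. Compared with the fragments above it also expires the ASP.NET_SessionId cookie on logout, marks the token cookie HttpOnly (and Secure on HTTPS), draws the token from the OS random generator, and compares values without short-circuiting on the first mismatch.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;

// Hypothetical helper (name is an assumption) implementing the per-login token
// check described above: a random token stored in session state and echoed in
// an HttpOnly cookie; requests whose cookie does not match are treated as
// unauthenticated.
public static class SessionAuthToken
{
    private const string TokenKey = "AuthToken";   // session key and cookie name

    // Call from the login handler after the credentials have been verified.
    public static void Issue(HttpContext context)
    {
        // 32 random bytes from the OS CSPRNG; harder to guess than a GUID.
        var bytes = new byte[32];
        using (var rng = new RNGCryptoServiceProvider())
        {
            rng.GetBytes(bytes);
        }
        string token = Convert.ToBase64String(bytes);

        context.Session[TokenKey] = token;
        context.Response.Cookies.Add(new HttpCookie(TokenKey, token)
        {
            HttpOnly = true,                              // not readable from script
            Secure = context.Request.IsSecureConnection   // HTTPS-only when served over TLS
        });
    }

    // Call from the master page's Page_Load (or an HttpModule) on every request.
    public static bool IsValid(HttpContext context)
    {
        object expected = context.Session == null ? null : context.Session[TokenKey];
        HttpCookie cookie = context.Request.Cookies[TokenKey];
        if (expected == null || cookie == null || string.IsNullOrEmpty(cookie.Value))
        {
            return false;   // no token issued yet, or cookie missing: not logged in
        }
        return FixedTimeEquals((string)expected, cookie.Value);
    }

    // Call from the logout handler: drop the session and expire both cookies so
    // neither the old ASP.NET_SessionId nor the old token value is accepted again.
    public static void Clear(HttpContext context)
    {
        context.Session.Abandon();
        foreach (string name in new[] { TokenKey, "ASP.NET_SessionId" })
        {
            context.Response.Cookies.Add(new HttpCookie(name, string.Empty)
            {
                Expires = DateTime.UtcNow.AddDays(-1),   // past date: browser discards it
                HttpOnly = true
            });
        }
    }

    // Compare without stopping at the first differing character.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

// Usage from the page code-behind files (Context is the page's HttpContext):
//
//   // Login.aspx.cs, after the credential check succeeded:
//   SessionAuthToken.Issue(Context);
//   Response.Redirect("Default.aspx");        // landing page name is an assumption
//
//   // Site.master.cs Page_Load:
//   if (!SessionAuthToken.IsValid(Context)) Response.Redirect("Login.aspx");
//
//   // logout handler:
//   SessionAuthToken.Clear(Context);
//   Response.Redirect("Login.aspx");
```

Issue must run only after the credentials have been verified, so that an unauthenticated visitor never receives a token; because the token is minted fresh on every login, a value captured before login is useless afterwards, which is exactly the gap the bare ASP.NET_SessionId cookie leaves open.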