.NET Questions (CLOSED) - Questions and Answers on any aspect of .NET. Now closed.
What are people doing about session fixation attacks in ASP.Net? (http://www.webappsec.org/projects/threat/classes/session_fixation.shtml)
Most web-based exploits (like XSS) are pretty easy to avoid. It's all about not trusting user data. But what do you do when your framework trusts user data without asking you? Microsoft has closed a request for a fix (https://connect.microsoft.com/feedback/viewfeedback.aspx?FeedbackID=143361&wa=wsignin1.0&siteid=210) and instead they offer a simple 55-line code snippet that you can include in every ASP application you create (http://support.microsoft.com/kb/899918). All 55 lines could be replaced by a call to (the hypothetical) Session.CreateNewIdentifier() function. Are your web apps vulnerable? If not, what are you doing to prevent this? (Apologies if this sounds like FUD... I'm really just looking for some solutions.)
I use a guid stored in a cookie to identify the client (I don't rely on session cookies/variables). New logins generate a new guid (they are not reused), and I validate session guids against a timeout value in the database.
This is in addition to using SSL, so outside of a compromised client (or server/database), I don't see how this is a threat.
Jim Tuesday, April 24, 2007
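The mitigation the question asks for (a fresh identifier issued at login, so that an identifier that existed before authentication stops working) and the scheme Jim describes (random identifier in a cookie, never reused, checked against a timeout on every request) modelled as a small server-side session table. This is an added, language-agnostic illustration, not ASP.NET code and not the KB 899918 snippet; the class and function names are made up for the example.

```python
import secrets
import time

class SessionStore:
    """Server-side session table (constructed example): random identifier in a
    cookie, a brand-new identifier on every login, idle timeout on every lookup."""

    def __init__(self, idle_timeout=20 * 60, clock=time.time):
        self._sessions = {}      # id -> {"user": ..., "last_seen": ...}
        self._used_ids = set()   # identifiers are never handed out twice
        self._timeout = idle_timeout
        self._clock = clock      # injectable so the timeout can be exercised in tests

    def _new_id(self):
        while True:
            sid = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
            if sid not in self._used_ids:
                self._used_ids.add(sid)
                return sid

    def start_anonymous(self):
        """Pre-authentication session, e.g. for a shopping basket."""
        sid = self._new_id()
        self._sessions[sid] = {"user": None, "last_seen": self._clock()}
        return sid

    def login(self, presented_sid, user):
        """On successful authentication discard whatever identifier the browser
        presented and bind the user to a freshly generated one. Anyone who knew
        the old identifier learns nothing about the new one."""
        self._sessions.pop(presented_sid, None)
        sid = self._new_id()
        self._sessions[sid] = {"user": user, "last_seen": self._clock()}
        return sid

    def current_user(self, sid):
        """Resolve a presented identifier to a user, enforcing the idle timeout."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if self._clock() - entry["last_seen"] > self._timeout:
            del self._sessions[sid]          # expired: treat as unknown
            return None
        entry["last_seen"] = self._clock()
        return entry["user"]

def fixation_scenario():
    """Returns (pre-login id still valid after login?, user seen via the new id)."""
    store = SessionStore()
    pre_login = store.start_anonymous()      # identifier known before authentication
    fresh = store.login(pre_login, "alice")
    return store.current_user(pre_login) is not None, store.current_user(fresh)
```

Without the regeneration step in `login`, the first element of the tuple would be `True`: the identifier that existed before authentication would now resolve to the logged-in user, which is exactly the property session fixation depends on.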
Are there any known cases of this kind of attack actually being pulled off or are we just in theory land here?
Err Tuesday, April 24, 2007