.NET Questions (CLOSED)

Questions and Answers on any aspect of .NET. Now closed.


Session Fixation in ASP.Net

What are people doing about session fixation attacks in ASP.Net? (http://www.webappsec.org/projects/threat/classes/session_fixation.shtml)

Most web-based exploits (like XSS) are pretty easy to avoid.  It's all about not trusting user data.  But what do you do when your framework trusts user data without asking you? Microsoft has closed a request for a fix (https://connect.microsoft.com/feedback/viewfeedback.aspx?FeedbackID=143361&wa=wsignin1.0&siteid=210) and instead they offer a simple 55-line code snippet that you can include in every ASP application you create (http://support.microsoft.com/kb/899918).  All 55 lines could be replaced by a call to (the hypothetical) Session.CreateNewIdentifier() function.

Are your web apps vulnerable?  If not, what are you doing to prevent this?

(Apologies if this sounds like FUD...  I'm really just looking for some solutions.)
bmm6o
Monday, April 23, 2007
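As an added illustration (not the KB 899918 code and not from any poster in this thread), this is the "regenerate the identifier on login" step the original post wishes were a single call. It assumes classic ASP.NET (System.Web) with the default SessionIDManager provider; the class and method names are hypothetical.

```csharp
using System;
using System.Web;
using System.Web.SessionState;

// Hypothetical helper: discards whatever session identifier the browser
// presented (which an attacker may have planted before the user logged in)
// and issues a fresh, server-generated one. Call it right after the
// credentials have been verified and before any per-user state is stored.
public static class SessionHardening
{
    public static string RegenerateSessionId(HttpContext context)
    {
        if (context == null)
        {
            throw new ArgumentNullException("context");
        }

        // Throw away the server-side state bound to the old identifier, so
        // nothing an attacker pre-populated under that id survives.
        if (context.Session != null)
        {
            context.Session.Abandon();
        }

        // Ask the default provider for a brand-new identifier and write it
        // to the response (as the ASP.NET_SessionId cookie, or into the URL
        // when cookieless sessions are configured). The next request from
        // this browser is served under the new id only.
        var manager = new SessionIDManager();
        string newId = manager.CreateSessionID(context);
        bool redirected;
        bool cookieAdded;
        manager.SaveSessionID(context, newId, out redirected, out cookieAdded);
        return newId;
    }
}
```

Because Abandon() takes effect at the end of the current request, any state the application needs after login should be written once the next request arrives under the new identifier.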
I use a guid stored in a cookie to identify the client (I don't rely on session cookies/variables).  New logins generate a new guid (they are not reused), and I validate session guids against a timeout value in the database.

This is in addition to using SSL, so outside of a compromised client (or server/database), I don't see how this is a threat.
Tuesday, April 24, 2007
Are there any known cases of this kind of attack actually being pulled off or are we just in theory land here?
Tuesday, April 24, 2007
+1 for Jim. I use this approach too, as well as another Guid for each page served, to prevent replay, i.e. ensure idempotent updates, etc.
Entries of Confusion
Tuesday, April 24, 2007
Err: It's probably not possible to say if it's been done in the wild.  It's been done as proof-of-concept, and there's no good reason to think that it wouldn't work in practice.
bmm6o
Tuesday, April 24, 2007
I might be being dumb here, but if you use ASP.NET Forms Auth, then you're not affected by this, right?

My reasoning is that it's your auth cookie which would need to be hijacked, not your session one (and you can only get one of those with valid user credentials). Or am I missing something?
adamC
Monday, April 30, 2007
