8

I'm trying to work a number of security issues on a rather large ASP.NET web application (C#). To prevent session fixation attacks I'd like to generate a new session id every time a user authenticates himself. However I want to only generate a new session id without losing the rest of the session. After doing some research on this topic I found a couple of working solutions:

Solution 1: Generating new SessionId in ASP.NET
 This suggests clearing the session cookie manually by setting it to an empty string. However this requires either a page refresh or using AJAX to ensure that the cookie will indeed be removed, which isn't really a viable option in my specific case.

Solution 2: Generating a new ASP.NET session in the current HTTPContext
 I have implemented this approach and it works as expected. However as the original poster states, this is not really what you might call an elegant solution. Also, this post is a few years old which has me hoping that there might be a better solution out there nowadays.

What I would like to know is if there are any alternatives to do this that I have missed in my research or if something like Solution 2 is possible without manipulating session management internals.

Community
  • 1
  • 1
Georg Z.
  • 81
  • 1
  • 1
  • 8
  • 1
    i have the same issue with you and AFAIK, solution2 was essentially the same to solution1, both are trying to regenerating a new sessionid for current httpcontext. finally i found this link: http://stackoverflow.com/questions/5502435/regenerate-sessionid-in-asp-net, and did it with success. it`s a far more simpler way to approach this. – pinopino Jul 25 '13 at 07:28
  • Finally, is there any way can solve your problem? Or did you solve yourself? Please share your solution so that everybody can get more knowledge. XD – NoName Sep 30 '16 at 04:57

2 Answers2

4

It's not that easy to achieve what you want due to how session management works by design in ASP.NET, re solution number 2. The solution (2) seems a bit risky considering ASP.NET session state implementation details change at some point.

I'd recommend a variant of solution 1, where you store the relevant data from the session to db/cache when the user authenticates, get a new session for the user and then populate that with the data you need. Since data is moving from an "unathenticated" session to an "authenticated" session you should also take care to validate that data.

Clearing the session cookie manually can be a slippery slope, re Ramping up ASP.NET session security. You'll find a more robust solution in the NWebsec.SessionSecurity's authenticated session identifiers (Disclaimer: I'm the developer on that project).

klings
  • 963
  • 6
  • 12
0

Web.Config changes sessionState cookieName="ABC"

In Login.aspx page in block !ispostback write

Response.Cookies.Add(new HttpCookie("ABC", ""));

Enjoy

-Saving time is good!

Manjit Chavan
  • 11
  • 1
  • could you elaborate on this approach? What makes this work? – Kristopher Jun 23 '16 at 14:59
  • Ideally, It creates a new sessionid with given name soon after you login, you can check in resource tab cookies in chrome developer tools. Thus making it difficult for hacker to resuse the same sesion. – Manjit Chavan Sep 15 '16 at 09:05