Session Fixation in ASP.NET

没有蜡笔的小新 2020-11-28 10:27

I'm wondering how to prevent Session fixation attacks in ASP.NET (see http://en.wikipedia.org/wiki/Session_fixation)

My approach to this would normally be to

4 answers
  • 2020-11-28 11:14

    If I am assuming right, you are talking about... http://en.wikipedia.org/wiki/Session_fixation. The short answer is yes, you have a lot of ways in which you can secure your cookie as well. You shouldn't be using cookieless session, and while you are using sessions, ensure that you have secured the cookie as well explicitly.

    Check this article out... http://blogs.msdn.com/rahulso/archive/2007/06/19/cookies-case-study-with-ssl-and-frames-classic-asp.aspx

  • 2020-11-28 11:15

    Basically just do this in your Login GET method and your Logout method:

    // Drop all stored state and mark the session for removal at the end of the request
    Session.Clear();
    Session.Abandon();
    Session.RemoveAll();
    // Abandon() does not remove the cookie from the browser, so expire it explicitly
    if (Request.Cookies["ASP.NET_SessionId"] != null)
    {
       Response.Cookies["ASP.NET_SessionId"].Value = string.Empty;
       Response.Cookies["ASP.NET_SessionId"].Expires = DateTime.Now.AddMonths(-20);
    }
    
  • 2020-11-28 11:20

    It does generate a new session ID when the user logs in, and kills a session when the timeout occurs, or the user navigates away/closes the browser. And you can programmatically kill it via Abandon() or remove entries via Remove().

    So I'm not sure what the issue is?

  • 2020-11-28 11:26

    Have been doing more digging on this. The best way to prevent session fixation attacks in any web application is to issue a new session identifier when a user logs in.

    In ASP.NET Session.Abandon() is not sufficient for this task. Microsoft state in http://support.microsoft.com/kb/899918 that: "When you abandon a session, the session ID cookie is not removed from the browser of the user. Therefore, as soon as the session has been abandoned, any new requests to the same application will use the same session ID but will have a new session state instance."

    A bug fix has been requested for this at https://connect.microsoft.com/feedback/viewfeedback.aspx?FeedbackID=143361&wa=wsignin1.0&siteid=210#details

    There is a workaround to ensure new session IDs are generated, detailed at http://support.microsoft.com/kb/899918; this involves calling Session.Abandon and then clearing the session id cookie.

    Would be better if ASP.NET didn't rely on developers to do this.

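A login handler that applies the workaround described in the answer above (abandon the old session, then issue a fresh ID with SessionIDManager before redirecting), written as an added example for this thread rather than code from any of the answers; the ValidateCredentials helper, the UserName/Password controls and the Default.aspx landing page are assumed placeholders.

```csharp
// Added example (not from the thread): regenerate the ASP.NET session ID at login
// (System.Web / Web Forms), following the KB 899918 workaround quoted above.
// Assumes a hypothetical ValidateCredentials helper and a Default.aspx landing page.
using System;
using System.Web;
using System.Web.Security;
using System.Web.SessionState;

public partial class Login : System.Web.UI.Page
{
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        if (!ValidateCredentials(UserName.Text, Password.Text))
        {
            return; // still unauthenticated: nothing of value to bind to this ID
        }

        // 1. Drop all state held under the pre-login ID, which an attacker may
        //    have planted in the victim's browser before authentication.
        Session.Clear();
        Session.Abandon();

        // 2. Abandon() alone leaves ASP.NET_SessionId in the browser, so create a
        //    new ID and overwrite the cookie (SessionIDManager does both).
        var manager = new SessionIDManager();
        string newId = manager.CreateSessionID(Context);
        bool redirected, cookieAdded;
        manager.SaveSessionID(Context, newId, out redirected, out cookieAdded);

        // 3. Carry identity in the forms-auth ticket, not in Session: the state
        //    module already bound this request to the old ID, so anything written
        //    to Session now would be persisted under the ID being discarded.
        FormsAuthentication.SetAuthCookie(UserName.Text, false);

        // 4. The next request arrives with the new ID and an empty session; any
        //    post-login session state belongs there (e.g. the landing page's Page_Load).
        Response.Redirect("~/Default.aspx", false);
        Context.ApplicationInstance.CompleteRequest();
    }

    // Placeholder credential check; replace with the application's own logic.
    private static bool ValidateCredentials(string user, string password)
    {
        return Membership.ValidateUser(user, password);
    }
}
```

Pair this with `<httpCookies httpOnlyCookies="true" requireSSL="true" />` in web.config so the regenerated cookie cannot be read by script or sent over plain HTTP.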