问题
A hybrid webforms/mvc asp.net application using .Net Framework 4.7 has been tagged with the "Session Fixation" vulnerability in a Veracode dynamic scan. What this means is that Veracode gets the login page, alters the SessionId cookie (ASP.NET_SessionId), and then posts with a valid userid and password to do the login. ASP.Net logs in the user, but takes this altered SessionId cookie and continues to use it; that behavior of using that injected SessionId value is the flaw.
In other words, when Veracode gets the page the SessionId cookie might be "abc123". Veracode changes that cookie to "def456" and posts back. ASP.Net logs in the user and uses "def456" as the SessionId henceforth.
Per Veracode I must invalidate the ASP.Net_SessionID cookie created prior to a successful login. This is easy to do of course, I can simply reset the ASP.NET_SessionId cookie when the user successfully logs in. The problem is, this causes the user to be redirected right back to the login page. So what happens is this:
- User submits the login page.
- Server-side, if the login is successful, I reset the ASP.NET_SessionId to some new value (by calling SessionIDManager.SaveSessionID(), which in turn simply resets the ASP.Net_SessionID cookie).
- The user is redirected to the application home page, and then immediately redirected back to the login page
The application uses forms authentication, with a webforms login page. The login page uses the asp.net Login control. In the "OnAuthenticate" event of this control I have code like this:
protected void Login1_Authenticate(object sender, AuthenticateEventArgs e)
{
bool b = Membership.Validateuser(Login1.UserName, Login1.Password);
if(b)
{
e.Authenticated = true;
SessionIDManager mgr = new SessionIDManager();
string newId = mgr.CreateSessionID(Context);
mgr.SaveSessionID(Context, newId, out bool redirected, out bool cookieAdded);
}
}
This runs without error. ASP.net redirects the user to the application home page. But then asp.net immediately redirects the user from the application home page back to the login page.
Is there any way to alter that SessionId cookie so that
- Veracode's injected SessionId cookie value is abandoned.
- The user stays authenticated and is not simply redirected back to the login page.
I've attempted running the code that alters the SessionId in various page events (PreInit, Load, etc) and all of them have the same result--the user is redirected back to the login page.
Please do not mark this question as already answered. There are several answers to this question on SO, all of which advise re-setting the SessionId cookie as I do above, and all of which have comments pointing out that this does not actually work.
回答1:
After considerable back-and-forth the final reply from a Veracode consultant was the following, basically saying "don't worry about it." This is the reply from Veracode:
I also looked further into the dynamic findings from your application. The session ID that we are finding session fixation on, is not the ID you are using for authentication, and so the risk for your application is low. An attacker would not be able to gain access to an authenticated session of a user by controlling just the ASP.NET_SessionId cookie. By protecting the .ssoIIMAuth cookie your application is already preventing this sort of attack.
来源:https://stackoverflow.com/questions/51620688/fix-session-fixation-flaw-in-asp-net