Reply: 1

Are Session Fixation Attacks in MVC 5 still an issue

I.Am.Me
1#
I.Am.Me Published in 2016-01-28 20:40:04Z

I've been reading a lot about session fixation attacks, and the most popular solutions I've come across are changing the SessionID when the user logs in and creating an additional cookie using a GUID to verify the user "belongs" to the SessionID.

My question is this: Isn't it enough to just delete the SessionID cookie (ASP.NET_SessionID) to ensure a new SessionID is generated? In MVC 5, when the user logs in, an additional encrypted user-claims cookie is created (AspNet.ApplicationCookie) which Identity uses to authenticate the user upon each request. The additional "GUID cookie" seems unnecessary.

I’m originally a .NET desktop application developer writing my first MVC app and the learning curve has been a bit steep… although refreshingly enjoyable.

Thanks for any help.

Rabel Obispo
2#
Rabel Obispo Reply to 2017-12-29 18:14:58Z

You can do this to avoid that situation:

// Requires: using System.Web.SessionState; (SessionIDManager lives there).
// Context here is the System.Web.HttpContext of a Web Forms page or Global.asax;
// inside an MVC controller use System.Web.HttpContext.Current instead.
SessionIDManager Manager = new SessionIDManager();

// Generate a fresh, random session ID and remember the one this request arrived with.
string NewID = Manager.CreateSessionID(Context);
string OldID = Context.Session.SessionID;
bool redirected = false;
bool IsAdded = false;

// Write the new ID into the ASP.NET_SessionId cookie on the response.
// IsAdded reports whether the cookie was actually added to the response.
Manager.SaveSessionID(Context, NewID, out redirected, out IsAdded);
Response.Write("Old SessionId Is : " + OldID);

if (IsAdded)
{
    Response.Write("<br/> New Session ID Is : " + NewID);
}
else
{
    Response.Write("<br/> Session Id was not saved.");
}

Support link: Link
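A fuller version of the regeneration step, as an added example that is not code from the thread or from the ASP.NET project: it ties the SessionIDManager call above to the point in an MVC 5 login action where authentication has just succeeded, abandons the pre-login server-side session, and checks that the issued ID actually changed. The helper name SessionIdRotation is hypothetical; ApplicationSignInManager, LoginViewModel and RedirectToLocal are assumed to be the names from the default MVC 5 Identity template, and combining Session.Abandon() with SessionIDManager.SaveSessionID in one request is an assumed-safe pattern that should be verified against the application's session-state configuration.

```csharp
// Added example (not from the thread): rotate the ASP.NET session ID right after a
// successful login so an ID the browser held before authentication never becomes
// the authenticated session. Assumes the default MVC 5 template with ASP.NET Identity.
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using System.Web.SessionState;
using Microsoft.AspNet.Identity.Owin;

public static class SessionIdRotation   // hypothetical helper name
{
    // Returns the newly issued session ID, or null when rotation did not happen.
    public static string Rotate(HttpContext context)
    {
        string oldId = context.Session != null ? context.Session.SessionID : null;

        // Drop the server-side state attached to the pre-login ID. Anything the app
        // needs after login must come from the Identity cookie, not from Session.
        if (context.Session != null)
        {
            context.Session.Clear();
            context.Session.Abandon();   // assumption: safe to combine with SaveSessionID below
        }

        // Generate a random ID and write it as the ASP.NET_SessionId cookie; the
        // browser replaces its old cookie (same name, same path) with this one.
        var manager = new SessionIDManager();
        string newId = manager.CreateSessionID(context);
        bool redirected, cookieAdded;
        manager.SaveSessionID(context, newId, out redirected, out cookieAdded);

        // Sanity check: a rotation that leaves the ID unchanged defeats the purpose.
        if (!cookieAdded || newId == oldId)
        {
            return null;
        }
        return newId;
    }
}

public class AccountController : Controller
{
    private readonly ApplicationSignInManager _signInManager;   // template type (assumed)

    public AccountController(ApplicationSignInManager signInManager)
    {
        _signInManager = signInManager;
    }

    [HttpPost]
    [AllowAnonymous]
    [ValidateAntiForgeryToken]
    public async Task<ActionResult> Login(LoginViewModel model, string returnUrl)
    {
        if (!ModelState.IsValid)
        {
            return View(model);
        }

        // Identity authenticates the user and issues the AspNet.ApplicationCookie.
        var result = await _signInManager.PasswordSignInAsync(
            model.Email, model.Password, model.RememberMe, shouldLockout: false);
        if (result != SignInStatus.Success)
        {
            ModelState.AddModelError("", "Invalid login attempt.");
            return View(model);
        }

        // Authentication succeeded: rotate the session ID before the first
        // authenticated response leaves the server.
        string newId = SessionIdRotation.Rotate(System.Web.HttpContext.Current);
        if (newId == null)
        {
            // Fail closed rather than continue on a session ID the client chose.
            _signInManager.AuthenticationManager.SignOut();
            ModelState.AddModelError("", "Login could not be completed. Please try again.");
            return View(model);
        }

        return RedirectToLocal(returnUrl);   // template helper (assumed)
    }
}
```

The rotation is placed after PasswordSignInAsync rather than before it so that a failed login never costs the user their session, and the Identity cookie (not Session) is what carries the authenticated state across the redirect.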
