A session commit is an attack in which one person captures another person's session identifier (SID).
The attack begins with an attacker visiting a website and establishing a valid session, when the application delivers a cookie containing a session identifier, the attacker fixed or blocked a known good session. The attacker then tricks the victim using this session identifier. At the moment, the attacker and the victim have the same session identifier. Now, at any time, the information stored in this fixed session is used either to make decisions for the victim, or to display information that only the victim sees, it can potentially be used and viewed by an attacker! You can read further here .
The only workaround for this would be for ASP.NET to issue a NEW session id after any successful authentication . Thus, as soon as the victim logs in, the attacker will not have access to the session. Another point to keep in mind: NEVER deliver a session before a user logs in.
Remember that in ASP.net Session.Abandon() not enough for this task, it does not remove the session identifier cookie from the user browser, so any new request to the same application after the session ends will use the same session identifier and a new instance of the session state! As stated by Microsoft . You need to refuse the session and clear the session ID:
Session.Abandon(); Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", ""));
It is also useful to change the authentication cookie name in the web.config :
<authentication mode="Forms"> <forms name=".CookieName" loginUrl="LoginPage.aspx" /> </authentication>
Here is a good article on Session Attacks and ASP.NET and how to resolve it.