Creating a New SessionID for Login (ASP.NET)

I am trying to solve a number of security issues on a rather large ASP.NET web application (C#). To prevent session fixation attacks, I would like to generate a new session identifier every time a user authenticates. However, I only want to generate a new session identifier without losing the rest of the session. After some research on this topic, I found a couple of working solutions:

Solution 1: Create a new SessionId in ASP.NET
This allows you to clear the session cookie manually by setting it to an empty string. However, this requires either a page refresh or the use of AJAX to ensure that the cookie is indeed deleted, which is not a really viable option in my particular case.

Solution 2: Create a new ASP.NET session in the current HTTPContext
I have implemented this approach and it works as expected. However, according to the original poster, this is not really what you could call an elegant solution. In addition, this post is several years old and I hope that there may be a better solution by now.

I would like to know if there are any alternatives that I have missed in my research, or if something like solution 2 is possible without manipulating the session management internals.

+6
2 answers

It is not so easy to achieve what you want due to the way session management works by design in ASP.NET, especially with solution 2. Solution 2 seems a bit risky, considering that the implementation details of ASP.NET session state may change at some point.

I would recommend solution 1, where you store the relevant data from the session in a db / cache; when the user authenticates, the user receives a new session, which you then fill with the necessary data. As the data moves from the "unauthenticated" session to the "authenticated" session, you should also take care to validate this data.

Clearing a session cookie manually can be a slippery slope (see ASP.NET session security). You will find a more reliable solution in NWebsec.SessionSecurity authenticated session identifiers (Disclaimer: I am a developer on this project).

+4
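The approach recommended above (snapshot and validate the values worth keeping, abandon the old session, issue a new session ID in the same response, refill from a cache) can be put together with public ASP.NET APIs. The following is an added example, not code from the answer or from NWebsec; the key names, the cache prefix, the two-minute parking time and the isValid callback are assumptions, and the cache used is the per-server HttpRuntime cache, which would need to be swapped for a shared store on a web farm.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Caching;
using System.Web.SessionState;

// Regenerates the ASP.NET session identifier after a successful login, carrying over
// only validated, whitelisted values. The carried-over values are parked in the
// application cache under the new session ID and restored by Session_Start on the
// next request. Key names, cache prefix and the validator are hypothetical.
public static class SessionRegenerator
{
    // Keys allowed to survive the transition from the unauthenticated session (hypothetical).
    private static readonly string[] CarryOverKeys = { "CartId", "Culture" };

    // Prefix for the cache entry that holds the parked values (hypothetical).
    private const string CachePrefix = "pending-session:";

    // Call right after credentials have been verified, e.g. in the Login.aspx handler.
    public static string Regenerate(HttpContext context, Func<string, object, bool> isValid)
    {
        var session = context.Session;
        if (session == null)
            throw new InvalidOperationException("Session state is not enabled for this request.");

        // 1. Snapshot whitelisted values. Each is validated because it comes from a session
        //    that may have been populated before the user ever authenticated.
        var kept = new Dictionary<string, object>();
        foreach (var key in CarryOverKeys)
        {
            var value = session[key];
            if (value != null && isValid(key, value))
                kept[key] = value;
        }

        // 2. Drop the old session and its server-side state at the end of this request.
        session.Abandon();

        // 3. Mint a fresh ID and write it into the session cookie of the current response,
        //    so no extra round trip or AJAX call is needed to replace the old cookie.
        var manager = new SessionIDManager();
        string newId = manager.CreateSessionID(context);
        bool redirected, cookieAdded;
        manager.SaveSessionID(context, newId, out redirected, out cookieAdded);

        // 4. Park the kept values under the new ID with a short lifetime; if the client
        //    never comes back, they simply expire.
        context.Cache.Insert(CachePrefix + newId, kept, null,
            DateTime.Now.AddMinutes(2), Cache.NoSlidingExpiration);
        return newId;
    }

    // Call from Session_Start in Global.asax. The new ID has no stored state yet, so
    // ASP.NET treats the next request as a new session and raises Session_Start,
    // where the parked values are moved into the authenticated session.
    public static void RestoreParkedValues(HttpContext context)
    {
        var session = context.Session;
        if (session == null) return;

        string cacheKey = CachePrefix + session.SessionID;
        var kept = context.Cache[cacheKey] as Dictionary<string, object>;
        if (kept == null) return;

        foreach (var pair in kept)
            session[pair.Key] = pair.Value;
        context.Cache.Remove(cacheKey);
    }
}
```

Wire it up with `SessionRegenerator.Regenerate(HttpContext.Current, (key, value) => ...)` in the login handler after the credential check, and `SessionRegenerator.RestoreParkedValues(HttpContext.Current)` in Global.asax `Session_Start`. Two points to keep in mind: values written to `Session` after `Abandon()` in the same request are discarded with the old session, which is why the example parks them in the cache instead, and the whitelist should stay short, since every carried-over value is data an attacker could have seeded before the victim logged in.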

Change the sessionState element in Web.config to set cookieName="ABC".

On the Login.aspx page, inside the !IsPostBack block, write:

Response.Cookies.Add(new HttpCookie("ABC", ""));

Enjoy

- The storage time is good!

0

Source: https://habr.com/ru/post/949020/
