Broken Authentication and Session Management – part Ⅱ

Introduction
HTTP is a stateless protocol, so the web server does not keep track of user activity on its own. To track user activity we generally use sessions. There are various ways of managing sessions, but in each the server initially generates a session identifier (ID) and arranges for the browser to send the same ID back with each subsequent request. This lets the server maintain a record of the user. Improper handling of these session identifiers is a serious threat and can allow attackers to gain access to the system. This article illustrates session fixation in an ASP.NET web application. For better understanding I have created a simple ASP.NET application. You can download the project from here. The project has two folders, ‘SecureLoginFunc’ and ‘InsecureLogin’, which contain the login and logout mechanisms of the application. You need to import the downloaded project into Visual Studio, or create a virtual directory in IIS and add the project to it.

As you know, a session is used to track user activity by means of a cookie. In ASP.NET, the server creates a cookie named ‘ASP.NET_SessionId’ on the client. The value of this ‘ASP.NET_SessionId’ cookie is checked on every request to establish authenticity and identity. ASP.NET has two ways of transmitting session IDs back and forth to the browser: embedded in the URL, or through a session cookie. You can easily spot the session ID when it is embedded in the URL, for example ‘www.abc.com/(S(dacaanfdgasdfdadfghq))’. Embedding the ID in the URL is not the recommended solution.
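
As an added example (not part of the original article or its project): a small Python check a defender can run over web server request records to find session IDs embedded in URLs in the ‘(S(...))’ form shown above, redact them before logs are shared, and flag any ID presented from more than one client address. The function names and the sample records are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# URL-embedded ASP.NET sessions carry the ID in a "(S(<id>))" path segment.
SESSION_SEGMENT = re.compile(r"/\(S\(([A-Za-z0-9]+)\)\)(?=/|$)")

# Constructed sample records (client IP, requested URL); not real traffic.
SAMPLE_REQUESTS = [
    ("203.0.113.10", "/(S(dacaanfdgasdfdadfghq))/Login.aspx"),
    ("203.0.113.10", "/(S(dacaanfdgasdfdadfghq))/Home.aspx"),
    ("198.51.100.7", "/(S(dacaanfdgasdfdadfghq))/Home.aspx"),
    ("192.0.2.44", "/%28S%28zzkq1pmx0btw5e2fh3ayu4cd%29%29/Home.aspx"),
    ("192.0.2.80", "/Default.aspx"),
]


def _decoded_path(url):
    # Parentheses may arrive percent-encoded, so decode before matching.
    return unquote(urlsplit(url).path)


def extract_session_id(url):
    """Return the session ID embedded in the URL path, or None."""
    match = SESSION_SEGMENT.search(_decoded_path(url))
    return match.group(1) if match else None


def redacted_path(url):
    """Return the decoded path with the session ID masked and the query dropped."""
    return SESSION_SEGMENT.sub("/(S(REDACTED))", _decoded_path(url))


def ids_seen_from_multiple_clients(requests):
    """Map each session ID used by more than one client IP to those IPs.

    A shared ID is what session fixation or a leaked URL looks like in logs;
    it can also be a benign address change, so treat hits as leads to review.
    """
    clients = defaultdict(set)
    for ip, url in requests:
        sid = extract_session_id(url)
        if sid:
            clients[sid].add(ip)
    return {sid: sorted(ips) for sid, ips in clients.items() if len(ips) > 1}


if __name__ == "__main__":
    for sid, ips in ids_seen_from_multiple_clients(SAMPLE_REQUESTS).items():
        print("session ID used by several clients:", sid, ips)
```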
