Why is ASP.NET accepting externally created session identifiers?

Asked 24/8, 2009 at 16:17 Answered 2/9, 2009 at 14:33

Solved asp.net security asp.net-membership membership

I have an ASP.NET 3.5 Web Site using the standard SQL Membership Provider.

The application has to pass the IBM Rational AppScan before we can push to production.

I am getting the error:
Severity: High
Test Type: Application
Vulnerable URL: http://mytestserver/myapp/login.aspx
Remediation Tasks: Do not accept externally created session identifiers

What can I do to fix this?

I am using SQL Membership Provider. Is this related? I am using the standard login controls too. I have the "Remember Me" turned off, and hidden.

Thanks.

Grub answered 24/8, 2009 at 16:17 Comment(1)

I can't think of any reason why this would be inherently bad? Doesn't change the fact that they check for it, but I'm wondering why. – Carpentaria 24/8, 2009 at 17:26

This isn't a vulnerability (and I really don't like AppScan because of its false positives - the number of times I've had to explain CSRF cookies need not be linked to a session on my little open source project is getting annoying).

All that will happen in this case is the first time anything is stored in session state with a created session identifier a new session will be opened on the server, with nothing in it. If you're worried about session fixation then you can clear the cookie after authentication.

Session.Abandon();
Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", ""));

But with forms authentication the authentication details are not held in the session and so fixation is not a problem at all.

Frankly if you must pass security scans without anyone evaluating if the results are not false positives then that's a whole different problem.

Conceit answered 2/9, 2009 at 14:11 Comment(5)

Thanks. However, I tried this, but the IBM Rational AppScan reported the same security error. – Grub 3/9, 2009 at 13:29

It's not a vulnerability though and your explanation is wrong. You've written and accepted an incorrect answer. – Conceit 3/9, 2009 at 15:33

I agree with you, but just saying it is not enough. I do not like the AppScan tool either, but that is the world I live in. I waste a day or so on every project. Until they change policy I have to live with it. – Grub 9/9, 2009 at 13:23

Wow, weird :) But glad it passed. – Conceit 29/9, 2009 at 18:23

Question: where should I put those two lines? In Session_End in Global.asax? – Heydon 30/5, 2013 at 18:52

You might need to change the default cookie settings to be unique to you app

Try setting a unique cookie path:

<forms name="YourAppName"
       path="/FormsAuth" ... />

http://msdn.microsoft.com/en-us/library/ms998310.aspx#paght000012_additionalconsiderations

More reading... http://msdn.microsoft.com/en-us/library/ms998258.aspx

Maddocks answered 24/8, 2009 at 16:28 Comment(0)

It would seem RegenerateExpiredSessionId property is controlling this. Do set it to true. Also keep time-out to a and low value, the tightest acceptable by users (e.g. 10 - 15 minutes).

Ouphe answered 2/9, 2009 at 14:33 Comment(1)

Thanks. I tried this, but IBM Rational AppScan is hitting the site every few seconds. Lowering the value to 10 minutes does not help. – Grub 3/9, 2009 at 13:31

Recommended topics

Hot tags