[Owasp-dotnet] .NET and Session "Regeneration"
nick.sanidas at aspectsecurity.com
Wed Aug 16 15:52:41 EDT 2006
I was wondering if anybody had opinions or information concerning
generating new sessions after key events in an application lifecycle,
such as authentication, switching in/out of SSL, or performing high
value transactions within the .NET platform.
In particular, .NET has no obvious equivalent of the J2EE
request.getSession(true). When performing a session "regeneration" in
J2EE, one would likely follow these steps (in one server trip):
1) extract session attributes to be carried over (including
2) call session.invalidate()
3) call request.getSession(true)
4) insert attributes to be carried over into new session
5) response goes to browser, session id cookie updated by framework
These J2EE steps assume that the user identity has been saved in the
session as well.
For .NET, (with Forms authentication and auth cookie) one would have to
follow a different scenario involving an extra interaction with the
browser (to expire the session id cookie):
1) extract session attributes to be carried over
2) persist extracted attributes in temp storage (db for example)
based on user identity
3) call Session.Abandon()
4) manually expire the .NET Session ID cookie in the response
5) response goes to browser
6) upon next request (sans session id) framework generates new
session and session id
7) use auth cookie to get identity to extract session attributes
from temp storage
8) insert attributes to be carried over into new session
9) response goes to browser, along with session id
Any thoughts or comments? In .NET 2.0, there is a SessionStateUtility
class, but it is not trivial to use (and likely dangerous).
Thanks in advance for any advice or comments.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Owasp-dotnet