[Owasp-leaders] ASP.net Session hijacking

Erlend Oftedal Erlend.Oftedal at BEKK.no
Mon Apr 2 15:16:02 UTC 2012

ASP.NET is interesting that way. Authentication and session data are split in two. The FormsAuthCookie is an encrypted cookie with a username and timestamp. It cannot be invalidated server side, so there is really no way to log out. A log out is just a matter of deleting the cookie client side, which, in case it's stolen, doesn't really help. The session, though, is invalidatable server side. But it doesn't contain authentication data. If there is no data in the session, no session is kept. If the user submits a cookie value containing a session id that does not exist on the server, the server will create one with the given id...
This is at least the way it works pre-MVC.

Regarding protection, you can set absolute and sliding expiration of the auth. You can set the Secure flag, and I think httponly is on by default.
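The settings Erlend lists (absolute versus sliding expiration, the Secure flag, HttpOnly) as a web.config fragment, added here as an example and not part of the original thread. It assumes a classic ASP.NET Web Forms application served over HTTPS; the cookie name, login URL and timeout values are placeholders.

```xml
<configuration>
  <system.web>
    <!-- Loose defaults: the forms ticket slides on every request, so a
         stolen FormsAuthCookie stays valid as long as the attacker keeps
         using it, and nothing forces the cookie onto HTTPS only. -->
    <!--
    <authentication mode="Forms">
      <forms name=".ASPXAUTH" loginUrl="~/Login.aspx"
             timeout="30" slidingExpiration="true" />
    </authentication>
    -->

    <!-- Hardened: absolute expiration bounds the lifetime of a stolen
         ticket, requireSSL sets the Secure flag so the cookie is never
         sent over plain HTTP, and cookieless="UseCookies" prevents the
         ticket from ever being carried in the URL. -->
    <authentication mode="Forms">
      <forms name=".ASPXAUTH"
             loginUrl="~/Login.aspx"
             timeout="20"
             slidingExpiration="false"
             requireSSL="true"
             cookieless="UseCookies"
             protection="All" />
    </authentication>

    <!-- Apply HttpOnly and Secure to every cookie the application emits,
         including the session cookie, instead of relying on per-cookie
         defaults. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />

    <!-- Session state is separate from authentication, as the message
         explains; keep it cookie-based and give it its own timeout. -->
    <sessionState mode="InProc" cookieless="UseCookies" timeout="20" />
  </system.web>
</configuration>
```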


From: Michael Hidalgo Fallas
Sent: 02.04.2012 15:57
To: OWASP Leaders; dinis cruz
Subject: [Owasp-leaders] ASP.net Session hijacking

Hi Leaders,

I wonder if any of you guys have created any kind of research/best practice about ASP.Net Session Hijacking attacks and prevention. I'm currently focused on how to prevent this kind of attack using ASP.Net.

Also, do you think it is a good idea to have a white papers section on our main page? If this section already exists, please point me there. I believe that this kind of document may follow any of the IEEE standards for performing research. I know that there is already research on our site, but this kind of white paper can be distributed in universities.

Thanks for your comments!

Michael Hidalgo F.
OWASP Chapter Leader, Costa Rica.

“If you believe in yourself and have dedication and pride - and never quit, you'll be a winner. The price of victory is high but so are the rewards.” Paul Bryant
