Recently we had a security scan (IBM AppScan) on one of our ASP.NET applications, where it reported a Medium vulnerability as follows:
Session Identifier Not Updated
Severity: Medium
Risk: It is possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform transactions as that user
Causes: Insecure web application programming or configuration.
And the suggested fix by the tool for ASP.NET is:
For platforms such as ASP that do not generate new values for sessionid cookies, utilize a secondary cookie. In this approach, set a secondary cookie on the user's browser to a random value and set a session variable to the same value. If the session variable and the cookie value ever don't match, invalidate the session, and force the user to log on again.
We have SSL certificates installed for our application and made sure all the cookies (session, authentication and AntiForgeryToken) are Secure (RequireSSL="True") and HttpOnly, and also implemented Microsoft's recommendation for mitigating CSRF vulnerability as mentioned in Microsoft CSRF Fix.
My question here is: even with SSL certificates and traffic over HTTPS, is it still possible to hijack a session? And since I am already using a secondary Secure, HttpOnly cookie (AntiForgeryToken), what else do I have to do to make the application more secure?
Not sure if you are using Forms Authentication, but you can try doing the below when a user logs out:
This will force a new value for the cookie ID when they try to hit the site after logging out. To see this working, you can use Google Chrome, open your application and hit F12 to bring up the developer tools. Look under the Resources tab; there is a Cookies item under that, where you should see your site's cookie. Check the value as you log in and surf the site; after logging out, the above code should force the ID to change. Otherwise, even after logging out it stays the same, which is what the AppScan sounds like it's asking you to fix.
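As an added example (not the asker's or the answerer's code), here is one way to do both things discussed on this page in ASP.NET Framework with Forms Authentication: reset the session identifier on logout, and bind a random secondary cookie to the session as the scanner suggests, invalidating the session on mismatch. The `SessionGuard` class, the `__sessguard` cookie name and the call sites named in the comments are assumptions; `ASP.NET_SessionId` is the runtime's default session cookie name.

```csharp
// Added example, not code from the question or answer. Assumes System.Web
// (ASP.NET Framework) with Forms Authentication; SessionGuard and "__sessguard" are hypothetical.
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.Security;

public static class SessionGuard
{
    const string GuardCookie = "__sessguard";    // hypothetical secondary cookie
    const string GuardKey = "SessionGuardValue"; // session variable holding the same value

    // Logout path: Session.Abandon() alone leaves the ASP.NET_SessionId cookie value
    // unchanged, so expire it too; the runtime then issues a fresh id on the next request.
    public static void ResetSession(HttpContext ctx)
    {
        FormsAuthentication.SignOut();
        ctx.Session.Abandon();
        var gone = DateTime.UtcNow.AddDays(-1);
        ctx.Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", "") { Expires = gone, HttpOnly = true, Secure = true });
        ctx.Response.Cookies.Add(new HttpCookie(GuardCookie, "") { Expires = gone, HttpOnly = true, Secure = true });
    }

    // Scanner's suggested fix: bind a random value to both a secondary cookie and the
    // session. Call after the post-login redirect, once the fresh session exists.
    public static void BindGuard(HttpContext ctx)
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        var value = Convert.ToBase64String(bytes);
        ctx.Session[GuardKey] = value;
        ctx.Response.Cookies.Add(new HttpCookie(GuardCookie, value) { HttpOnly = true, Secure = true });
    }

    // Every authenticated request (e.g. Application_PostAcquireRequestState in Global.asax):
    // a missing or mismatching secondary cookie means the session id and browser have parted ways.
    public static void EnforceGuard(HttpContext ctx)
    {
        if (ctx.Session == null || !ctx.Request.IsAuthenticated) return;
        var expected = ctx.Session[GuardKey] as string;
        if (expected == null) { BindGuard(ctx); return; } // first request after login
        var cookie = ctx.Request.Cookies[GuardCookie];
        if (cookie == null || cookie.Value != expected)
        {
            ResetSession(ctx);
            FormsAuthentication.RedirectToLoginPage();
        }
    }
}
```

Even with HTTPS and Secure/HttpOnly cookies, this matters because the session id handed out before login stays valid after login unless it is replaced; the binding above makes a pre-login identifier useless once the user authenticates.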