5

We have had a security test against our site, and a vulnerability has been identified.

Issue

If the session identifier were known by an attacker who had access to the user's workstation, the logged out session could be accessed using the session cookie after the user had terminated their session.

Recommendation

Ensure that session identifiers are correctly terminated on the server side when the logout function is invoked.

Code

The code currently does this (if a user clicks the "logout button")

        FormsAuthentication.SignOut();
        Roles.DeleteCookie();
        Session.Clear();

I'm not sure how to check "ensure that session identifiers are correctly terminated on the server side when the logout function is invoked."

I've done some research and think I should I be doing this instead?

        Session.Abandon();

If not, what should I be doing? (I'm not entirely sure how to test this...)

Ian G
  • 29,468
  • 21
  • 78
  • 92

1 Answers1

6

In ASP.net Session.Abandon() is not sufficient for this task, it does not remove the session ID cookie from the user's browser, so any new request to the same application, after the session is abandoned, will use the same session ID and a new Session State instance! As Microsoft states here. You need to abandon the session and clear session ID cookie:

Session.Abandon();
Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", ""));

It's also a good practice to change the Form Authentication cookie name, in your web.config file:

<authentication mode="Forms">
  <forms name=".CookieName" loginUrl="LoginPage.aspx" />
</authentication>

Here's a good article on Session Attacks and ASP.NET and how to resolve it.

Kamyar Nazeri
  • 25,786
  • 15
  • 50
  • 87
  • Deleting the cookie on the client doesn't prevent the security issue -- if the cookie content was stolen prior to the user logging out. .NET doesn't delete the session on the server's side, so the attacker can re-create the cookie and "resurrect" the user's session. – Synctrex Nov 04 '20 at 19:34