
I'm doing a session ID change, but when it redirects to the Default.aspx page it loses all the keys I assigned to it!

This is strange; any clue or help?

Even when I comment out this part:

    Session.Clear();
    Session.Abandon();
    Session.RemoveAll();
    if (Request.Cookies["ASP.NET_SessionId"] != null)
    {
        Response.Cookies["ASP.NET_SessionId"].Value = string.Empty;
        Response.Cookies["ASP.NET_SessionId"].Expires = DateTime.Now.AddMonths(-20);
    }

it loses everything!

Here is my code:

    protected void btnDebugLogin_Click(object sender, EventArgs e)
    {
        try
        {
            string email = "test@123.com";
            string pw = "password";
            string ip = Request.UserHostAddress.ToString();
            string browseragent = Request.UserAgent.ToString();
            ConsoleUser loginUser = new ConsoleUser();

            AbandonSession(); // Delete any existing sessions
            var newSessionId = CreateSessionId(HttpContext.Current); // Create a new SessionId
            SetSessionId(HttpContext.Current, newSessionId);

            // referrer and LangCode are members of the page that are not shown here
            loginUser = SecureLogin.Login(email, pw, ip, browseragent, referrer, LangCode, Session.SessionID.ToString(), null);

            if (loginUser == null)
            {
                lblMsg.Visible = true;
            }
            else
            {
                // Note: this still writes into the session attached to the current request
                Session["CurrentUser"] = loginUser;
                Session["CurrentLoginID"] = loginUser.CurrentLoginId; // Used for tracking User Activity in KeepSessionAlive
                Response.Redirect("/qConsole/Default.aspx", false);
            }
        }
        catch (Exception ex)
        {
            // Empty catch: every exception is swallowed silently, nothing is logged
        }
    }


    protected void AbandonSession()
    {
        // Abandon() and the expired cookie only take effect once this request has finished
        Session.Clear();
        Session.Abandon();
        Session.RemoveAll();
        if (Request.Cookies["ASP.NET_SessionId"] != null)
        {
            Response.Cookies["ASP.NET_SessionId"].Value = string.Empty;
            Response.Cookies["ASP.NET_SessionId"].Expires = DateTime.Now.AddMonths(-20);
        }
        if (Request.Cookies["__AntiXsrfToken"] != null)
        {
            Response.Cookies["__AntiXsrfToken"].Value = string.Empty;
            Response.Cookies["__AntiXsrfToken"].Expires = DateTime.Now.AddMonths(-20);
        }
    }

    private static string CreateSessionId(HttpContext httpContext)
    {
        var manager = new SessionIDManager();

        string newSessionId = manager.CreateSessionID(httpContext);

        return newSessionId;
    }

    public static void SetSessionId(HttpContext httpContext, string newSessionId)
    {
        var manager = new SessionIDManager();

        bool redirected;
        bool cookieAdded;

        // Writes a second ASP.NET_SessionId cookie to the response with the new value
        manager.SaveSessionID(httpContext, newSessionId, out redirected, out cookieAdded);
    }

and the validation part is done in the Master Page before the Default.aspx page is loaded, here:

    protected void Page_Init(object sender, EventArgs e)
    {
        if (Session["CurrentUser"] == null)
        {
            Response.Redirect("/");
        }

        // ..

    }
B.Simboliq
  • That actually sounds like it works **exactly** how it should. Session variables are stored in a Dictionary with key = SessionID. You can only retrieve them using the original ID. – Peter B Oct 26 '18 at 17:07
  • But I'm assigning the CurrentUser and CurrentLoginID objects to the Session after changing the ID using the SessionIDManager! Isn't that right? – B.Simboliq Oct 26 '18 at 17:10
  • You are going to have trouble dropping the old session and creating the new one in the same request-- ASP.NET will emit two cookie headers with the same name, one expired and one with the new ID. Not sure how that will play out. Can't you just [set the ID you want to begin with](https://stackoverflow.com/questions/17839283/is-it-possible-to-set-session-id-to-a-value-of-my-choice-in-asp-net)? – John Wu Oct 26 '18 at 17:21
  • My intention is just to change the ID after logging in. Is that possible in a different way than the one I implemented? – B.Simboliq Oct 26 '18 at 17:23
  • Why do you want to change the session ID anyway? – Oct 26 '18 at 17:26
  • This is one of the requests the security team asked me to do in one of the projects I worked on. – B.Simboliq Oct 26 '18 at 17:28
  • @B.Simboliq And why did the security team ask you to do that? If you're doing the work, and don't understand the reason, then it stands to reason that the underlying effect the security team is trying to accomplish won't actually be completed. – mason Oct 26 '18 at 17:32
  • @Amy The common way of defending against https://www.owasp.org/index.php/Session_fixation is to make sure that the session id changes during the login process. ASP.Net makes this surprisingly tricky. – bmm6o Oct 26 '18 at 17:55

1 Answer


This is the expected result of telling the client to use a new session id. The values are still in the old session, but there is no connection between the old one and the new one. The Session is attached to the request early on in the request cycle, and changing a cookie value during the handling won't affect what session is attached to the user's requests until the next request comes in. What you want to do is clear the cookie when you first render the page, not when they click the button. There are some other subtleties to session management that I mention in my answer https://stackoverflow.com/a/45383679/10558.

You've tagged this question csrf but your solution does nothing for that attack. What resetting the session id prevents is session fixation.

bmm6o
  • My intention is just to change the ID after logging in. Is that possible in a different way than the one I implemented? – B.Simboliq Oct 26 '18 at 17:23
  • Yes, but when you change the ID you lose all previous state, including that they have logged in. If you want to use the ASP.Net session framework, you need to change the id before the request where they log in. You can do this when you send the login page, just make sure not to put anything in the session. – bmm6o Oct 26 '18 at 18:49
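
The approach the answer describes, as an added example that is not code from the question or the answer: regenerate the session ID on the GET that serves the login form, so the login postback already runs under the new ID and the values written to Session there survive the redirect. It assumes a WebForms login page with txtEmail, txtPassword and lblMsg controls, the ConsoleUser type from the question, and a hypothetical Authenticate helper in place of SecureLogin.Login.

```csharp
// Added example (not the question's or the answer's code): regenerate the
// session ID on the GET that serves the login form, not on the login postback.
using System;
using System.Web.SessionState;
using System.Web.UI;

public partial class Login : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Only on the first GET, and only if the browser already carries a
        // session cookie; a first-time visitor has no pre-login ID to replace.
        if (IsPostBack || Request.Cookies["ASP.NET_SessionId"] == null)
            return;

        // Drop the pre-login session and hand the browser a fresh ID. Nothing
        // is written to Session in this request, so there is nothing to lose.
        Session.Clear();
        Session.Abandon();
        var manager = new SessionIDManager();
        manager.Initialize();
        string newId = manager.CreateSessionID(Context);
        bool redirected, cookieAdded;
        manager.SaveSessionID(Context, newId, out redirected, out cookieAdded);
    }

    protected void btnLogin_Click(object sender, EventArgs e)
    {
        // The postback arrives with the cookie issued above, so Session here is
        // already the new one and its contents survive the redirect.
        ConsoleUser user = Authenticate(txtEmail.Text, txtPassword.Text);
        if (user == null)
        {
            lblMsg.Visible = true;   // bad credentials
            return;
        }
        Session["CurrentUser"] = user;
        Session["CurrentLoginID"] = user.CurrentLoginId;
        Response.Redirect("/qConsole/Default.aspx", false);
        Context.ApplicationInstance.CompleteRequest();
    }

    // Hypothetical stand-in for the application's real credential check
    // (the question's SecureLogin.Login takes parameters not shown here).
    private ConsoleUser Authenticate(string email, string password)
    {
        return null;
    }
}
```

The master page's Page_Init check from the question then sees Session["CurrentUser"] on Default.aspx, because the request that stored it and the request that reads it carry the same ASP.NET_SessionId cookie.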