We have been notified through a penetration test that our website is not securing the ASPXAUTH and ASP.NET_SessionId cookies.

I have made several changes to secure the cookies.

  1. Added the requireSSL="true" attribute to the System.Web -> Authentication -> Forms element in the web.config.
  2. Changed the code that clears the ASP.NET_SessionId and ASPXAUTH cookies on initial login and logout so that it sets them to be Secure and HttpOnly.
  3. Added code to the Application_EndRequest method in Global.asax that specifically sets the ASP.NET_SessionId and ASPXAUTH cookies in Response.Cookies to Secure and HttpOnly.

I can't figure out why the second one matters, but without it, the ASP.NET_SessionId cookie never shows up in the response object as secure.

Using the Chrome Developer Tools, I have taken screenshots at several points in time, and some of the behavior looks unexpected to me. If someone could take a look at this and let me know if things are behaving correctly, I would very much appreciate it.

This screenshot was taken on initial page load after clearing cookies for the site: [screenshot: upon initial page load]

The two SessionId cookies seem odd to me: why is there one that is secure and one that isn't?

This screenshot was taken after clicking to log in to the site: [screenshot: after clicking log in]

This one makes even less sense to me. Why is the ASP.NET_SessionId cookie in the request not flagged as Secure or HttpOnly? Is this expected behavior? I'm assuming that no SessionId cookie being sent in the response is correct behavior.

This screenshot was taken after clicking a link on the site to view a new page: [screenshot]

If possible, this makes even less sense to me. The two cookies in question are sent in the request, and neither is set HttpOnly or Secure. Is this correct behavior? Additionally, is it correct that neither cookie appears in the response?

I've spent quite a bit of time here on StackOverflow and with The Google trying to find the correct way to configure these cookies. I just don't know if what I've done was correct, as I'm not sure what the fixed implementation should even look like.

Any help that can be provided would be very much appreciated.

Thank you, -Nathan

Nathan Hood

1 Answer

Take a look at this similar thread on SO: "How to secure the ASP.NET_SessionId cookie?"

Are you setting the Secure flag of the cookie during the session start event? Something like this:

protected void Session_Start(Object sender, EventArgs e)
{
    // Secure the ASP.NET session cookie only if the request came over SSL.
    // Without the IsSecureConnection check it will not work: a Secure cookie
    // issued over plain HTTP is not sent back by the browser, so every
    // request would start a new session.
    if (Request.IsSecureConnection)
    {
        // Cookie names in Response.Cookies are matched case-insensitively.
        HttpCookie sessionCookie = Response.Cookies["ASP.NET_SessionId"];
        sessionCookie.Secure = true;
        sessionCookie.HttpOnly = true;
    }
}

Rasik Jain
  • That did change the behavior somewhat, but I'm still not sure it's correct. This is after initial page load: https://i.imgur.com/KSUISU1.jpg This is after clicking log in: https://i.imgur.com/l7uxSPh.jpg This is after loading a new page: https://i.imgur.com/IcTkiav.jpg I'm concerned about the third image because neither of the cookies has its HttpOnly or Secure flag set. – Nathan Hood Feb 20 '19 at 19:36
  • It's difficult to tell without looking at the code. I would suggest disabling the code everywhere else where you are manipulating the cookies, then enabling it step by step. Also, before testing, try to clear the cookies from Chrome. Hope that works for you. – Rasik Jain Feb 21 '19 at 06:08
  • I have done all that, many, many times. The issue I'm trying to resolve isn't whether my code is correct. I'm trying to determine whether this behavior is correct, especially the missing Secure and HttpOnly flags on the change-page request. – Nathan Hood Feb 22 '19 at 16:57
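As an added configuration example (not code from either poster), the web.config entries that make ASP.NET mark every cookie it issues, including ASP.NET_SessionId and .ASPXAUTH, as Secure and HttpOnly, so no per-cookie code in Session_Start or Application_EndRequest is needed. The loginUrl value is an assumed placeholder; the forms element is the one the question already enables.

```xml
<!-- web.config (assumed site config; loginUrl is a placeholder) -->
<configuration>
  <system.web>
    <!-- Step 1 from the question: the forms ticket cookie (.ASPXAUTH)
         is only issued and accepted over HTTPS -->
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" requireSSL="true" />
    </authentication>
    <!-- Applies to every cookie ASP.NET writes, including ASP.NET_SessionId:
         httpOnlyCookies="true" adds the HttpOnly attribute,
         requireSSL="true" adds the Secure attribute.
         Caveat: with requireSSL="true" here, setting any cookie on a plain
         HTTP request throws an HttpException, so the whole site must be
         served over HTTPS (redirect HTTP to HTTPS before enabling this). -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>
</configuration>
```

Remember that the Secure and HttpOnly attributes only appear on Set-Cookie response headers; a browser's Cookie request header carries just name=value, so the developer tools will never show those flags on the request side.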