ASP.Net Session Not Invalidated After Logout - asp.net

I have an ASP.Net application; in my login page I call

    FormsAuthentication.SignOut();
    Session.Abandon();
    Session.Clear();

However, AppScan takes the ASPXAUTH cookie value and, after logout, is able to re-inject the cookie value to gain access to protected pages.
Microsoft has acknowledged a problem but only offers advice, not a fix: http://support.microsoft.com/kb/900111
Can someone provide examples of how to fix this issue?

One option is to have a UserSession table and insert a record into this table when the user logs in. When you logout either delete the entry or mark it invalid. On the secure pages, verify that a UserSession exists for the logged in user and redirect to a login page if it does not.

Set a session value on login, clear it on logout and check it on each access to a secure page. The session value is not sent to the client and as such the client/attacker cannot manipulate it.
Walkthrough without session value cleared on exit:
user visits login page - generates viewstate
man-in-the-middle-hacker collects viewstate
user submits login form - generates auth cookies
man-in-the-middle-hacker collects auth cookies
user logs out - server clears users cookies
man-in-the-middle-hacker continues to use previous credentials completely unhindered
game over
Walkthrough with session value cleared on exit:
user visits login page - generates viewstate
man-in-the-middle-hacker collects viewstate
user submits login form - generates auth cookies
man-in-the-middle-hacker collects auth cookies
user logs out - server clears the user's cookies and sets its internal session flag value to null
man-in-the-middle-hacker continues to use previous credentials, but because the session he is working with now has the value null, the server redirects to the login page.
win!

Related

Fix Session Fixation flaw in ASP.Net

A hybrid webforms/mvc asp.net application using .Net Framework 4.7 has been tagged with the "Session Fixation" vulnerability in a Veracode dynamic scan. What this means is that Veracode gets the login page, alters the SessionId cookie (ASP.NET_SessionId), and then posts with a valid userid and password to do the login. ASP.Net logs in the user, but takes this altered SessionId cookie and continues to use it; that behavior of using that injected SessionId value is the flaw.
In other words, when Veracode gets the page the SessionId cookie might be "abc123". Veracode changes that cookie to "def456" and posts back. ASP.Net logs in the user and uses "def456" as the SessionId henceforth.
Per Veracode I must invalidate the ASP.Net_SessionID cookie created prior to a successful login. This is easy to do of course, I can simply reset the ASP.NET_SessionId cookie when the user successfully logs in. The problem is, this causes the user to be redirected right back to the login page. So what happens is this:
User submits the login page.
Server-side, if the login is successful, I reset the ASP.NET_SessionId to some new value (by calling SessionIDManager.SaveSessionID(), which in turn simply resets the ASP.Net_SessionID cookie).
The user is redirected to the application home page, and then immediately redirected back to the login page
The application uses forms authentication, with a webforms login page. The login page uses the asp.net Login control. In the "OnAuthenticate" event of this control I have code like this:
    protected void Login1_Authenticate(object sender, AuthenticateEventArgs e)
    {
        bool b = Membership.ValidateUser(Login1.UserName, Login1.Password);
        if (b)
        {
            e.Authenticated = true;
            SessionIDManager mgr = new SessionIDManager();
            string newId = mgr.CreateSessionID(Context);
            mgr.SaveSessionID(Context, newId, out bool redirected, out bool cookieAdded);
        }
    }
This runs without error. ASP.net redirects the user to the application home page. But then asp.net immediately redirects the user from the application home page back to the login page.
Is there any way to alter that SessionId cookie so that
Veracode's injected SessionId cookie value is abandoned.
The user stays authenticated and is not simply redirected back to the login page.
I've attempted running the code that alters the SessionId in various page events (PreInit, Load, etc.) and all of them have the same result: the user is redirected back to the login page.
Please do not mark this question as already answered. There are several answers to this question on SO, all of which advise re-setting the SessionId cookie as I do above, and all of which have comments pointing out that this does not actually work.
After considerable back-and-forth the final reply from a Veracode consultant was the following, basically saying "don't worry about it." This is the reply from Veracode:
I also looked further into the dynamic findings from your application. The session ID that we are finding session fixation on, is not the ID you are using for authentication, and so the risk for your application is low. An attacker would not be able to gain access to an authenticated session of a user by controlling just the ASP.NET_SessionId cookie. By protecting the .ssoIIMAuth cookie your application is already preventing this sort of attack.
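The two threads above (the AppScan replay of an ASPXAUTH cookie after logout, and the Veracode session-fixation finding) come down to the same server-side check: a forms ticket on its own should prove nothing unless the server still holds a live session record it was issued against. The following HttpModule is an added example, not code from either question, from Microsoft or from Veracode. It stores a random token in the session at login, copies it into the ticket's UserData, and rejects any authenticated request where the two do not match. After logout the session no longer holds the token, so a replayed ASPXAUTH cookie is sent to the login page; a session ID chosen before login never receives a ticket carrying its token, so holding ASP.NET_SessionId alone grants nothing, which is the point the Veracode consultant makes. It does not change the session ID, so it sidesteps the redirect problem the asker hit. AuthBinding, AuthBindingModule and the session key name are assumed names.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.Security;

// Added example (not from the original posts): binds the forms-authentication
// ticket to a server-side session value. AuthBinding, SessionKey and
// AuthBindingModule are assumed names, not framework identifiers.
public static class AuthBinding
{
    public const string SessionKey = "AuthBindingToken"; // assumed key name

    // Call after credentials validate, e.g. from the Login control's LoggedIn
    // event (Cookies.Set replaces the cookie the control already issued).
    public static void SignIn(HttpContext ctx, string userName, bool persistent)
    {
        // Drop whatever state the pre-login session held (including anything
        // tied to a session ID supplied by someone else) and mint a new token.
        ctx.Session.Clear();
        string token = NewToken();
        ctx.Session[SessionKey] = token;

        var ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now,
            DateTime.Now.Add(FormsAuthentication.Timeout),
            persistent, token /* UserData carries the binding token */,
            FormsAuthentication.FormsCookiePath);
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,
            Secure = FormsAuthentication.RequireSSL,
            Path = FormsAuthentication.FormsCookiePath
        };
        if (persistent) cookie.Expires = ticket.Expiration;
        ctx.Response.Cookies.Set(cookie);
    }

    // Call on logout: the server-side token disappears, so any copy of the
    // ticket captured earlier no longer matches anything.
    public static void SignOut(HttpContext ctx)
    {
        ctx.Session.Remove(SessionKey);
        ctx.Session.Abandon();
        FormsAuthentication.SignOut();
    }

    private static string NewToken()
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        return Convert.ToBase64String(bytes);
    }

    // Constant-time comparison so the check does not leak how many leading
    // characters of the token matched.
    public static bool FixedTimeEquals(string a, string b)
    {
        if (a == null || b == null || a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

// Register in web.config under <system.webServer><modules> (or <httpModules>).
public class AuthBindingModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // Session state is only available after AcquireRequestState, which is
        // why this check cannot live in AuthenticateRequest.
        app.PostAcquireRequestState += OnPostAcquireRequestState;
    }

    private void OnPostAcquireRequestState(object sender, EventArgs e)
    {
        var ctx = ((HttpApplication)sender).Context;
        if (ctx.Session == null) return; // handler without session state

        var identity = ctx.User?.Identity as FormsIdentity;
        if (identity == null || !identity.IsAuthenticated) return;

        string expected = ctx.Session[AuthBinding.SessionKey] as string;
        string presented = identity.Ticket.UserData;
        if (!string.IsNullOrEmpty(expected)
            && AuthBinding.FixedTimeEquals(expected, presented)) return;

        // Ticket without a live, matching session: treat the user as logged out.
        ctx.Session.Clear();
        FormsAuthentication.SignOut();
        ctx.Response.Redirect(FormsAuthentication.LoginUrl + "?ReturnUrl=" +
            HttpUtility.UrlEncode(ctx.Request.RawUrl), endResponse: true);
    }

    public void Dispose() { }
}
```

Two practical points: the module must run after session state is acquired, so anything placed in AuthenticateRequest will see a null Session and cannot do this check; and the logout path must call Session.Abandon (or at least remove the key) rather than only FormsAuthentication.SignOut, because SignOut only expires the client cookie and a captured copy of the cookie is unaffected by that.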

How to double-check user credentials against SQL database in ASP.NET Forms Authentication

I'm setting up Forms Authentication for the first time.
I am validating the username and password(hashed) against a local SQL database.
All of this is working fine in my logon.aspx file in a ValidateUser() function.
I am also allowing the logon criteria to be persistent so the user does not have to re-enter their credentials when they return to the page.
The problem is, when the previously logged in user returns to my site and the cookie/ticket is used my ValidateUser() function is not called, SO... if I have deactivated the user or changed the user's password the user still gets logged in.
I've considered doing this in Application_AuthorizeRequest or Application_PostAuthorizeRequest in Global.asax, but I would also like to set some session variables at the time I re-verify the credentials against the database and the session is not yet created when these are called for the first time when a user logs in.
Any advice would be greatly appreciated.
The first time the user is authorized, create a session for that user, e.g. Session["Username"]. Check the session whenever he enters any page; if the session is not present, redirect him to the login page. After that, when he logs out, abandon that session.
So whenever he wants to access it next time, he has to log in again.

asp.net mvc3 authentication

Is there any solution to redirect the user to the login page when the cookie expires?
I create a FormsAuthenticationTicket and cookie. Expiration is set to 10 minutes.
When the expiration is over, and the user doesn't make any request for 20 minutes, and after that
clicks on some link, he should be redirected to the login page and log in again.
I have HttpModule in assembly, which is referenced in web project.
In this module I have PreRequestHandlerExecute() event,
where I control on every request, if the user is authenticated and refresh timeout for cookie.
But If the user is not authenticated, he would be redirect to login page.
Is there any solution for this? I know about AuthorizeAttribute, but is there any other way to do this?
THANKS
Once the user's cookie has expired it won't be sent in the request, so you have no way of knowing who is a new user and who is a user whose cookie has expired, because neither user will send a cookie with their page request.
One workaround is to set the cookie to 10 mins, but use the Meta Refresh tag to redirect to the login page after 9 mins 50 seconds. Note: the login page would need to log the user out too, otherwise it would refresh the session again.
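One way to implement that workaround from the HttpModule the question already has, as an added example that is not code from the question or the answer: instead of a fixed 9m50s in the page, compute the timer from the ticket the FormsAuthenticationModule has already validated and emit it as an HTTP Refresh header, which browsers treat like a meta refresh tag. Pointing the timer at the logout action rather than the login page covers the note in the answer that landing on the login page must also log the user out. With slidingExpiration enabled, the built-in FormsAuthenticationModule renews the ticket, so the expiration read here already reflects that renewal. The LogOffUrl and the 10-second margin are assumptions.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added example, not from the original question or answer. For every HTML
// page request by an authenticated user, tell the browser to navigate to the
// logout action shortly before the forms cookie would expire, so the user is
// sent to the login page instead of silently losing the ticket.
public class ExpiryRedirectModule : IHttpModule
{
    private const string LogOffUrl = "~/Account/LogOff"; // assumed MVC action
    private static readonly TimeSpan Margin = TimeSpan.FromSeconds(10); // assumed

    public void Init(HttpApplication app)
    {
        // Same event the question uses; the forms principal is set by now.
        app.PreRequestHandlerExecute += OnPreRequestHandlerExecute;
    }

    private void OnPreRequestHandlerExecute(object sender, EventArgs e)
    {
        var ctx = ((HttpApplication)sender).Context;
        var identity = ctx.User?.Identity as FormsIdentity;
        if (identity == null || !identity.IsAuthenticated) return;

        // Only full page loads get the timer; POSTs and Ajax calls do not.
        if (ctx.Request.HttpMethod != "GET") return;

        int seconds = SecondsUntilRedirect(identity.Ticket.Expiration, DateTime.Now);
        string target = VirtualPathUtility.ToAbsolute(LogOffUrl)
                        + "?ReturnUrl=" + HttpUtility.UrlEncode(ctx.Request.RawUrl);
        // Browsers honour the Refresh header like <meta http-equiv="refresh">.
        ctx.Response.AppendHeader("Refresh", seconds + ";url=" + target);
    }

    // Pure helper: seconds until the browser should leave the page, never below 1.
    // FormsAuthenticationTicket.Expiration is local time, so compare with DateTime.Now.
    public static int SecondsUntilRedirect(DateTime expiration, DateTime now)
    {
        double remaining = (expiration - now - Margin).TotalSeconds;
        return remaining < 1 ? 1 : (int)Math.Floor(remaining);
    }

    public void Dispose() { }
}
```

The logout action should call FormsAuthentication.SignOut and Session.Abandon and then redirect to the login page with the ReturnUrl it received, so that the user can pick up where they left off after signing in again.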

Keep Session in Sync with FormsAuthentication

When a user logs in through my login page, I authenticate them using FormsAuthentication and set some Session values that hold user-specific info, like UserID and RoleID. I set site content based on these values.
The problem is when the session expires and the user is still signed in: things are messed up, because the session is null but the user is still signed in.
How can I keep them in sync with each other, so the session only expires if they're signed out, or vice versa?
Thank you.
When the session has ended (Session_OnEnd) in global.asax, you can kill the forms authentication cookie. Doing so will redirect the user to the default page (or login page depending on how you set it up) upon any subsequent requests. You should also kill the authentication cookie when user has manually logged out - same effect.
To kill the authentication cookie:
    FormsAuthentication.SignOut();
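Both this question and the earlier "double-check user credentials" question have the same shape: the forms cookie outlives the server-side state, so a persisted ticket is trusted even after the user was deactivated, changed their password, or simply lost their session. The module below is an added example, not code from either question or its answers. On every authenticated request it looks the ticket's user up again, signs the user out if the account is inactive or the password was changed after the ticket was issued, and otherwise refills the missing Session values from the account record instead of leaving them null. It runs in PostAcquireRequestState because, as the first asker found, Session is not yet available in AuthenticateRequest. UserRecord and AccountStore are an assumed in-memory stand-in for the SQL lookup; the sample rows are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Security;

// Added example, not from the original posts. The account store is an assumed
// in-memory stand-in for the SQL table the question validates against.
public class UserRecord
{
    public int UserId;
    public int RoleId;
    public bool IsActive;
    public DateTime PasswordChangedUtc; // update this on every password change
}

public static class AccountStore
{
    // Constructed sample data standing in for the SQL table.
    private static readonly Dictionary<string, UserRecord> Users =
        new Dictionary<string, UserRecord>(StringComparer.OrdinalIgnoreCase)
        {
            ["alice"] = new UserRecord { UserId = 1, RoleId = 2, IsActive = true,
                PasswordChangedUtc = new DateTime(2023, 1, 1, 0, 0, 0, DateTimeKind.Utc) },
            ["bob"] = new UserRecord { UserId = 2, RoleId = 3, IsActive = false,
                PasswordChangedUtc = new DateTime(2023, 1, 1, 0, 0, 0, DateTimeKind.Utc) }
        };

    public static UserRecord Find(string userName)
    {
        UserRecord record;
        return Users.TryGetValue(userName, out record) ? record : null;
    }

    // Pure decision: is a ticket issued at issuedUtc still acceptable for this user?
    public static bool TicketStillValid(UserRecord user, DateTime issuedUtc)
    {
        return user != null && user.IsActive && user.PasswordChangedUtc <= issuedUtc;
    }
}

// Register in web.config under <system.webServer><modules> (or <httpModules>).
public class RevalidateUserModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // Session exists here; it does not yet in AuthenticateRequest.
        app.PostAcquireRequestState += OnPostAcquireRequestState;
    }

    private void OnPostAcquireRequestState(object sender, EventArgs e)
    {
        var ctx = ((HttpApplication)sender).Context;
        if (ctx.Session == null) return; // handler without session state

        var identity = ctx.User?.Identity as FormsIdentity;
        if (identity == null || !identity.IsAuthenticated) return;

        var user = AccountStore.Find(identity.Name);
        // Ticket dates are local time; normalise before comparing with the store.
        DateTime issuedUtc = identity.Ticket.IssueDate.ToUniversalTime();
        if (!AccountStore.TicketStillValid(user, issuedUtc))
        {
            // Deactivated, or password changed after the ticket was issued:
            // the persisted cookie is no longer trusted.
            ctx.Session.Abandon();
            FormsAuthentication.SignOut();
            ctx.Response.Redirect(FormsAuthentication.LoginUrl, endResponse: true);
            return;
        }

        // Session expired while the cookie survived: rebuild the values the
        // pages depend on from the account record rather than leaving them null.
        if (ctx.Session["UserID"] == null)
        {
            ctx.Session["UserID"] = user.UserId;
            ctx.Session["RoleID"] = user.RoleId;
        }
    }

    public void Dispose() { }
}
```

The lookup happens on every request, so in a real application it belongs behind a short-lived cache keyed by user name; the price of that cache is the delay before a deactivation or password change takes effect, so keep it to seconds rather than minutes.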

How do I let a user know that his/her session has expired?

I have set Tomcat to dispose of sessions after 15 minutes of inactivity. Something like this
    <session-config>
        <session-timeout>15</session-timeout>
    </session-config>
Whenever a user accesses a restricted page (one that requires a user to be logged in) I check the session to see if the login process has been completed. If it has, then access is granted; if it hasn't, then the user is redirected to the login page where he/she is prompted for a valid ID and a password. If a session times out then the user is required to log in again. And this is fine, but I would like to let the user know that he/she has to log in again because the session has timed out.
How do I go about doing this? I found the HttpSessionListener interface and thought it might help but the sessionDestroyed method is called right before the session is invalidated so setting a parameter there is no good, as expected.
On login, set a long living cookie (1 day?) which you remove (set age to 0) during a normal logout. If you land at the login page again while the user is not logged in and the cookie is still present, then it means that the session has been expired.
    <c:if test="${empty user && not empty cookie.user}">
        You were logged out because the session was expired.
    </c:if>
When you redirect the user to the login form, set a request parameter, url parameter, or cookie that indicates that the session has expired (erase the cookie once you've displayed the login form if you use a cookie). Then, when displaying the form, check for the session expired indicator and show an appropriate message.
You can check if the session has expired and/or timed out with:
    if (request.getRequestedSessionId() != null
            && !request.isRequestedSessionIdValid()) {
        // Session is expired
    }

Use getRequestedSessionId to distinguish between new and existing (valid/expired) sessions, and use isRequestedSessionIdValid to distinguish between valid and new/expired sessions.
You can put this code in a Filter.
