Why does ASP.NET accept external session identifiers?

I have an ASP.NET 3.5 website using a standard SQL membership provider.

The application must pass IBM Rational AppScan before we can move on to production.

I get an error message:
Severity: high
Test type: Application
Vulnerable URL: http://mytestserver/myapp/login.aspx
Correction tasks: Do not accept externally created session identifiers

What can I do to fix this?

I am using SQL Membership Provider. Is this related? I also use standard input controls. I have "Remember Me" disabled and hidden.

Thanks.

+5
3 answers

This is not a vulnerability (and I really don't like AppScan because of its false positives; the number of times I have had to explain that CSRF cookies do not need to be associated with a session in my small open source project is becoming annoying).

All that happens in this case is that the first time something is saved in session state under the client-supplied session identifier, a new session is opened on the server with nothing in it. If you are worried about session fixation, you can clear the cookie after authentication.

Session.Abandon();                                             // drop the server-side session state
Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", "")); // blank the cookie so the next request gets a fresh ID

But with forms authentication, authentication data is not stored in the session, and therefore fixation is not a problem at all.


+8
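As an added example (not code from the answer above or from the asker's project), here is the same post-login step done with a server-generated replacement ID via the framework's own SessionIDManager instead of blanking the cookie. The page class name, the Login control's LoggedIn wiring and the Session_OnStart handler are assumptions; the framework calls (Session.Abandon, SessionIDManager.CreateSessionID, SessionIDManager.SaveSessionID) are standard ASP.NET.

```csharp
using System;
using System.Web;
using System.Web.SessionState;
using System.Web.UI;

// Assumed code-behind for login.aspx; the Login control's LoggedIn event is assumed
// to be wired to Login1_LoggedIn in the markup.
public partial class LoginPage : Page
{
    // Fires only after the membership provider has accepted the credentials,
    // i.e. after FormsAuthentication has already issued the .ASPXAUTH ticket.
    protected void Login1_LoggedIn(object sender, EventArgs e)
    {
        RegenerateSessionId();
    }

    // Replace whatever session ID the client presented (possibly attacker-chosen)
    // with one the server generated, and discard the state stored under the old one.
    private void RegenerateSessionId()
    {
        var manager = new SessionIDManager();

        // Abandon is applied at the end of this request: the state under the
        // presented ID is removed so nothing survives into the new session.
        Session.Abandon();

        // CreateSessionID produces a cryptographically random 24-character ID;
        // SaveSessionID writes it to the ASP.NET_SessionId cookie on this response.
        string newId = manager.CreateSessionID(Context);
        bool redirected, cookieAdded;
        manager.SaveSessionID(Context, newId, out redirected, out cookieAdded);
    }
}

// Assumed Global.asax handler: if the app ever does keep per-user data in session,
// re-populate it here rather than before login, so it is never written under a
// client-supplied ID.
public class Global : HttpApplication
{
    protected void Session_Start(object sender, EventArgs e)
    {
        if (Request.IsAuthenticated)
        {
            Session["user"] = Context.User.Identity.Name;
        }
    }
}
```

Two caveats worth knowing when you go back to the scanner: the session cookie is distinct from the forms-authentication cookie, so the regeneration above changes nothing about who the user is logged in as; and the sessionState regenerateExpiredSessionId setting only reissues IDs in cookieless mode, so it does not make the cookie-based site stop accepting an ID it has never seen.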

, RegenerateExpiredSessionId . true. - , (, 10-15 ).

0
