
I want to implement measures to prevent/mitigate session hijacking. Thus, I want to know the options, either from built-in ASP.NET or custom components.

Please note that session hijacking refers to Forms Auth session and Session State.

My ASP.NET is using HTTPS for all pages all the time. But it is possible that the session can be compromised once the session cookie id is obtained by a third party somehow, e.g. from the user's hard drive, cross-site scripting attacks, and man-in-the-middle attacks.

In particular, I am concerned about session id hijacking because https is used all the time for my projects

Below are the links I reviewed, which were written a few years back:

Foiling Session Hijacking Attempts (Jeff Prosise). Please refer to the Caveats section for its shortcomings.

I cannot find much relevant information, or different from Jeff's on the web.

Pingpong

1 Answer


Here are a couple of suggestions:

  1. Salt your session ID. This would ensure that you have unique session IDs - although, I am pretty sure the default ASP.NET session IDs are unique enough for your purposes; however, for added security you could use something that either you can control or is self-identifying. For instance, you could use a GUID as a salt - which you can control by updating as you see fit.
  2. Track the session ID and user IP address of your users as a pair in a dictionary object. This would enable you to match the session IDs to the IP address and reveal any session hijacking that is occurring outside of the user's LAN. Obviously not without flaws, as it won't matter much if the user's computer or router is infected, but it will at least make it more difficult for the attacker to accomplish their task.

Not sure what you would do if the user's computer is infected, but that risk exists whether you increase your defensive measures or not.

Byrdman
  • What would stop an evil third party from using the same session ID mentioned in your first point? It's still valid, you've just changed the generation. As you mentioned, the second point has a flaw when the IP address changes (roaming mobile users) and when people share addresses (Google's proxy servers). – sisve Jul 02 '14 at 14:10
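An added example, not part of the question, the answer or the Prosise article, of how the answer's second suggestion (pairing the session with the client's address) can be done for Forms Authentication in classic ASP.NET (System.Web) without an in-memory dictionary: a keyed hash of the User-Agent and the client's IPv4 /24 prefix is stored in the ticket's UserData at login, and an IHttpModule rejects any request whose ticket fingerprint no longer matches. Storing the fingerprint inside the ticket means it is covered by the ticket's own encryption and MAC (machineKey), survives application restarts and works across a web farm. The module name, the helper names, the key literal and the /24 rule are all our assumptions; the /24 rule only softens the roaming-user and shared-proxy problem raised in the comment, it does not remove it.

```csharp
// Added example (not code from the original post): bind a Forms Auth ticket to a client
// fingerprint and tear down auth + session state when the fingerprint changes.
// Register in web.config under <system.webServer><modules> (integrated pipeline) or
// <system.web><httpModules> (classic pipeline). Names below are hypothetical.
using System;
using System.Net;
using System.Net.Sockets;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.Security;

public class SessionBindingModule : IHttpModule
{
    // Assumption: in production this key comes from configuration or a key store,
    // never from a literal in source. It must be the same on every server in a farm.
    private static readonly byte[] FingerprintKey =
        Encoding.UTF8.GetBytes("replace-with-a-random-key-loaded-from-config");

    public void Init(HttpApplication app)
    {
        // PostAcquireRequestState runs after both authentication and session state are
        // available, so we can abandon the session as well as sign the user out.
        app.PostAcquireRequestState += OnPostAcquireRequestState;
    }

    public void Dispose() { }

    // Keyed hash of the User-Agent plus the first three octets of an IPv4 address.
    // Design choice: comparing only the /24 keeps a user whose address moves within the
    // same subnet logged in, while a cookie replayed from another network still fails.
    public static string ComputeFingerprint(string userAgent, string remoteAddress)
    {
        string prefix = remoteAddress ?? string.Empty;
        IPAddress ip;
        if (IPAddress.TryParse(prefix, out ip) && ip.AddressFamily == AddressFamily.InterNetwork)
        {
            byte[] b = ip.GetAddressBytes();
            prefix = b[0] + "." + b[1] + "." + b[2];
        }
        string material = (userAgent ?? string.Empty) + "|" + prefix;
        using (var hmac = new HMACSHA256(FingerprintKey))
        {
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(material)));
        }
    }

    // Call this from the login code instead of FormsAuthentication.SetAuthCookie.
    // The fingerprint goes into UserData, which the client cannot read or edit because
    // FormsAuthentication.Encrypt protects the whole ticket with the machineKey.
    public static void IssueTicket(HttpContext context, string userName, bool persistent)
    {
        string fp = ComputeFingerprint(context.Request.UserAgent, context.Request.UserHostAddress);
        var ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.Add(FormsAuthentication.Timeout),
            persistent, fp, FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true, // script injected by XSS cannot read the ticket
            Secure = true,   // never sent over plain HTTP (the site is HTTPS-only anyway)
            Path = FormsAuthentication.FormsCookiePath
        };
        if (persistent) cookie.Expires = ticket.Expiration;
        context.Response.Cookies.Add(cookie);
    }

    private static void OnPostAcquireRequestState(object sender, EventArgs e)
    {
        HttpContext context = ((HttpApplication)sender).Context;
        var identity = context.User == null ? null : context.User.Identity as FormsIdentity;
        if (identity == null) return; // anonymous request, nothing to check

        string expected = identity.Ticket.UserData;
        string actual = ComputeFingerprint(context.Request.UserAgent, context.Request.UserHostAddress);
        if (FixedTimeEquals(expected, actual)) return;

        // Fingerprint mismatch: treat the ticket as stolen. Drop the auth cookie and any
        // session state so the holder of the cookie gets neither, then force a fresh login.
        FormsAuthentication.SignOut();
        if (context.Session != null) context.Session.Abandon();
        context.Response.Redirect(FormsAuthentication.LoginUrl, true);
    }

    // Constant-time comparison so the check itself does not leak how many leading
    // characters of the fingerprint an attacker has guessed correctly.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a == null || b == null || a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Pair this with `<forms requireSSL="true" cookieless="UseCookies" ... />` and `<httpCookies httpOnlyCookies="true" requireSSL="true" />` in web.config so the cookie flags set here are enforced application-wide. Note that the User-Agent is attacker-controlled: an attacker who can steal the cookie by XSS can usually also read the victim's User-Agent, so the binding mostly raises the cost of replay from another network, which is the same limitation the answer and the comment already describe for the IP-based check.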