
Hi, I am getting a Session Fixation vulnerability for the line below in my ASP.NET application.

this.Session["update"] = Server.UrlEncode(System.DateTime.Now.ToString());

I am getting this issue in more than 100 places, since I am using Session["SomeConstant"] in most places to store a value while moving from one page to another.

How do I fix this issue? Is it possible to achieve this in the Global.asax file?

  • Why do you assume that? Did you try a security tool that raised a warning? *What* does it complain about? Session fixation isn't caused by storing anything in session variables. One way it can happen is if the session ID appears in the URL, which is why ASP.NET Core doesn't even offer this option any more – Panagiotis Kanavos Mar 20 '19 at 13:29
  • Possible duplicate of [Session Fixation - Change sessionId on asp.net core 2](https://stackoverflow.com/questions/47335370/session-fixation-change-sessionid-on-asp-net-core-2) – Panagiotis Kanavos Mar 20 '19 at 13:38
  • @PanagiotisKanavos: I am using Checkmarx for SAST analysis. "The page performs user authentication without terminating existing sessions. This may enable Session Fixation." This is the warning I received. –  Mar 21 '19 at 04:42
  • This has nothing to do with storing data in the session. It has to do with how the rest of the Login method works. It's about code you haven't posted here. The problem is that the client's browser may have a session cookie already from another user. [Checkmarx's page](https://www.checkmarx.com/knowledge/knowledgebase/session-fixation) explains how this could happen. If the login code is really buggy, it could log in a new user but *keep* the old cookie – Panagiotis Kanavos Mar 21 '19 at 08:36
  • To avoid this, the login code can call `Session.Abandon()` to kill any existing sessions. [This answer](https://stackoverflow.com/a/29105600/134204) shows code which calls `Session.Abandon()` to abandon any existing session *and* clear any existing data, just to be safe. The built-in authentication mechanisms in the various ASP.NET stacks typically take care of this, but if someone creates custom login logic, `Session.Abandon` may be required – Panagiotis Kanavos Mar 21 '19 at 08:38
  • [Check this question too](https://stackoverflow.com/questions/51620688/fix-session-fixation-flaw-in-asp-net) - the warning may be false – Panagiotis Kanavos Mar 21 '19 at 08:53
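A worked illustration of the fix the comments above point at (an added example, not code from the question or from the linked answers): the flagged `Session["update"] = ...` line is left alone, and the change is made in the login step instead. The code-behind, the `LoginButton_Click` handler, the `UserName`, `Password` and `ErrorLabel` controls, and the use of `Membership.ValidateUser` for the credential check are all assumptions for the sake of the example. The one detail worth knowing beyond "call `Session.Abandon()`" is that `Abandon()` by itself does not change the session ID: the browser keeps sending the same `ASP.NET_SessionId` cookie and the runtime reuses that ID for the next session, so the ID is regenerated explicitly with `SessionIDManager`.

```csharp
// Login.aspx.cs: hypothetical code-behind for an ASP.NET Web Forms login page.
// Added example, not code from the question or the linked answers.
using System;
using System.Web;
using System.Web.Security;
using System.Web.SessionState;
using System.Web.UI;

public partial class Login : Page
{
    // Assumed handler name and control names (UserName, Password, ErrorLabel).
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        // Credential check. Membership.ValidateUser is assumed here;
        // a custom user store would go in its place.
        if (!Membership.ValidateUser(UserName.Text, Password.Text))
        {
            ErrorLabel.Text = "Invalid user name or password.";
            return;
        }

        // 1. Throw away whatever session the browser arrived with. A session ID
        //    planted in this browser before the user authenticated must not
        //    survive the login; Clear() drops the data, Abandon() ends the session.
        Session.Clear();
        Session.Abandon();

        // 2. Abandon() does not change the ID: the ASP.NET_SessionId cookie is
        //    still sent back by the browser and would be reused. Mint a new ID and
        //    overwrite the cookie in this response (SaveSessionID throws if the
        //    response headers have already been sent, so do this before any output).
        var idManager = new SessionIDManager();
        string newSessionId = idManager.CreateSessionID(Context);
        bool redirected, cookieAdded;
        idManager.SaveSessionID(Context, newSessionId, out redirected, out cookieAdded);

        // 3. Record the authentication in the forms-auth cookie and redirect.
        //    Do not write Session["..."] in this request: until the request ends,
        //    the abandoned session is still the one in scope, so anything stored
        //    now would be lost with it. Per-page Session values written on later
        //    requests land in the new session, which is the intended behaviour.
        FormsAuthentication.RedirectFromLoginPage(UserName.Text, createPersistentCookie: false);
    }
}
```

The pattern is: abandon and clear on successful authentication, regenerate the ID in the same response, then redirect so that every subsequent request (and every `Session["SomeConstant"]` write on the other pages) runs under an ID the client could not have known before logging in. The scanner finding is about this login step, not about the individual `Session[...]` assignments, so those do not need to change.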
