Introduction
Web applications rely on user state management because of the stateless nature of HTTP. In this article, we will look at Session Management in ASP.NET web applications and some of the key development aspects developers should look at to keep their web applications safe from attacks.
Session Management in ASP.NET Web applications
Session management regulates secure communication between a user and an application and enables the application to share relevant information and views related to the user’s identity. During a session, users submit requests and often this includes sensitive information that may be stored to keep track of the user’s selections and preferences on the user’s future requests. The application is expected to protect the user's information from unauthorized access during the session.
ASP.NET applications create a Session ID once a user logs in to an application and this ID is sent to the user’s browser for use each time the particular user makes a request. Session management secures client-server communications using a Session ID. Requests from the user to the server are identified by the session token. The use of securely configured session cookies may be applied for proper Session Management which will be attack free.
Session IDs can be stored in hidden form fields, in cookies, or can be embedded in the URL (not recommended). These three cookies have been seen to be the most secure and are commonly used. However, the use of insecure cookies may lead to a lot of vulnerabilities that may be used to attack unsuspecting authenticated users such as identity theft.
Session Vulnerabilities
Session Hijacking-Adversaries can use brute force to steal session tokens which may lead to session hijacking and attackers may impersonate the victim and cause damage.
Session fixation
This takes place especially in situations where the application does not perform consistent checks on user information and an attacker fixates the token of the authenticated user and uses it to hijack the session.
Session hijacking allows the attacker to perform any operations on the application using the victim’s rights or permissions. This can be very damaging if the victim has administrative privileges and the attacker has may remove or add users or assign himself further required user privileges.
Session Handling Best Practices
- It is a secure practice not to use the default SessionID provided in ASP.NET applications which are created by SessionIDManager. Secure methods of Session management replace this default cookie.
- Rename the default Session cookie – The ASP.NET_SessionId name reveals the name of the language as part of its SessionID characters and this gives away the security of the application to attackers. It opens the way for further attacks such as Code Injection.
- Discard the ASP.NET_SessionId cookie at logout – Using the default ASP.NET_SessionId cookie the application should destroy the ASP.NET_SessionId cookie at logout. Setting the ASP.NET_SessionId cookie to nothing (i.e null) at log out may result in making the ASP.NET_SessionId cookie being useless and invalid.
- Generate new Session cookies – Secure Session management should remove or expire session cookies at logout and create a new one when they revisit the application or site and provide correct login credentials.
- Session Logging – This entails logging of all session activities which can be implemented similarly with error logging. The application should when session cookies are created and they are destroyed. Session anomalies can easily be detected using Session Logging.
- Configure Session Cookies properly - Session tokens should contain unique characters and unpredictable to avoid attackers from easily guessing them or use brute force to crack through.
- Session ID must be random characters with no meaning and should not contain any useful information.
- Cookie information should be encrypted.
Conclusion
Session management ensures the users’ security on websites and web applications and should be implemented using secure methods to protect the website and users’ information and objectives in secure sessions.