Update Session ID after login, prevent Session Fixation

(OP)
I've inherited a project that has gone through a security audit. One thing they found is that the session ID is not updated after login, and this opens the application up to a Session Fixation attack.

My problem, it appears, is one of timing. The default.aspx.vb handles the login click and checks the credentials against the database. If login succeeds, the app loads a class that it calls GlobalTransfer, which essentially stores a ton of properties that can be accessed throughout the app. It stores this object in the session. My problem is that the couple of methods I have found to update/kill/reset a session don't fire until after default.aspx.vb is finished running:

- Session.Abandon doesn't call the Session_OnEnd event until the page is finished processing
- Using SessionIDManager.SaveSessionID adds the new ID to the HTTP response, but it appears this doesn't show up in the process until the next page call

I've added the SaveSessionID call to the Page_Load of my default.aspx.vb, figuring it didn't matter if a new session ID was generated every time default is run, just as long as the last session generated sticks for the rest of the session. However, somehow the session ID is still not changing until after the login handler is completed. Here is an example from my Page_Load call:

CODE --> VB

Imports System.Web.SessionState

' Excerpt from Page_Load in default.aspx.vb
Protected Sub Page_Load(ByVal sender As Object, ByVal e As EventArgs) Handles Me.Load
    Dim Manager As New SessionIDManager()
    Dim NewID As String = Manager.CreateSessionID(Context)
    Dim OldID As String = Context.Session.SessionID
    Dim redirected As Boolean = False
    Dim IsAdded As Boolean = False
    ' Only writes the session cookie to the response; this request stays bound to OldID
    Manager.SaveSessionID(Context, NewID, redirected, IsAdded)
    Dim strTest As String = Session.SessionID   ' still reports OldID during this request
End Sub

So when I first come to the default page, strTest is "hjkqn41huzavksq3idtaiujs".
I enter credentials to log in and click the button; Page_Load fires, which should update the SessionID, but the strTest value is still "hjkqn41huzavksq3idtaiujs".
So then it goes through all the login handling, saves the GlobalTransfer, redirects to frmOne.aspx, and NOW the Session ID is "dtchgyu2jfehifvivw31gel1".
So at this point the GlobalTransfer data is all lost.

Anyone have a solution that will update the SessionID instantly?

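The following is an added example, not the original poster's code or code from the project the post describes. It shows the pattern normally used for this in ASP.NET WebForms: the session ID of a request is resolved by the session-state module before any page code runs, so SessionIDManager.SaveSessionID only writes a cookie to the response and Session stays bound to the old ID for the rest of the request. Likewise, Session.Abandon() alone does not change the ID, because ASP.NET reuses an ID the browser presents when it creates a new session. The fix is to abandon the session, blank its cookie, and redirect, then rebuild GlobalTransfer in the fresh session from an identity that survives the swap (the forms-authentication ticket). Assumptions not taken from the post: Forms authentication is enabled; the page has controls btnLogin, txtUser, txtPassword and lblError; a hypothetical CheckCredentials(user, password) function performs the existing database check; and a hypothetical Shared factory GlobalTransfer.Load(userName) can rebuild the object from the database.

```vb
' Added example (not the original poster's code). See the lead-in for assumptions.
Imports System
Imports System.Configuration
Imports System.Web
Imports System.Web.Configuration
Imports System.Web.Security
Imports System.Web.SessionState

Public Module SessionHardening

    ' Session cookie name as configured in <sessionState cookieName="...">;
    ' falls back to the ASP.NET default when the section is not present.
    Private Function SessionCookieName() As String
        Dim cfg = TryCast(ConfigurationManager.GetSection("system.web/sessionState"), SessionStateSection)
        If cfg Is Nothing Then Return "ASP.NET_SessionId"
        Return cfg.CookieName
    End Function

    ' Discards the session the browser arrived with (possibly planted by an attacker)
    ' and blanks its cookie. Abandon() by itself is not enough: ASP.NET reuses a
    ' client-supplied ID for the next session unless the cookie is cleared.
    ' The new ID is minted on the NEXT request, so nothing written to Session after
    ' this call in the current request survives.
    Public Sub RegenerateSessionId(ByVal ctx As HttpContext)
        ctx.Session.Abandon()
        Dim blank As New HttpCookie(SessionCookieName(), String.Empty)
        blank.HttpOnly = True
        blank.Secure = ctx.Request.IsSecureConnection
        ctx.Response.Cookies.Add(blank)
    End Sub
End Module

Public Module GlobalTransferAccess
    Private Const SessionKey As String = "GlobalTransfer"

    ' Lazily (re)builds GlobalTransfer in whatever session the request carries.
    ' The identity rides in the forms-auth cookie, so the swap to a new session ID
    ' loses nothing that cannot be reconstructed here.
    Public Function CurrentGlobalTransfer(ByVal ctx As HttpContext) As GlobalTransfer
        Dim gt = TryCast(ctx.Session(SessionKey), GlobalTransfer)
        If gt Is Nothing Then
            If Not ctx.User.Identity.IsAuthenticated Then
                Throw New InvalidOperationException("No authenticated user for this request")
            End If
            gt = GlobalTransfer.Load(ctx.User.Identity.Name)   ' hypothetical factory
            ctx.Session(SessionKey) = gt
        End If
        Return gt
    End Function
End Module

' Code-behind for default.aspx (control names are assumed, see lead-in)
Partial Class _Default
    Inherits System.Web.UI.Page

    Protected Sub btnLogin_Click(ByVal sender As Object, ByVal e As EventArgs) Handles btnLogin.Click
        Dim user As String = txtUser.Text
        If Not CheckCredentials(user, txtPassword.Text) Then   ' hypothetical existing DB check
            lblError.Text = "Invalid login"
            Return
        End If

        ' 1. Drop the pre-login session and its ID (effective on the next request).
        SessionHardening.RegenerateSessionId(Context)
        ' 2. Carry the identity in the signed, encrypted forms-auth ticket, not in Session.
        FormsAuthentication.SetAuthCookie(user, False)
        ' 3. Redirect. frmOne.aspx runs under a fresh ID and obtains GlobalTransfer via
        '    GlobalTransferAccess.CurrentGlobalTransfer(Context), which rebuilds it there.
        Response.Redirect("frmOne.aspx", True)
    End Sub
End Class
```

The trade-off is that the ID is not changed "instantly" within the login request; it changes on the redirect, and anything needed afterwards must be reconstructable from the auth ticket or the database rather than from the pre-login session. To verify the fix, note the ASP.NET_SessionId value in the browser before submitting the login form, confirm it differs on frmOne.aspx, and then replay a request to a post-login page with the old ID: it must be treated as unauthenticated. Since ASP.NET accepts a browser-presented ID for a brand-new session, a further defense-in-depth check in Global.asax Session_Start is to treat Session.IsNewSession together with a non-empty session cookie in the request as an unrecognized ID and reissue it the same way.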