In this article I will discuss how to prevent session fixation attack.
If you do not have clear understanding of Session Fixation attack then first go through the Wikipedia page on Session Fixation at following link: http://en.wikipedia.org/wiki/Session_fixation
When the login page is first accessed the ASP.NET_SessionId cookie is set at the browser. For all subsequent requests the browser and server use this cookie value. Even after authentication is successful and the application sets session variables the ASP.NET_SessionId value does not change.
This results in the possibility of session fixation attack, where an attacker can potentially fix a victim’s session by accessing the login page. If the victim uses that login page to authenticate to the application, then the attacker may be able to hijack the victim’s authenticated session, since he knows the ASP.NET_SessionId that was set at the login page.
In order to mitigate this vulnerability, the login page should implement code that would invalidate all session variables and force the application to set a new ASP.NET_SessionId on successful login.
At the login page we should implement the code that invalidates session after successful user authentication from database and regenerates the ASP.NET_SessionId value.
- Destroy the current session variables at server
- Set a blank ASP.NET_SessionId cookie if the request is the first request to the login page
Response.Cookies.Add(new HttpCookie(“ASP.NET_SessionId”, “”));
The user will access the login page and submit the username and password to the application. On successful authentication the user will re-directed to the home page of the application after appropriate session variables set.
Session[“isAuthenticated”] = True;
Session[“user”] = user;
The Web server, on seeing that the session cookie value was set to null in the request, will set an appropriate session cookie value in the HTTP 302 response.
Thus now the authenticated user accesses the application with a newly set ASP.NET_SessionId cookie.