tags:

views:

1016

answers:

4
+4  Q: 

Why is ASP.NET accepting externally created session identifiers?

I have an ASP.NET 3.5 Web Site using the standard SQL Membership Provider.

The application has to pass the IBM Rational AppScan before we can push to production.

I am getting the error:
Severity: High
Test Type: Application
Vulnerable URL: http://mytestserver/myapp/login.aspx
Remediation Tasks: Do not accept externally created session identifiers

What can I do to fix this?

I am using SQL Membership Provider. Is this related? I am using the standard login controls too. I have the "Remember Me" turned off, and hidden.

Thanks.

+2  A: 

You might need to change the default cookie settings to be unique to you app

Try setting a unique cookie path: 

<forms name="YourAppName"
       path="/FormsAuth" ... />

http://msdn.microsoft.com/en-us/library/ms998310.aspx#paght000012_additionalconsiderations

More reading... http://msdn.microsoft.com/en-us/library/ms998258.aspx

BigBlondeViking  2009-08-24 16:28:06
Sorry, I was already doing this.
Bobby Ortiz  2009-09-03 13:40:17
A: 

Bobby, Have you had any luck? I too am dealing with the same issue from AppScan. A coworker of mine passed by explicitly resetting the session id for each successful login, but have had no such luck myself.

protected void Login1_LoggedIn(object sender, EventArgs e) { Session.Abandon(); Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", "")); }

The peculiar part is the AppScan request is redirecting to my error page (that I have specified in AppScan) but is still flagging me.

Thanks in advance, Mark

 2009-09-02 14:01:52
+4  A: 

This isn't a vulnerability (and I really don't like AppScan because of its false positives - the number of times I've had to explain CSRF cookies need not be linked to a session on my little open source project is getting annoying).

All that will happen in this case is the first time anything is stored in session state with a created session identifier a new session will be opened on the server, with nothing in it. If you're worried about session fixation then you can clear the cookie after authentication.

Session.Abandon();
Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", ""));

But with forms authentication the authentication details are not held in the session and so fixation is not a problem at all.

Frankly if you must pass security scans without anyone evaluating if the results are not false positives then that's a whole different problem.

blowdart  2009-09-02 14:11:18
Thanks. However, I tried this, but the IBM Rational AppScan reported the same security error.
Bobby Ortiz  2009-09-03 13:29:41
It's not a vulnerability though and your explanation is wrong. You've written and accepted an incorrect answer.
blowdart  2009-09-03 15:33:30
I agree with you, but just saying it is not enough. I do not like the AppScan tool either, but that is the world I live in. I waste a day or so on every project. Until they change policy I have to live with it.
Bobby Ortiz  2009-09-09 13:23:55
Well, I tried this again, and I passed the scan. Thanks.
Bobby Ortiz  2009-09-29 15:10:16
Wow, weird :) But glad it passed.
blowdart  2009-09-29 18:23:33
A: 

It would seem RegenerateExpiredSessionId property is controlling this. Do set it to true. Also keep time-out to a and low value, the tightest acceptable by users (e.g. 10 - 15 minutes).

blaufish  2009-09-02 14:33:46
Thanks. I tried this, but IBM Rational AppScan is hitting the site every few seconds. Lowering the value to 10 minutes does not help.
Bobby Ortiz  2009-09-03 13:31:27

related questions

Is it better to create Model classes, or just stick with generic database utility class?
What are effective options for embedding video in an ASP.NET web site?
Visual Studio 2008 debugger already attached work-around
Tracking state using ASP.NET AJAX / ICallbackEventHandler
ASP.NET Display SVN Revision Number
ASP.NET URL Rewriting
How can I change the background of a masterpage from the code behind of a content page?
Easy way to AJAX WebControls
How do I define custom web.config sections with potential child elements and attributes for the properties?
ASP.NET MVC "CRUD" Database Sample
Are Multiple DataContext classes ever appropriate?
How to RedirectToAction in ASP.NET MVC without losing request data
Triple Quotes? How do I delimit a databound Javascript string parameter in ASP.NET?
ASP.NET built in user profile, Vs old stile user class/tables
What's a good book for learning ASP?
Bandwith throttling in IIS 6 by IP Address
ASP .Net Custom Client-Side Validation
How to get the value of built, encoded ViewState?
Decent, simple, GIS/mapping component for ASP.NET?
Checklist for IIS 6/ASP.NET Windows Authentication?
How to write to Web.Config in Medium Trust ?
ASP.NET, Visual Studio and Subversion - how to integrate?
Floating Point Number parsing: Is there a Catch All algorithm?
How do I sync the SVN revision number with my ASP.NET web site?
ASP.NET Site Maps