mygic

Reputation: 1

Session hijacking and Session fixation

We have a session hijacking and session fixation problem with our ASP.NET application. We have also implemented SSL.

1. I have added the code below to the web.config file.

<----

<system.web>
  <!-- Every cookie the application issues is HttpOnly and Secure (sent only over HTTPS). -->
  <httpCookies httpOnlyCookies="true" requireSSL="true" />

  <authentication mode="Forms">
    <!-- The forms ticket is encrypted and signed (protection="All"), the cookie is only
         sent over HTTPS (requireSSL="true"), and the ticket has a 20-minute sliding timeout. -->
    <forms loginUrl="Homepage.aspx"
           protection="All"
           timeout="20"
           name=".ASPXAUTH"
           path="/"
           requireSSL="true"
           slidingExpiration="true" />
  </authentication>
</system.web>

--->

2. Encrypting the FormsAuthentication ticket and adding it to the cookie after the user is authenticated.

<---

// Build a non-persistent forms authentication ticket that expires in 20 minutes
// (ticket version 1, user name, issue time, expiry, isPersistent = false, custom user data).
FormsAuthenticationTicket tkt = new FormsAuthenticationTicket(
    1, uname, DateTime.Now, DateTime.Now.AddMinutes(20), false, "your custom data");

// Encrypt (and, with protection="All" in web.config, also sign) the ticket with the machine key.
string cookiestr = FormsAuthentication.Encrypt(tkt);

// Put the encrypted ticket in the forms cookie. Secure and HttpOnly are set explicitly here
// so the cookie does not depend on the httpCookies defaults from web.config.
HttpCookie ck = new HttpCookie(FormsAuthentication.FormsCookieName, cookiestr);
ck.Path = FormsAuthentication.FormsCookiePath;
ck.Secure = FormsAuthentication.RequireSSL;
ck.HttpOnly = true;

Response.Cookies.Add(ck);

-->

3. I'm removing the session variables and passing a null value to ASP.NET_SessionId on the logout page and the error page.

// SessionHandler.EndSession() is this application's own helper (not shown here).
SessionHandler.EndSession();

// Drop all server-side state stored under the current session ID.
Session.RemoveAll();
Session.Abandon();

// Session.Abandon() does not change the session ID, so overwrite the session cookie
// with an empty, already-expired value to make the browser discard it.
Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", ""));

if (Request.Cookies["ASP.NET_SessionId"] != null)
{
    Response.Cookies["ASP.NET_SessionId"].Value = string.Empty;
    Response.Cookies["ASP.NET_SessionId"].Expires = DateTime.Now.AddMonths(-20);
}

// Same treatment for the application's custom AuthToken cookie.
if (Request.Cookies["AuthToken"] != null)
{
    Response.Cookies["AuthToken"].Value = string.Empty;
    Response.Cookies["AuthToken"].Expires = DateTime.Now.AddMonths(-20);
}

// Expire the forms authentication cookie. The null check avoids a NullReferenceException
// on a request that carries no auth cookie (e.g. the error page for an anonymous user).
HttpCookie authcookie = Request.Cookies[FormsAuthentication.FormsCookieName];
if (authcookie != null)
{
    authcookie.Expires = DateTime.Now.AddDays(-1D);
    Response.Cookies.Add(authcookie);
}
FormsAuthentication.SignOut();

The problem is still not solved...

Upvotes: 0

Views: 3681

Answers (1)

Snixtor

Reputation: 4297

  1. Is your problem session hijacking, or authentication hijacking?
  2. Are you trusting session values without validating identity? (Note that session and authentication are not intrinsically linked in ASP.NET).
  3. If you've implemented SSL, why is your session cookie still set to requireSSL="false"?
  4. Research best-practice, and see for yourself where you've gone wrong. For example - http://www.troyhunt.com/2010/07/owasp-top-10-for-net-developers-part-3.html

To elaborate on point 2.

There are two cookies in use here, one is for Session, the other for FormsAuthentication. The FormsAuth cookie identifies the user, and all reasonable steps need to be taken to keep this one secure. Typically, requiring SSL is a good step (as you've applied in the edit of your example). The Session cookie, though, often doesn't come under as close scrutiny from developers, but depending on how you're using it, it can be just as sensitive. A session fixation steals the session, not the authentication.

An example:

  1. UserA logs in, they are an admin user. They receive a FormsAuth cookie stating "This is UserA", they might also get a session cookie stating "This User Is Admin".
  2. UserB gets a copy of the session cookie belonging to UserA (they might do this via interception, or even just by being on the same machine after UserA logs out if the session cookie isn't cleared).
  3. UserB logs in, they are a "read-only" user (not admin). They receive a FormsAuth cookie stating "This is UserB", they then inject the session cookie stolen at step 2. Meaning they have a FormsAuth cookie stating "This is UserB", and a Session cookie stating "This User Is Admin".
  4. Presto, UserB is now admin.

The problem here (as it relates to point 2 of my original list of concerns) is that the server didn't verify the identity of the user in relation to its session. You can do your best to try and link the Session and Forms authentication tickets together somehow, and definitely make certain you're encrypting (SSL). OR, you can stop storing sensitive data in the session (or at least reduce it). When it comes to my "This User Is Admin" example above, the better implementation is to use the ASP.NET Role and Profile providers in conjunction with the Membership provider. The three of them go hand in hand, and there are a lot of examples out there on how to use them to your advantage.

This is only one possible line of investigation though and as @JohnFx rightly pointed out, you really need a focused question here before you can expect a good answer. When it comes to security implementation, it's important to understand the concepts involved, instead of just throwing example code at the issue. Your example code provided thus far looks suspiciously similar to a CodeProject article discussing session fixation, but do you understand what it's trying to accomplish? Do you know if it even applies to the problem you're experiencing?

Upvotes: 1
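One way to implement the "link the Session and Forms authentication tickets together" check from the answer above, plus the login-time session reset that the question's logout code does not do. This is an added example, not code from the question, the answer, or any ASP.NET library; the class name, the `__SessionOwner` session key and the helper names are my own choices, and it assumes the default `ASP.NET_SessionId` cookie name and cookie-based session state. The module records, on the first authenticated request, which Forms identity owns a session; on every later request it refuses to honour a session cookie presented with a different identity (the UserA/UserB scenario in the answer) and destroys that session instead.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.SessionState;

// Added example (not from the original post): an IHttpModule that binds the ASP.NET
// session to the Forms Authentication identity. Register it in web.config under
// <system.webServer><modules> (integrated pipeline) or <system.web><httpModules>.
public class SessionIdentityBindingModule : IHttpModule
{
    // Session key under which the owning user name is recorded (assumed name).
    private const string OwnerKey = "__SessionOwner";
    // Default ASP.NET session cookie name (assumed unchanged in sessionState config).
    private const string SessionCookieName = "ASP.NET_SessionId";

    public void Init(HttpApplication app)
    {
        // Session state is only available from PostAcquireRequestState onwards.
        app.PostAcquireRequestState += OnPostAcquireRequestState;
    }

    public void Dispose() { }

    private static void OnPostAcquireRequestState(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        HttpSessionState session = ctx.Session;
        if (session == null)
            return; // this handler does not use session state (static files etc.)

        bool authenticated = ctx.User != null && ctx.User.Identity.IsAuthenticated;
        string current = authenticated ? ctx.User.Identity.Name : null;
        string owner = session[OwnerKey] as string;

        if (owner == null)
        {
            // First authenticated request on a session with no owner yet: record who owns it.
            if (current != null)
                session[OwnerKey] = current;
            return;
        }

        if (!string.Equals(owner, current, StringComparison.Ordinal))
        {
            // The session cookie was issued to a different identity (or the Forms cookie
            // is missing/expired): nothing in this session may be trusted. Destroy it and
            // force a fresh login rather than letting "This User Is Admin" survive.
            KillSession(ctx);
            FormsAuthentication.SignOut();
            ctx.Response.Redirect(FormsAuthentication.LoginUrl, true);
        }
    }

    // Call from the login page after the credentials are verified and BEFORE issuing the
    // Forms cookie (e.g. before FormsAuthentication.RedirectFromLoginPage). ASP.NET keeps
    // the same session ID across login, so an ID planted before login (fixation) would
    // otherwise survive; dropping it here makes the next request start a brand-new session,
    // which this module then binds to the freshly authenticated user.
    public static void ResetSessionForLogin(HttpContext ctx)
    {
        KillSession(ctx);
    }

    // Call from the logout page: removes server-side state and expires both cookies.
    public static void SignOutCompletely(HttpContext ctx)
    {
        KillSession(ctx);
        FormsAuthentication.SignOut();
    }

    private static void KillSession(HttpContext ctx)
    {
        HttpSessionState session = ctx.Session;
        if (session != null)
        {
            session.Clear();
            session.Abandon();
        }
        // Session.Abandon() alone keeps the same ID; overwrite the cookie with an expired,
        // empty value so the browser stops sending it and the runtime issues a new ID.
        var expired = new HttpCookie(SessionCookieName, string.Empty)
        {
            Expires = DateTime.UtcNow.AddYears(-1),
            HttpOnly = true,
            Secure = ctx.Request.IsSecureConnection
        };
        ctx.Response.Cookies.Add(expired);
    }
}
```

Two caveats when using this: anything the login page writes into `Session` in the same request as `ResetSessionForLogin` is lost, because that data is saved under the abandoned ID, so store it only on the request after the redirect; and the check only proves the session was created by the same Forms identity, it does not make session-stored authorization data any less fragile, so the answer's advice to move "is admin" decisions into the Role provider still stands.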
