sparrows81

Reputation: 431

How to prevent users from changing the ASP.NET SessionId cookie

How can I be sure that a session is valid? What happens if a user changes his ASP.NET SessionId cookie and guesses the id of another logged-in user?

Upvotes: 2

Views: 1970

Answers (2)

Steve Wilkes

Reputation: 7135

If I've understood the question correctly, it's regarding someone opening their ASP.NET session cookie manually, changing the value and then sending it off and having their updated value recognised as someone else's session, logging them in as that person.

There's a bit of a mix up here between the session cookie and the authentication cookie. Guessing the session id of someone who's logged on will 'get' you their session, but you won't be logged on as them unless you also have their authentication cookie.

Guessing or brute-forcing either of these values is effectively impossible: the session id c12ylm55kp3uirruo4is5sm5, or the ASP.NET authentication cookie value:

3C886BA2344099338361C921C846EAF4E02F2A88E5E7EDE6838705928F7BB7C6FF469D35FEB1532C44B81DB38F200DEE08B6ED0E6121B945C659E932D8CE8B69FFF09E7B59DBE4820873DBD7891DD6B6BC4A486F35A2F99849017A6C72D9C6A44517D9AFDC731B3A3C55596E79732806F7DDDF9F

...would take an impractical amount of time to guess - tens to hundreds of thousands of years.

Upvotes: 2
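The guessing argument in the answer above, as an added example that is not part of the original answer: an ASP.NET_SessionId is 24 characters drawn from a 32-symbol alphabet (a-z and 0-5), which is 120 bits of randomness. The code checks a value against that format, generates a fresh id from a CSPRNG, and works out the expected time to hit a live session by random guessing. The guessing rates and session counts are assumptions for illustration, not measurements.

```python
"""Added example: how hard is it to guess a random ASP.NET session id?

ASP.NET_SessionId values are 24 characters from a 32-symbol alphabet
(a-z and 0-5), i.e. 24 * log2(32) = 120 bits of randomness. The guessing
rates used below are assumed figures for illustration, not measurements.
"""
import math
import re
import secrets

SESSION_ID_ALPHABET = "abcdefghijklmnopqrstuvwxyz012345"  # 32 symbols
SESSION_ID_LENGTH = 24
SESSION_ID_RE = re.compile(r"^[a-z0-5]{24}$")
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def looks_like_session_id(value: str) -> bool:
    """Syntactic check only: a well-formed id says nothing about whether
    the server currently has a session under it."""
    return SESSION_ID_RE.match(value) is not None


def new_session_id() -> str:
    """Generate an id the way a server should: every symbol from a CSPRNG."""
    return "".join(secrets.choice(SESSION_ID_ALPHABET) for _ in range(SESSION_ID_LENGTH))


def session_id_bits() -> float:
    """Entropy of a uniformly random id in bits (120.0 for ASP.NET)."""
    return SESSION_ID_LENGTH * math.log2(len(SESSION_ID_ALPHABET))


def expected_years_to_guess(bits: float, guesses_per_second: float,
                            live_sessions: int = 1) -> float:
    """Expected time for an attacker guessing at `guesses_per_second` to
    hit any one of `live_sessions` valid ids. On average half the space
    has to be searched, and every live session is an extra target, so the
    result shrinks linearly with the number of logged-in users."""
    space = 2.0 ** bits
    expected_guesses = space / (2 * live_sessions)
    return expected_guesses / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    sample = "c12ylm55kp3uirruo4is5sm5"  # the id quoted in the answer
    print(sample, "well-formed:", looks_like_session_id(sample))
    print("fresh id:", new_session_id())
    print("bits of entropy:", session_id_bits())
    # Assumed attacker: 10^9 guesses per second over the network.
    for sessions in (1, 1_000_000):
        years = expected_years_to_guess(session_id_bits(), 1e9, sessions)
        print(f"{sessions:>9} live sessions -> {years:.3g} years")
```

The session-count parameter is the part worth noticing: the attacker does not need one particular user's id, any live session will do, so the search gets easier as the site gets busier. Even a million concurrent sessions at a billion guesses per second still leaves an expected time of the order of 10^13 years, which is why unpredictability of the id, not secrecy of the format, is what carries the security. The same calculation does not apply to the authentication cookie, whose value is an encrypted and MACed ticket rather than a random id; forging one means defeating the MAC, not guessing a string.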

Aristos

Reputation: 66641

There are two cookies that we need to talk about.

  1. The cookie that is connected with the session.
  2. The cookie that holds the authentication.

They are not the same, and the issue here is what to do to prevent someone from stealing the authentication: can a hacker steal the cookie from a user and log in with that name on a web site?

The most important points to me are:

  1. Require SSL to store the authentication cookie.
  2. When the user logs out (based on that article), set a flag in the session to block this authentication cookie. Even better, keep the logged-out authentication cookie in a database as logged out.

Now if you also want to protect the session cookie, you should use SSL on all pages. Otherwise, keep no important information in the session cookie. Where and how to use SSL

Upvotes: 0
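The two measures in the answer above, the Secure cookie and a server-side record of logged-out tickets, as an added example that is not ASP.NET's own code. It models an authentication ticket as an HMAC-signed user/expiry pair (ASP.NET's forms ticket is encrypted and MACed with the machineKey, but the checks are the same), and shows three things: a ticket whose user name has been edited fails the integrity check, a ticket copied before logout is still valid after logout unless the server keeps a revocation record, and the Set-Cookie attributes that keep the cookie off plain HTTP. The server key, user names, timestamps and the in-memory revocation set are constructed for the example.

```python
"""Added example (not ASP.NET's own code): an authentication ticket with
an integrity check plus a server-side logout blocklist.

Assumptions: SERVER_KEY stands in for the machineKey; `_revoked` stands in
for the database table the answer suggests; times are plain integers.
"""
import base64
import hashlib
import hmac
import secrets
from typing import Optional

SERVER_KEY = secrets.token_bytes(32)  # assumed per-server secret (like machineKey)
_revoked = set()                      # assumed: a database table in production


def _mac(payload: bytes) -> str:
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()


def _fingerprint(cookie_value: str) -> str:
    # Store a hash of the cookie, not the cookie itself, so a leaked
    # blocklist cannot be replayed as a set of valid tickets.
    return hashlib.sha256(cookie_value.encode()).hexdigest()


def issue_ticket(user: str, expires: int) -> str:
    """Build the cookie value: base64(user|expires) '.' HMAC over the payload."""
    payload = f"{user}|{expires}".encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _mac(payload)


def validate_ticket(cookie_value: str, now: int) -> Optional[str]:
    """Return the user for a ticket that is intact, unexpired and not
    revoked; None otherwise. Order matters: the MAC is checked first so
    nothing below it ever acts on attacker-controlled fields."""
    try:
        payload_b64, tag = cookie_value.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
        user, expires_text = payload.decode().split("|")
        expires = int(expires_text)
    except (ValueError, UnicodeDecodeError):
        return None
    if not hmac.compare_digest(_mac(payload), tag):
        return None                      # forged or edited ticket
    if expires <= now:
        return None                      # expired
    if _fingerprint(cookie_value) in _revoked:
        return None                      # user logged out; ticket still intact
    return user


def logout(cookie_value: str) -> None:
    """Clearing the browser cookie is not enough: a copy taken earlier
    would keep working until it expires, so record the ticket as dead."""
    _revoked.add(_fingerprint(cookie_value))


def tamper(cookie_value: str, new_user: str) -> str:
    """What an attacker who edits the cookie does: swap the user name but
    keep the original tag. The MAC no longer matches, so it is rejected."""
    payload_b64, tag = cookie_value.split(".", 1)
    _, expires_text = base64.urlsafe_b64decode(payload_b64).decode().split("|")
    forged = f"{new_user}|{expires_text}".encode()
    return base64.urlsafe_b64encode(forged).decode() + "." + tag


def set_cookie_header(name: str, value: str) -> str:
    """Secure: only sent over HTTPS. HttpOnly: not readable from script."""
    return f"Set-Cookie: {name}={value}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    ticket = issue_ticket("alice", expires=2000)
    print(set_cookie_header(".ASPXAUTH", ticket))
    print("at t=1000:", validate_ticket(ticket, 1000))          # alice
    print("edited  :", validate_ticket(tamper(ticket, "admin"), 1000))  # None
    logout(ticket)
    print("after logout, same cookie:", validate_ticket(ticket, 1000))  # None
```

In ASP.NET forms authentication the equivalent of the first measure is `requireSSL="true"` on the `<forms>` element in web.config, which marks the cookie Secure. `FormsAuthentication.SignOut()` only removes the cookie from the browser; the ticket inside it stays verifiable until its expiry, which is exactly why the answer suggests recording logged-out tickets on the server and checking that record on every authenticated request.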
