Educause Security Discussion mailing list archives
Re: ASP Session ID Reuse
From: Ozzie Paez <ozpaez () SPRYNET COM>
Date: Tue, 10 Feb 2009 20:34:35 -0700
Neil,

I have designed a variety of ASP.Net applications and found a number of behaviors along these lines that can be problematic. One of them occurs when a program is supposed to clear the session ID, but fails to do so when it ends abnormally. Sometimes 'abnormally' means that the user closed the browser, as opposed to logging out of the application. Other examples are session IDs that are not cleared for a period after the application terminates.

Anyway, yes, the session ID cookies should be cleared at the end of the session, but they often fail to clear for a number of reasons. Make sure that when you test, you take into account normal and abnormal log-outs.

Ozzie Paez
SSE/CISSP
SAIC
303-332-5363

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Neil Matatall
Sent: Tuesday, February 10, 2009 5:41 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] ASP Session ID Reuse

Hello All,

While pen testing a vendor ASP application, we found that the session ID cookies are reused by default. I feel that I must be missing something here. Isn't this a bad idea?

Under OWASP's "Things To Do" section on session management: "For all applications, session tokens should be regenerated after a change in user privilege." This applies to a user who is unauthenticated that becomes authenticated and vice versa, correct?

Assuming your cookies are safe, the following exploit still exists:

1. Log in as User1.
2. Copy the ASPSESSIONID* cookie name and value.
3. Log out.
4. Log in as User2.
5. On a different computer (or browser), create the cookie with the previous information.
6. Visit the application and you will see that you are logged in as User2.

http://support.microsoft.com/kb/899918 actually discourages removing the session ID cookie values!

What are you doing to protect your ASP session IDs?

Neil

Note: this is not an ASP.Net application, just plain old ASP. This is my first experience with ASP :P
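The six-step reuse scenario from Neil's post, and the effect of the OWASP advice he quotes, can be reproduced without a server. The following is an added example written for this archive page; it is not code from the thread, from Microsoft, or from the vendor application. It is an in-memory model of cookie-based session handling in which the session-ID cookie value is the only thing tying a browser to server-side session state. The class, method and cookie names (SESSIONID standing in for ASPSESSIONID*) and the two test accounts are invented for the demonstration. One mode keeps a single cookie value per browser across login and logout, the behaviour described in the post; the other regenerates the ID whenever a session changes authentication state.

```python
# Added example, not code from the thread or from any vendor's ASP
# application: an in-memory model of cookie-based session handling that
# reproduces the six-step reuse scenario from the original post and shows
# what changes when the session token is regenerated on a change in
# authentication state. Class, method and cookie names and the credential
# table are invented for the demonstration.
import secrets

# Constructed credential table for the two test accounts.
PASSWORDS = {"user1": "pw1", "user2": "pw2"}


class SessionServer:
    """Minimal session store keyed by the value of the session-ID cookie.

    rotate_on_auth_change=False keeps one cookie value per browser across
    login and logout, the behaviour reported for the vendor application.
    rotate_on_auth_change=True issues a fresh ID whenever a session goes
    from unauthenticated to authenticated or back.
    """

    COOKIE = "SESSIONID"  # stands in for the ASPSESSIONID* cookie (name assumed)

    def __init__(self, rotate_on_auth_change):
        self.rotate = rotate_on_auth_change
        self.sessions = {}  # session id -> per-session data

    def _new_id(self):
        return secrets.token_hex(16)  # 128 bits from the OS CSPRNG

    def _session_for(self, cookies):
        """Look up the caller's session; create an empty one if the cookie
        is missing or names an ID the server no longer knows."""
        sid = cookies.get(self.COOKIE)
        if sid is None or sid not in self.sessions:
            sid = self._new_id()
            self.sessions[sid] = {}
            cookies[self.COOKIE] = sid  # Set-Cookie in a real response
        return sid, self.sessions[sid]

    def _rotate(self, sid, cookies):
        """Move the session data under a new ID and retire the old one."""
        data = self.sessions.pop(sid)
        new_sid = self._new_id()
        self.sessions[new_sid] = data
        cookies[self.COOKIE] = new_sid

    def login(self, cookies, user, password):
        sid, data = self._session_for(cookies)
        if PASSWORDS.get(user) != password:
            return False
        data["user"] = user
        if self.rotate:
            self._rotate(sid, cookies)  # privilege went up: new token
        return True

    def logout(self, cookies):
        sid, data = self._session_for(cookies)
        data.clear()  # like Session.Abandon: server-side state is dropped
        if self.rotate:
            # privilege went down: retire the ID too, so any copy of the old
            # cookie no longer names a live session
            del self.sessions[sid]
            cookies.pop(self.COOKIE, None)
        # without rotation the cookie value survives and will identify
        # whatever session is created next from this browser

    def whoami(self, cookies):
        """The user the server associates with the presented cookie, or None."""
        _, data = self._session_for(cookies)
        return data.get("user")


def replay_scenario(rotate_on_auth_change):
    """Steps 1-6 from the original post.

    Returns (what the victim's browser sees, what the attacker's browser sees).
    """
    server = SessionServer(rotate_on_auth_change)
    victim = {}                                # the victim's cookie jar
    server.login(victim, "user1", "pw1")       # 1. log in as User1
    stolen = dict(victim)                      # 2. copy cookie name and value
    server.logout(victim)                      # 3. log out
    server.login(victim, "user2", "pw2")       # 4. log in as User2
    attacker = dict(stolen)                    # 5. other browser, old cookie set
    return server.whoami(victim), server.whoami(attacker)  # 6. who am I?


if __name__ == "__main__":
    print("cookie value reused across login/logout:", replay_scenario(False))
    print("token rotated on login/logout:          ", replay_scenario(True))
```

In the non-rotating mode the attacker's browser is identified as User2, exactly as in step 6 of the post, because the copied cookie value still names the live session after the logout/login cycle. In the rotating mode the copied value is retired at logout and a new one is minted at login, so the replayed cookie only ever lands on a fresh anonymous session. Where the platform itself does not let you change the session-ID cookie, the usual workaround is to mint your own random token at login, store it in the server-side session and in a separate cookie, and require both to match on every authenticated request; that is an assumption about a general technique, not something the thread describes.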
Current thread:
- ASP Session ID Reuse Neil Matatall (Feb 10)
- <Possible follow-ups>
- Re: ASP Session ID Reuse Brian Reilly (Feb 10)
- Re: ASP Session ID Reuse Ozzie Paez (Feb 10)
- Re: ASP Session ID Reuse Neil Matatall (Feb 11)
- Re: ASP Session ID Reuse Brian Reilly (Feb 11)
- Re: ASP Session ID Reuse Ozzie Paez (Feb 11)
- Re: ASP Session ID Reuse Josh Drummond (Feb 11)