Educause Security Discussion mailing list archives

Re: ASP Session ID Reuse


From: Ozzie Paez <ozpaez () SPRYNET COM>
Date: Tue, 10 Feb 2009 20:34:35 -0700

Neil,

I have designed a variety of ASP.Net applications and found a number of
behaviors along these lines that can be problematic.  One of them occurs
when a program is supposed to clear the session Id, but fails to do so when
it ends abnormally.  Sometimes 'abnormally' means that the user closed the
browser, as opposed to logging out of the application.  Other examples are
session Ids that are not cleared for a period after the application
terminates.  Anyway, yes, the session ID cookies should be cleared at the
end of the session, but they often fail to clear for a number of reasons.
Make sure that when you test, you take into account normal and abnormal
log-outs.

Ozzie Paez

SSE/CISSP

SAIC

303-332-5363



From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Neil Matatall
Sent: Tuesday, February 10, 2009 5:41 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] ASP Session ID Reuse



Hello All,

While pen testing a vendor ASP application, we found that the session ID
cookies are reused by default.  I feel that I must be missing something
here.  Isn't this a bad idea?  Under OWASP's "Things To Do" section on
session management:

"For all applications, session tokens should be regenerated after a change
in user privilege." - this applies to a user who is unauthenticated that
becomes authenticated and vice versa, correct?

Assuming your cookies are safe, the following exploit still exists

1.      Login as User1
2.      Copy the ASPSESSIONID* cookie name and value
3.      Log out
4.      Login as a User2
5.      On a different computer (or browser), create the cookie with the
previous information.
6.      Visit the application and you will see that you are logged in as
User2

http://support.microsoft.com/kb/899918 actually discourages removing the
session id cookie values!  What are you doing to protect your ASP session
IDs?


Neil

Note: this is not an ASP.Net application, just plain old ASP.  This is my
first experience with ASP :P
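
As an added illustration (not code from this thread, from ASP, or from any vendor product), here is a small Python model of the two server-side policies under discussion: keeping one session ID alive across logout and the next login, which is the behaviour Neil observed, versus issuing a fresh ID and discarding the old one on every privilege change, as the OWASP guidance quoted above advises. `SessionStore` and `replay_check` are hypothetical names; `replay_check` walks through the six steps from Neil's message and reports what the copied cookie resolves to once User2 has logged in.

```python
import secrets


class SessionStore:
    """Minimal in-memory session store with two configurable policies.

    rotate_on_auth=False models the reported behaviour: the session ID
    survives logout and is reused for the next login, so a value copied
    during the first login still maps to whoever authenticates next.
    rotate_on_auth=True issues a new ID on every change of privilege
    (login and logout) and drops the old one.
    """

    def __init__(self, rotate_on_auth: bool):
        self.rotate_on_auth = rotate_on_auth
        self._sessions = {}  # session id -> {"user": name or None}

    def new_session(self) -> str:
        sid = secrets.token_hex(16)  # constructed, unguessable ID
        self._sessions[sid] = {"user": None}
        return sid

    def login(self, sid: str, user: str) -> str:
        """Authenticate; returns the ID the client must use from now on."""
        if sid not in self._sessions:
            sid = self.new_session()
        if self.rotate_on_auth:
            del self._sessions[sid]      # old ID is no longer valid
            sid = self.new_session()
        self._sessions[sid]["user"] = user
        return sid

    def logout(self, sid: str) -> str:
        """End the authenticated session; returns the ID to use afterwards."""
        if self.rotate_on_auth:
            self._sessions.pop(sid, None)
            return self.new_session()
        if sid in self._sessions:        # reuse policy: clear user, keep ID
            self._sessions[sid]["user"] = None
        return sid

    def whoami(self, sid: str):
        entry = self._sessions.get(sid)
        return entry["user"] if entry else None


def replay_check(rotate_on_auth: bool):
    """Steps 1-6 from the thread; None means the copied cookie is useless."""
    store = SessionStore(rotate_on_auth)
    sid = store.login(store.new_session(), "User1")  # 1. login as User1
    copied = sid                                     # 2. copy the cookie
    sid = store.logout(sid)                          # 3. log out
    store.login(sid, "User2")                        # 4. login as User2
    return store.whoami(copied)                      # 5-6. present the copy
```

Running `replay_check(False)` yields `"User2"`, reproducing the finding, while `replay_check(True)` yields `None`; the same two-policy comparison is a useful regression test for the normal and abnormal log-out cases Ozzie mentions.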

