Simplifying .NET Session Management for Security Part 2

A “session” refers to a temporary interaction between a user and a web application, typically beginning when a user logs in and
ending when they log out or after a certain period of inactivity.

Server-Side Session Management:

Session Object:

  • Definition: Session objects store user-specific data on the server, identified by a unique session ID.
  • Threat: Session objects may be vulnerable to unauthorized access or session hijacking (another user taking over your session by obtaining its ID).
  • Mitigation: Implement strong authentication, regenerate the session ID on login (a new unique identifier must be generated at every login) and set a session timeout (the identifier must expire after a period of inactivity, after which a new one must be generated) to protect against unauthorized access and hijacking.
    • Technical nitty-gritty:
// Regenerate session ID on login (System.Web.SessionState); abandon the old session first so its data does not outlive the old ID
SessionIDManager manager = new SessionIDManager();
string newSessionId = manager.CreateSessionID(HttpContext.Current);
manager.SaveSessionID(HttpContext.Current, newSessionId, out bool redirected, out bool cookieAdded);
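The login flow the mitigation above describes, as an added example that is not code from the original post. It targets classic ASP.NET (System.Web) with cookie-based session state and forms authentication; the authenticate delegate stands for the application's own credential check and "~/" for its post-login page, both of which are assumptions.

```csharp
// Added example (not from the original post): rotating the session identifier at login
// in classic ASP.NET (System.Web). Assumes cookie-based session state and forms
// authentication; the authenticate delegate and the "~/" landing page are placeholders.
using System;
using System.Web;
using System.Web.Security;
using System.Web.SessionState;

public static class SessionSecurity
{
    // Discard the pre-authentication session and issue a fresh identifier, so an ID that
    // was observed or planted before login (session fixation) is worthless afterwards.
    // Must run where session state is available (a Page or an IRequiresSessionState handler).
    public static void RegenerateSessionId(HttpContext context)
    {
        // Mark the old session for removal from the session store at the end of this
        // request. Anything written to Session later in the same request is discarded
        // with it, so per-user data must be stored on the next request, under the new ID.
        context.Session.Abandon();

        // CreateSessionID draws a random identifier; SaveSessionID writes it into the
        // ASP.NET_SessionId cookie (or redirects, in cookieless mode), replacing the old one.
        var manager = new SessionIDManager();
        string newId = manager.CreateSessionID(context);
        bool redirected, cookieAdded;
        manager.SaveSessionID(context, newId, out redirected, out cookieAdded);
    }

    // Login handler: verify credentials first, rotate the session, then issue the
    // forms-authentication ticket. The ticket, not the session object, carries the identity.
    public static bool Login(HttpContext context, string username, string password,
                             Func<string, string, bool> authenticate)
    {
        if (!authenticate(username, password))
        {
            return false;   // caller re-renders the login form; the session is left untouched
        }

        RegenerateSessionId(context);
        FormsAuthentication.SetAuthCookie(username, false);   // non-persistent auth cookie

        context.Response.Redirect("~/", false);                // assumed post-login page
        context.ApplicationInstance.CompleteRequest();         // end the request without ThreadAbortException
        return true;
    }
}
```

The order matters: the session is rotated only after the credentials check succeeds, so a failed attempt cannot be used to churn identifiers, and the authentication cookie is issued after the rotation so the authenticated state is never associated with the pre-login ID.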

State Management:

  • Definition: State management involves storing data between requests to maintain user-specific information (every user interaction with a web site is a separate request and response, so anything that must persist between them has to be stored somewhere).
  • Threat: Improper use of state management can lead to data inconsistency or leakage.
  • Mitigation: Manage state securely so that stored data cannot be read or altered between requests.
    • Technical nitty-gritty:
      • Choose an appropriate session-state provider and encrypt sensitive data to prevent data compromise.
<!-- Use a secure, out-of-process state provider (web.config, inside <system.web>); the database is prepared with aspnet_regsql -ssadd -->
<sessionState mode="SQLServer" sqlConnectionString="your_connection_string" cookieless="false" timeout="20" />

Profile Properties:

  • Definition: Profile properties store user-specific information, such as user preferences and user settings.
  • Threat: User profile properties may expose sensitive information if not secured.
  • Mitigation: Encrypt or restrict access to sensitive profile properties to safeguard sensitive user information.
    • Technical nitty-gritty:
// Encrypt sensitive profile properties before they reach the profile store.
// Encrypt() stands for the application's own authenticated-encryption routine.
Profile.SensitiveProperty = Encrypt(sensitiveData);
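One way to implement the Encrypt step above, as an added example that is not code from the original post. It uses MachineKey.Protect from classic ASP.NET (System.Web, .NET Framework 4.5 or later), which encrypts and authenticates the bytes under the application's machineKey; the property name "SensitiveProperty" and the purpose string are assumptions.

```csharp
// Added example (not from the original post): protecting a profile property with
// MachineKey.Protect in classic ASP.NET. Assumes a string-typed profile property
// declared in web.config under <profile><properties>; the purpose string is a placeholder.
using System;
using System.Text;
using System.Web;
using System.Web.Profile;
using System.Web.Security;

public static class ProfileProtector
{
    // The purpose strings bind the ciphertext to this use and to one property name:
    // a value protected for another purpose (or copied from another property) fails
    // to unprotect instead of silently decrypting.
    private const string Purpose = "ProfileProperty";

    public static string Protect(string propertyName, string plaintext)
    {
        byte[] data = Encoding.UTF8.GetBytes(plaintext);
        byte[] sealedBytes = MachineKey.Protect(data, Purpose, propertyName);
        return Convert.ToBase64String(sealedBytes);   // profile store holds the encoded ciphertext only
    }

    public static string Unprotect(string propertyName, string protectedValue)
    {
        byte[] sealedBytes = Convert.FromBase64String(protectedValue);
        // Throws CryptographicException if the value was tampered with, or was protected
        // under a different purpose or a different machineKey.
        byte[] data = MachineKey.Unprotect(sealedBytes, Purpose, propertyName);
        return Encoding.UTF8.GetString(data);
    }

    // Write a protected value into the user's profile and persist it.
    public static void SetProtected(ProfileBase profile, string propertyName, string sensitiveData)
    {
        profile.SetPropertyValue(propertyName, Protect(propertyName, sensitiveData));
        profile.Save();
    }

    // Read a protected value back; returns null when the property has never been set.
    public static string GetProtected(ProfileBase profile, string propertyName)
    {
        var stored = profile.GetPropertyValue(propertyName) as string;
        return string.IsNullOrEmpty(stored) ? null : Unprotect(propertyName, stored);
    }
}

// Usage from a page or handler, replacing the plain Encrypt() call:
// ProfileProtector.SetProtected(HttpContext.Current.Profile, "SensitiveProperty", sensitiveData);
// string value = ProfileProtector.GetProtected(HttpContext.Current.Profile, "SensitiveProperty");
```

MachineKey.Protect reads the machineKey from configuration. Auto-generated keys differ per server, so on a web farm the key must be set explicitly in web.config or values protected on one node will not unprotect on another.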

There are many more controls to protect user sessions from the server side!
