Simplifying .NET Session Management for Security Part 3

A “session” refers to a temporary interaction between a user and a web application, typically beginning when the user logs in and
ending when they log out or after a certain period of inactivity. Each session is identified by a session ID.

Session Hijacking:

Definition: Session hijacking, also known as session stealing, occurs when an unauthorized user gains access to a valid session, typically by obtaining its session ID.

Threat: Unauthorized access to sensitive user information, that is, the information and actions that only the authenticated user should be able to see or perform.

Preventive Measures

Implement SSL so that cookies are only sent over an encrypted connection, and set a limited expiration period for the session.


Implementing SSL ensures that session IDs are not exposed in plain text on the wire, and reducing the expiration time ensures that new session IDs are generated frequently, so a stolen ID is useful for a shorter window.

Technical nitty-gritty:

<!-- Enable SSL for encrypting cookies (web.config, inside <system.web>) -->
<httpCookies requireSSL="true" />

<!-- Set a limited session timeout (value is in minutes) -->
<sessionState timeout="20" />

Avoid Using URI Cookie-Less Sessions:

Session IDs are usually stored in small text files on your device called cookies. Cookie-less sessions store the session ID in the URI (the web address) instead of the cookie file, where it is exposed in browser history, bookmarks, server logs and Referer headers.

Technical nitty-gritty:

<!-- Ensure cookie-less mode is not used: keep the session ID in a cookie -->
<sessionState cookieless="false" />

Reset Session on User Logout:

Clear all session data upon user logout, including the unique identifier that identifies the session, to prevent lingering session-related data from being reused and to reduce risk.

Technical nitty-gritty:

// Reset session on user logout
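A complete logout handler for ASP.NET on the .NET Framework, added here as an example and not taken from the original post. It assumes the default session cookie name "ASP.NET_SessionId" (change it if web.config sets a different cookieName) and a hypothetical login page at "~/Login.aspx".

```csharp
using System;
using System.Web;
using System.Web.Security;

public static class LogoutHelper
{
    // Default ASP.NET session cookie name; assumed here, override if web.config changes it.
    private const string SessionCookieName = "ASP.NET_SessionId";

    // Hypothetical helper: call from the logout button/action.
    public static void ResetSession(HttpContext context)
    {
        // 1. Drop every key stored in the current session (user id, roles, cart, ...).
        context.Session.Clear();

        // 2. Mark the session abandoned so the server-side store discards it at the
        //    end of this request; the old ID then maps to no data at all.
        context.Session.Abandon();

        // 3. Expire the session cookie in the browser so the old ID is not sent again.
        //    A cookie with the same name and a past Expires overwrites the existing one.
        var expired = new HttpCookie(SessionCookieName, string.Empty)
        {
            Expires = DateTime.UtcNow.AddDays(-1),
            HttpOnly = true,
            Secure = true
        };
        context.Response.Cookies.Add(expired);

        // 4. If forms authentication is used, remove the authentication ticket too;
        //    otherwise the user stays logged in even though the session is gone.
        FormsAuthentication.SignOut();

        // 5. Redirect so the next request starts with a brand-new session. Using
        //    endResponse=false plus CompleteRequest avoids the ThreadAbortException
        //    that Response.Redirect(url) throws in Web Forms.
        context.Response.Redirect("~/Login.aspx", false);
        context.ApplicationInstance.CompleteRequest();
    }
}
```

Abandon() alone is not enough: it removes the server-side entry, but the browser keeps sending the old cookie until it is overwritten, which is why step 3 is there.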

Generating Lengthy Session Keys:

Use lengthy and complex session keys to prevent guessing attacks. A session ID that is short or predictable can be guessed, which leads directly to unauthorized access. Hence we generate lengthy, randomly generated session keys.

Technical nitty-gritty:

// Generate lengthy session keys
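A custom session ID manager for ASP.NET on the .NET Framework, added as an example that is not from the original post. It derives from the built-in System.Web.SessionState.SessionIDManager, draws 256 bits from the OS cryptographic random number generator, and rejects any incoming ID that does not have the expected shape. The class name and the assembly name in the registration comment are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Text.RegularExpressions;
using System.Web;
using System.Web.SessionState;

// Register in web.config (assembly name is a placeholder):
//   <sessionState sessionIDManagerType="LongSessionIdManager, MyWebAssembly" />
public class LongSessionIdManager : SessionIDManager
{
    // 32 bytes = 256 bits of entropy; hex-encoded this is 64 characters,
    // within SessionIDManager.SessionIDMaxLength (80).
    private const int IdBytes = 32;

    private static readonly Regex ValidShape =
        new Regex("^[0-9a-f]{64}$", RegexOptions.Compiled);

    // Called by ASP.NET whenever a new session must be created.
    public override string CreateSessionID(HttpContext context)
    {
        var bytes = new byte[IdBytes];
        using (var rng = RandomNumberGenerator.Create())   // CSPRNG, never System.Random
        {
            rng.GetBytes(bytes);
        }
        return BitConverter.ToString(bytes)
                           .Replace("-", string.Empty)
                           .ToLowerInvariant();
    }

    // Called for every ID read from the request. Anything that is not exactly
    // 64 lowercase hex characters is rejected and a fresh ID is issued instead,
    // so a client cannot push in a hand-picked or malformed value.
    public override bool Validate(string id)
    {
        return id != null && ValidShape.IsMatch(id);
    }
}
```

The default manager already uses 120 random bits, so this is more about showing where the ID is generated and validated than about fixing a weakness in the default; the Validate override is the part that matters when you replace the generator, because the base class only knows how to validate its own format.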

Session Fixation Attack:

Definition: A session fixation attack occurs when an attacker sets a user’s session ID in advance instead of letting the application generate it for the user, so that once the user logs in the attacker already knows the ID of the authenticated session.

Preventive Measures:

Implement session fixation protection by regenerating session IDs after login.

// Regenerate session ID after login
SessionIDManager.RegenerateID();
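A working version of the regeneration step for ASP.NET on the .NET Framework, added as an example rather than code from the original post. SessionIDManager has no RegenerateID method; the supported way is to abandon the pre-login session, create a new ID with CreateSessionID, persist it with SaveSessionID and redirect so that all further requests run under the new ID. The helper name and the post-login page "~/Default.aspx" are assumptions.

```csharp
using System;
using System.Web;
using System.Web.SessionState;

public static class SessionFixationDefense
{
    // Hypothetical helper: call right after the credentials have been verified
    // and BEFORE any user-specific data is written into Session.
    public static void RegenerateSessionId(HttpContext context)
    {
        // Discard the pre-login session. Anything an attacker may have planted
        // under the fixed ID is dropped at the end of this request.
        context.Session.Clear();
        context.Session.Abandon();

        // Issue a fresh, server-generated ID and write it to the response cookie.
        // SessionIDManager is the same class ASP.NET uses internally.
        var manager = new SessionIDManager();
        manager.Initialize();
        string newId = manager.CreateSessionID(context);

        bool redirected, cookieAdded;
        manager.SaveSessionID(context, newId, out redirected, out cookieAdded);

        // With cookie-based sessions 'redirected' is false and 'cookieAdded' is true.
        // In cookieless mode SaveSessionID already redirected, so stop here.
        if (redirected) return;

        // Redirect so the next request, and every later one, runs under the new ID.
        // Populate Session with the logged-in user's data in that request, not here:
        // data written now would still be stored under the abandoned ID.
        context.Response.Redirect("~/Default.aspx", false);
        context.ApplicationInstance.CompleteRequest();
    }
}
```

The order matters: regenerating after the user-specific data has been written leaves that data attached to the old, possibly attacker-chosen, ID.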

Preventing Session Cookies from Client-Side Script Attacks:

Protecting against attacks that read or manipulate session cookies (small text files on your device) through client-side scripts.

An HttpOnly cookie carries a flag that tells the browser to withhold the cookie from client-side scripts; only the server can read its value.

The SameSite attribute (defined in RFC 6265) lets you declare whether your cookie should be restricted to a first-party or same-site context. It helps to understand exactly what ‘site’ means here: the site is the combination of the public domain suffix and the part of the domain just before it. For example, the domain is part of the site, which means your cookie can only be accessed by your own website.

<!-- Secure session cookies (sameSite requires .NET Framework 4.7.2 or later) -->
<httpCookies httpOnlyCookies="true" sameSite="Strict" />
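The same flags set programmatically, plus a check that lists which of them a response cookie is missing, added here as an example that is not part of the original post. It targets ASP.NET on .NET Framework 4.7.2 or later, where HttpCookie has a SameSite property; the class and method names are assumptions.

```csharp
using System.Collections.Generic;
using System.Web;

public static class SecureCookies
{
    // Builds a cookie with the three hardening flags set. No Expires is given,
    // so it is a browser-session cookie that disappears when the browser closes.
    public static HttpCookie Create(string name, string value)
    {
        return new HttpCookie(name, value)
        {
            HttpOnly = true,                 // document.cookie cannot read it
            Secure = true,                   // only sent over HTTPS
            SameSite = SameSiteMode.Strict,  // never attached to cross-site requests
            Path = "/"
        };
    }

    // Returns the flags that are missing on one cookie. Lax is accepted as a
    // SameSite value because it still blocks cross-site POSTs; None is not.
    public static string[] MissingFlags(HttpCookie cookie)
    {
        var missing = new List<string>();
        if (!cookie.HttpOnly) missing.Add("HttpOnly");
        if (!cookie.Secure) missing.Add("Secure");
        if (cookie.SameSite != SameSiteMode.Strict &&
            cookie.SameSite != SameSiteMode.Lax) missing.Add("SameSite");
        return missing.ToArray();
    }

    // Audit every cookie about to leave in a response; call it from an
    // HttpApplication.EndRequest handler during testing to catch cookies that
    // other code or libraries issue without the flags.
    public static Dictionary<string, string[]> AuditResponse(HttpCookieCollection cookies)
    {
        var report = new Dictionary<string, string[]>();
        foreach (string name in cookies.AllKeys)
        {
            string[] missing = MissingFlags(cookies[name]);
            if (missing.Length > 0) report[name] = missing;
        }
        return report;
    }
}
```

The web.config settings above apply the flags to cookies ASP.NET creates itself; cookies written by your own code or by third-party components still need the flags set explicitly, which is what the audit is for.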
