March 9, 2007 - 17:23 UTC - Tags: ASP.NET security cookie session
I just read an article on cookies in regular ASP, which explains some of the concerns related to session cookies. In this post I'll explain how this works in ASP.NET.
Session related cookies in .NET
When a user connects to an ASP.NET application, a unique session ID will be affiliated with the user. If nothing is put in the session however, no cookie will be sent to the browser. This means that the user will get a new session ID the next time a new url is open or the page is refreshed. If something is put on the session (HttpContext.Current.Session["Hello] = "hello") however, ASP.NET will issue a cookie called ASP.NET_SessionId. This cookie contains the user's session ID and the cookie will expire at the end of the session (when you close your browser).
If the user logs in, a second cookie will be issued. This cookie is usually called .ASPXAUTH, and states that the user is logged in. It's encrypted, but probably contains some information about who the user is etc. This cookie sets ASP.NET apart from other web applications, because login-information is usually affiliated with the session ID.
Read only?
In the article linked above, session ID is described as read-only. While this is normally true, it is not the case for ASP.NET. If you try to change your session ID in another type of web application, you will usually be logged out because the session does not exist. If the session does exist however, you will be logged in as the user having that session. This is called session stealing, and this is why session IDs must be hard to guess (many characters and not sequential).
If you pass an ASP.NET application a session ID of a session that does not exist, ASP.NET will create a session with that session ID. If you want to try this, open an ASP.NET application in your browser. Next, type the following in your browser address bar:
In the code above I set the session ID to be the beginning of a familiar joke. If you want to set it to a value of your own, use the same length and only letters or numbers.
Session ID expiry
The ASP.NET_SessionId is set to be deleted when you close the browser. If you, however, modify the cookie to have an expiry date at some point ahead in time, you will get the same session ID every time you visit the ASP.NET application untill the expiry date set for the cookie. You can test this by writing something like this in your browser address bar:
Session ID and login
ASP.NET does not create a new session ID for the user on login.
So what does this mean?
ASP.NET does not tie login information to the session, which makes this a much smaller problem than in other web applications. It does however mean that an XSS problem might allow a hacker to set a session ID for a user, and then potentially get access to information from the session whenever the user logs in.
How do I protect my ASP.NET application from this?
Make sure you always delete the ASP.NET_SessionId cookie when the user logs in. This way you'll avoid user's having permanent session IDs. I use the following code in Page_Load() on my ASP.NET .aspx login page:
Another idea could be store the value of the .ASPXAUTH cookie in the session on login and checking it on every subsequent request. If it has changed, delete the session and session cookie.
IE and HTTP-Only cookies
Both the ASP.NET_SessionId and .ASPXAUTH cookies are HTTP Only, which means they cannot be read from javascript in Internet Explorer. They can, however, be changed by javascript using the javascript code presented early in this post.
Session related cookies in .NET
When a user connects to an ASP.NET application, a unique session ID will be affiliated with the user. If nothing is put in the session however, no cookie will be sent to the browser. This means that the user will get a new session ID the next time a new url is open or the page is refreshed. If something is put on the session (HttpContext.Current.Session["Hello] = "hello") however, ASP.NET will issue a cookie called ASP.NET_SessionId. This cookie contains the user's session ID and the cookie will expire at the end of the session (when you close your browser).
If the user logs in, a second cookie will be issued. This cookie is usually called .ASPXAUTH, and states that the user is logged in. It's encrypted, but probably contains some information about who the user is etc. This cookie sets ASP.NET apart from other web applications, because login-information is usually affiliated with the session ID.
Read only?
In the article linked above, session ID is described as read-only. While this is normally true, it is not the case for ASP.NET. If you try to change your session ID in another type of web application, you will usually be logged out because the session does not exist. If the session does exist however, you will be logged in as the user having that session. This is called session stealing, and this is why session IDs must be hard to guess (many characters and not sequential).
If you pass an ASP.NET application a session ID of a session that does not exist, ASP.NET will create a session with that session ID. If you want to try this, open an ASP.NET application in your browser. Next, type the following in your browser address bar:
javascript:void(document.cookie="ASP.NET_SessionId=WhyDidTheChickenCrossThe;path=/")In the code above I set the session ID to be the beginning of a familiar joke. If you want to set it to a value of your own, use the same length and only letters or numbers.
Session ID expiry
The ASP.NET_SessionId is set to be deleted when you close the browser. If you, however, modify the cookie to have an expiry date at some point ahead in time, you will get the same session ID every time you visit the ASP.NET application untill the expiry date set for the cookie. You can test this by writing something like this in your browser address bar:
javascript:void(document.cookie="ASP.NET_SessionId=WhyDidTheChickenCrossThe;path=/;expires=Mon, 19 Mar 2007 18:25:19 GMT");Session ID and login
ASP.NET does not create a new session ID for the user on login.
So what does this mean?
ASP.NET does not tie login information to the session, which makes this a much smaller problem than in other web applications. It does however mean that an XSS problem might allow a hacker to set a session ID for a user, and then potentially get access to information from the session whenever the user logs in.
How do I protect my ASP.NET application from this?
Make sure you always delete the ASP.NET_SessionId cookie when the user logs in. This way you'll avoid user's having permanent session IDs. I use the following code in Page_Load() on my ASP.NET .aspx login page:
if (!Page.User.Identity.IsAuthenticated)
{
if (Page.Request.Cookies["ASP.NET_SessionId"] != null)
{
Response.Cookies["ASP.NET_SessionId"].Expires = DateTime.Now.AddYears(-30);
}
Session.Abandon();
}Another idea could be store the value of the .ASPXAUTH cookie in the session on login and checking it on every subsequent request. If it has changed, delete the session and session cookie.
IE and HTTP-Only cookies
Both the ASP.NET_SessionId and .ASPXAUTH cookies are HTTP Only, which means they cannot be read from javascript in Internet Explorer. They can, however, be changed by javascript using the javascript code presented early in this post.
May 6, 2007 - 12:49 UTC
Skiff
Session cookie
Session cookie in all web technologies also asp.net is the cookie without expiration date set.
May 7, 2007 - 10:31 UTC
Re: Session cookie
You are correct. They usually don't have an expiry date and will be deleted when you close the browser. But if you (or an attacker) modify the cookie to have en expiry date, it will no longer be deleted, and the session id will then be kept until the expiry date is reached.
January 17, 2008 - 17:09 UTC
Great article
Got right to the point and really helped me out. Thx
August 30, 2008 - 23:07 UTC
Thanks!
Like Jezek said: this article got right to the point. After trying to wade through the garbage the MS puts online, this was a real help.
November 6, 2008 - 17:54 UTC
hiiiiiiiiiii
February 27, 2009 - 09:44 UTC
Solved my problem
Great post, solved my problem :)
April 15, 2009 - 11:51 UTC
Good
It's really good information, you told http only cookie cant read from javascript.ok fine, how to read session variable values from javascript, e.g. in web page I wrote, session["n"]="1234"; how to get this value in javascript, give code please...
May 10, 2009 - 22:34 UTC
Re:Good
It's not possible to read the session from javascript. The purpose of the session is to store data server-side, to be able to keep it between requests. If you want something to go to the clientside, you have to make it available through a cookie or directly as javascript in the page.
August 16, 2009 - 19:56 UTC
IE8 Cookie Information page
Are you able to see the "ASP.NET_SessionId" cookie in IE8's Developer Tools -> Cache menu -> Cookie Information page?
November 4, 2010 - 11:30 UTC
If I make only ASPXFORMSAUTH cookei permanent (not any other cookei) then even after closing the browser(IE) the same ASP.NET_SessionId cookei is sent back I checked this in fiddler. BUT this behaviour is not there in Firefox.
How is this possiblle?
How is this possiblle?
January 9, 2012 - 09:32 UTC
Very informative post. It’s really helpful for me and helped me lot to complete my task. Thanks for sharing with us. I had found another nice post over the internet which was also explained very well about How to read and write Cookies in asp.Net, for more details of this post check out this link…
http://mindstick.com/Articles/60de760f-be8e-4ad8-8ec8-207aef746ea1/?How%20to%20read%20and%20write%20Cookies%20in%20ASP.Net
Thanks
http://mindstick.com/Articles/60de760f-be8e-4ad8-8ec8-207aef746ea1/?How%20to%20read%20and%20write%20Cookies%20in%20ASP.Net
Thanks
January 15, 2012 - 01:29 UTC
Session cookies are cookies stored on the server.
Session cookies just holds the ID and name, even if you set the expiration date to 5 years from now it won't work because the server wont have the information stored for that session.
You set the time-out of the session cookie on the server.
Try it yourself by setting the expiration date far in the future and try the session cookie after a few hours.
Session cookies just holds the ID and name, even if you set the expiration date to 5 years from now it won't work because the server wont have the information stored for that session.
You set the time-out of the session cookie on the server.
Try it yourself by setting the expiration date far in the future and try the session cookie after a few hours.
January 16, 2012 - 13:03 UTC
@Nisse: I think you are missing the point. If an attacker can trick a user into setting a specific session id, and set the expiry to 5 years, the user will have the same session id every time. And this will allow the attacker to share session, because he knows the session ID.
May 30, 2012 - 14:45 UTC
i have tried this code and for reason the ession cookie is only ended once you close the browser , does anyone has an idea how to delete session cookie even before close the browser?
About Erlend
Security guy with some thoughts on secure development.
Tag cloud
Categories
Blogroll
