Created: Tuesday, 19 January 2010 11:03
Written by Division by Zero
From a security perspective, session management is one of the important things to get right. There are four things an application has to do: time sessions out (make a session last as short as possible), start a new session with a new ID when the client presents a session ID the server does not know (never adopt an ID the client chose), reset the session on login, and reset the session on logout. The first two are standard in most frameworks, such as Java and .NET. The last two are almost always forgotten.
Why is this important? We cannot prevent an attacker from stealing a session ID, because that happens on the client side, outside our control. But we can limit the damage: keep sessions as short as possible and use SSL for secured pages. If an attacker obtains (or plants) the user's session ID before the user logs in, and the user then logs in, the attacker is logged in too. Therefore we have to reset the session ID after the user logs in (over a secure connection, of course). That way the attacker no longer shares the user's session and is not logged in.
If we also reset the session when a user logs out, a stolen session becomes invalid at that moment instead of when it eventually times out. This way we minimise the time an attacker can abuse a stolen session.
Here's an example in C#:
using System.Web;

/// The session has to be reset in this fashion. This makes it harder for
/// an attacker to use a stolen or planted session ID.
public static void ResetWebSession()
{
    // Abandon the current session; its stored values are discarded
    HttpContext.Current.Session.Abandon();
    // Overwrite the session ID cookie with an empty value so the next
    // request carries no usable ID and ASP.NET issues a fresh one
    HttpContext.Current.Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", ""));
}
We overwrite the session ID cookie, so the next request from the user carries an empty session ID. The framework then generates a new ID and the old session is no longer valid. Clearing the cookie is essential: ASP.NET keeps using the ID it finds in the cookie, even after Session.Abandon(), so without this step the attacker's ID would simply be reused for the new session. Remember that any values stored in the session are lost, and the new session only exists from the next request on: we need to treat an authenticated user differently from a guest user and rebuild state after login rather than carry it over.
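How the reset fits into a login and a logout handler, as an added example that is not code from the original article. It assumes a Web Forms page whose markup declares TextBox controls UserName and Password and a Label ErrorLabel, that the ResetWebSession method above lives in a static class named SessionHelper, and that forms authentication is enabled in web.config; ValidateCredentials is a stand-in for the application's own credential check.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

// Assumed: controls UserName, Password and ErrorLabel are declared in the
// .aspx markup; SessionHelper.ResetWebSession is the helper from the article.
public partial class Login : Page
{
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        if (!ValidateCredentials(UserName.Text, Password.Text))
        {
            ErrorLabel.Text = "Invalid user name or password.";
            return;
        }

        // 1. Drop the session the (possibly attacker-supplied) ID refers to
        //    and clear the cookie, so the next request gets a fresh ID.
        SessionHelper.ResetWebSession();

        // 2. Record the login outside the session: the forms authentication
        //    ticket has its own cookie, so it survives the reset. Anything
        //    written to Session in this request would die with the abandoned
        //    session.
        FormsAuthentication.SetAuthCookie(UserName.Text, false);

        // 3. Redirect. The new session is created on that next request and
        //    can then be populated for the authenticated user.
        Response.Redirect(FormsAuthentication.GetRedirectUrl(UserName.Text, false), false);
    }

    protected void LogoutButton_Click(object sender, EventArgs e)
    {
        // Remove the authentication ticket and invalidate the session ID, so a
        // stolen ID stops working now rather than at the session timeout.
        FormsAuthentication.SignOut();
        SessionHelper.ResetWebSession();
        Response.Redirect(FormsAuthentication.LoginUrl, false);
    }

    private static bool ValidateCredentials(string userName, string password)
    {
        // Assumed: application-specific check; the Membership provider is
        // used here as a stand-in.
        return Membership.ValidateUser(userName, password);
    }
}
```

The login state deliberately goes into the forms authentication cookie rather than into Session: after Session.Abandon() the current session's contents are discarded at the end of the request, and the replacement session does not exist until the redirected request arrives. If the application needs per-user session data, populate it on that next request (for example in Session_Start or on the landing page) from the authenticated identity. To honour "use SSL for secured pages", the example further assumes the cookies are marked secure and HttpOnly in web.config via the httpCookies element (requireSSL="true", httpOnlyCookies="true").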
This isn't a foolproof concept, I know. But it is the only thing we can do with our session management to assist our users.