ASP.NET Session and Forms Authentication and Session Fixation
https://peterwong.net/blog/asp-net-session-and-forms-authentication/
The title can be misleading, because in concept, one is not related to the other. However, a lot of web applications mix them up, causing bugs that are hard to troubleshoot, and, at worst, causing security vulnerabilities.
A little bit of background on each one. ASP.NET sessions are used to keep track and keep information related to a “user” session. When a web server is initially accessed by a browser, the server generates a unique session ID, and sends that session ID to the browser as the value of a cookie (the name of the cookie is ASP.NET_SessionId). Along with that session ID, a dictionary of objects on the server, often referred to as session state, is allocated corresponding to that session ID. This dictionary can be used to keep track of information unique to that session. For example, it could be used to keep track of items placed in a shopping cart metaphor.
Note that this “session” can exist even if the user has not authenticated. And this is often useful. In a retail web site (like Amazon), you can put items in your shopping cart, and only need to authenticate or sign on when you are ready to checkout — and even then, you can actually make a purchase without needing to authenticate, provided, of course, that a valid credit card is used.
Because this “session” is disjoint from authentication, it is better referred to as a “browser” session instead of as a “user” session. In a kiosk environment, if a user walks away from the kiosk while there are items in a shopping cart, the next user to use the kiosk will still see the same shopping cart. The web server doesn’t know any better that a different user is using the kiosk, because the same session ID is being sent back in the session cookie during interaction with the web server.
That dictionary of objects on the server, the session state, also poses certain complications that most developers are aware of. In a web farm, some form of sticky load balancer has to be used so that session state can be kept in memory. Or a centralized store for the session state is used to make the state consistent across the servers in the web farm. In either case, service performance can be affected. I have a very strong opinion against using session state. I avoid it, if at all possible.
What about Forms Authentication? Forms Authentication is the most common authentication mechanism for ASP.NET web sites. When a user is authenticated, most commonly using a user ID and password, a Forms Authentication cookie is generated and is sent to the browser (the name of the cookie, by default, is .ASPXAUTH). The cookie contains the encrypted form of an authentication ticket that contains, among other things, the user ID that uniquely identifies the user. The same cookie is sent to the web server on each HTTP request, so the web server has an idea of the user identity to correlate to a particular HTTP request.
Everything I mentioned above is common knowledge for web developers. Trouble and confusion only comes about when an expectation is made that an ASP.NET session can be associated with ASP.NET authentication. To be clear, it can be done, but precautionary measures have to be taken.
The problem is related to session hijacking, but better known as session fixation. Assuming that you’ve done your diligence of using SSL/TLS and HttpOnly cookies, there isn’t a big risk of having the session ID stolen/hijacked by sniffing the network. And most applications also perform some session cleanup when the user logs out. Some applications even ensure that a new session ID is created when the user logs in, thinking that this is enough to correlate a session state with a user identity.
Remember that the session cookie and the forms authentication cookie are two different cookies. If the two are not synchronized, the web server could potentially allow or disallow some operations incorrectly.
Here’s a hypothetical (albeit unrealistic) scenario. A banking application puts a savings account balance into session state once the user logs in. Perhaps it is computationally expensive to obtain the account balance, so to improve performance, it is kept at session state. The application ensures that a new session ID is created after the user logs in and clears the session state when the user logs out. This prevents the occurrence of one user reusing the session state of another user. Does it really prevent it? No.
As an end-user having control of my browser, I am privy to the traffic/data that the browser receives. With the appropriate tools like Fiddler2 or Firebug, I can see the session and forms authentication cookies. I may not be able to tamper them (i.e., the forms authentication cookie is encrypted and hashed to prevent tampering), but I could still capture them and store them for a subsequent replay attack.
In the hypothetical banking application above, I initially log in and get SessionIDCookie1 and FormsAuthCookie1. Let’s say the account balance stored in session state corresponding to SessionIDCookie1 is $100.
I don’t log out, but open up another window/tab and somehow prevent (through Fiddler2 maybe) the cookies from being sent through the second window. I log in to that second window.
The web server, noting that the request from the second window has no cookies, starts off another session state, and also returns SessionIDCookie2 and FormsAuthCookie2.
Browsers usually overwrite cookies with the same names, so my SessionCookieID2 and FormsAuthCookie2 are my new session ID and forms authentication cookies.
But remember that I captured SessionIDCookie1 and FormsAuthCookie1 to use in a future attack.
In that second window, I transfer $80 away from my account, thereby updating the session state corresponding to SessionIDCookie2 to be $20. I cannot make another $80 transfer in the second window because I do not have sufficient funds.
Note that SessionIDCookie1 has not been cleaned up and there is a session state on the server corresponding to SessionIDCookie1 which still thinks that the account balance is $100. I now perform my replay attack, sending to the web server SessionIDCookie1 and FormsAuthCookie1. For that given session state, I can make another $80 transfer away from my account.
You might say that the application could easily keep track of the forms authentication cookie issued for a particular user, so that when FormsAuthCookie2 is issued, FormsAuthCookie1 becomes invalid and will be rejected by the server. But what if I use SessionIDCookie1 and FormsAuthCookie2 on the second window? It’s the same result — I can make another $80 transfer away from my account.
Oh, you might say that the application should invalidate SessionIDCookie1 when SessionIDCookie2 is issued. Sure, but how? Unlike the forms authentication cookies, where the user identity is the same within both cookies, there is nothing common between SessionIDCookie1 and SessionIDCookie2. And since there is nothing relating SessionIDCookies with FormsAuthCookies, there’s no mechanism to search for and invalidate SessionIDCookie1.
The only workaround for this is custom code that ties a SessionIDCookie with the FormsAuthCookie that was issued for the same logical session. One of the following options should provide a solution.
- Key your session states by an authenticated user ID instead of by a session ID. No need for the session cookie. This will not work for applications that need to keep track of session without authentication (e.g., online shopping).
- Store the session ID as part of the payload for the forms authentication cookie. Verify that the session ID in the session cookie is the same as that stored in the forms authentication cookie. Keep track of the forms authentication issued for each user so that only a single forms authentication cookie (the most recently issued) is valid for the same user.
Maybe an overarching solution is to avoid storing user-specific information in the session state. Remember that it is a “browser” session state, and has nothing to do with an authenticated user. If you keep that in mind and only store “browser”-related information into session state, then you could avoid the problems altogether.
ASP.NET session fixation is not a very publicized problem, but is potentially a big risk, specially if improper assumptions are made with regard to session and authentication. ASP.NET session fixation is also described long back in http://software-security.sans.org/blog/2009/06/14/session-attacks-and-aspnet-part-1/, and been reported through Microsoft Connect http://connect.microsoft.com/feedback/viewfeedback.aspx?FeedbackID=143361, but to my knowledge, has not been addressed within the ASP.NET framework itself.
ASP.NET Session and Forms Authentication and Session Fixation的更多相关文章
- ASP.NET 4.0 forms authentication issues with IE11
As I mentioned earlier, solutions that rely on User-Agent sniffing may break, when a new browser or ...
- How does ASP.NET Forms Authentication really work?
I've always wondered how exactly ASP.NET forms authentication works. Yes, I know how to configure Fo ...
- IIS下Asp.Net应用程序多进程设置及Session共享
背景: 目前项目中在单个进程的应用程序经常会遇到w3c.exe崩溃的情况,于是就设想是否可以通过IIS多进程的方案来避免出现该问题. 于是搜了下“怎么实现多进程的方案”,找到了这篇文章:http:// ...
- ASP.NET 使用mode=”InProc”方式保存Session老是丢失,无奈改成StateServer 模式。
http://blog.csdn.net/fox123871/article/details/8165431 session是工作在你的应用程序进程中的.asp.net进程.iis往往会在20分钟之后 ...
- asp.net 类库中获取session c#类中获取session
asp.net 类库中获取session c#类中获取session 1. 先引入命名空间 using System.Web; using System.Web.SessionState; 在使用H ...
- Forms Authentication in ASP.NET MVC 4
原文:Forms Authentication in ASP.NET MVC 4 Contents: Introduction Implement a custom membership provid ...
- 在ASP.Net MVC 中如何实现跨越Session的分布式TempData
Hi,guys!Long time no see! 1.问题的引出 我相信大家在项目中都使用过TempData,TempData是一个字典集合,一般用于两个请求之间临时缓存数据或者页面之间传递消息.也 ...
- asp.net core系列 43 Web应用 Session分布式存储(in memory与Redis)
一.概述 HTTP 是无状态的协议. 默认情况下,HTTP 请求是不保留用户值或应用状态的独立消息. 本文介绍了几种保留请求间用户数据和应用状态的方法.下面以表格形式列出这些存储方式,本篇专讲Sess ...
- 窥探ASP.Net MVC底层原理 实现跨越Session的分布式TempData
1.问题的引出 我相信大家在项目中都使用过TempData,TempData是一个字典集合,一般用于两个请求之间临时缓存数据或者页面之间传递消息.也都知道TempData是用Session来实现的,既 ...
随机推荐
- Java 学习(3):java 对象和类
目录: --- 对象 --- 类 --- 源文件的声明规则 --- Java 包 对象: 对象是类的一个实例(对象不是找个女朋友),有状态和行为.例如,一条狗是一个对象,它的状态有:颜色.名字.品种: ...
- Python爬虫--beautifulsoup 4 用法
Beautiful Soup将复杂HTML文档转换成一个复杂的树形结构, 每个节点都是Python对象,所有对象可以归纳为4种: Tag , NavigableString , BeautifulSo ...
- linux下eth0 lo wlan0
参考:http://www.cnblogs.com/see7di/archive/2011/06/17/2239722.html 内容如下: 理解linux下的 eth0,eth1,eth2,lo 网 ...
- [NOIP2012T3]开车旅行
题目描述 NOIP 2012 提高组 题3小 A 和小 B 决定利用假期外出旅行,他们将想去的城市从 1 到 N 编号,且编号较小的城市在编号较大的城市的西边,已知各个城市的海拔高度互不相同,记城市 ...
- 利用BURPSUITE检测CSRF漏洞
CSRF漏洞的手动判定:修改referer头或直接删除referer头,看在提交表单时,网站是否还是正常响应. 下面演示用Burpsuite对CSRF进行鉴定. 抓包. 成功修改密码完成漏洞的利用.
- 9.Java web—JSP内置对象
容器内置了9大对象,这些对象在jsp页无需实例化,可以直接使用. 分别为request. response .session. application .out. pageContext .confi ...
- Linux线上系统程序debug思路及方法
http://blog.csdn.net/wangzuxi/article/details/44766221
- 【IntelliJ IDEA】2017.3.4版本永久破解
[本版本软件包和破解jar在网盘上有 我的网盘--技术--idea破解所需要的] 1.idea官网下载 历史版本 选择2017.3.4版本下载 https://www.jetbrains.com ...
- Building a Radio Listening Station to Decode Digital Audio & Police Dispatches
On April 7, 2017, residents in Dallas, Texas, woke to the sound of emergency sirens blaring all over ...
- BUPT复试专题—统计时间间隔(2013计院)
题目描述 给出两个时间(24小时制),求第一个时间至少要经过多久才能到达第二个时间.给出的时间一定满足的形式,其中x和y分别代表小时和分钟.0≤x<24,0≤y<60. 输入格式 第一行为 ...