HTTP
HTTP is a stateless protocol.
- It follows a request/response pattern i.e, user requests a resource and the web server responds with the requested resource.
- Information is not retained (pass on) from one request to another.
Client side session management
View state, hidden field, cookies, control state, query string
Server side session management
Session, application object, caching
Session (Server)
- Session is used to store information and identity. The server stores the session using Session_id.
- 2 events: Session_start(), Session_End()
How to create a session variable (Server)
Session.add(“ssuser”, txtboxloginid.Text);
Session[“ssuser”] = txtboxloginid.Text;
How to retrieve value from session (Server)
string LoginUser = (String)Session[“ssuserName”]
How to delete session object(s) (Server)
Session.Remove(“cartvalue”)
Session.Abandon(); // Remove all objects
Session Timeout (Server)
- Session timeout can be configured in the web.config file
- It indicates the time that the session can be idle before it is abandoned
- <sessionState></sessionState>
- By default, session timeout = 20minutes
How is data stored in “Session” (Server)
– InProc Mode
* It is a default session mode and a value store in web server
memory (IIS).
* Session value stored when server starts and it ends when
the server is restarted.
* limited to ONLY one server
– State Server Mode
* In this mode session data is stored in separate server.
– SQL Server Mode
* In this session is stored in the database. It is a secure mode
Application (Server)
- State is maintained throughout till application shut down.
- Shared by all users accessing the application
- 3 events: Application_start(), Application_Error(), Application_End()
Cache (Server)
- Cache is stored on server side
- Cache is used to set expiration policies
Cookies (Client)
– a small amount of data which is either stored at client side in text file or in memory of the client browser session.
– Every time a user visits a website, cookies are retrieved from the user
machine and help identify the user.
Persistent Cookie (Client)
Cookies having an expiration data is called persistent cookie. This type of cookie reaches their end as their expiration dates comes to an end. IN this cookie we set an expiration date
Non persistent cookie (Client)
- Not stored in the client’s hard drive
permanently. - Once the user exits the browser, the cookies will be cleared
Control state
- A private ViewState for specific controls only
- to cahce data necessary for a control to function properly
- not affected when ViewState is turned off
Hidden Field
- Hidden field is not displayed on the browser.
- It is visible to all the users in url as in the following link
Viewstate
– stores any type of data (small data)
– enables and disables on page level control.
– supports Encryption and Decryption and data/value is
stored in hashed format.
Query String
- Query string stores the value in the URL
- It is visible to all the users in url as in the following link
Broken Authentication and Session Managment Prevention
- Account credentials must be properly protected by means of strong encryption.
– SSL should be used in the transmission of credential information. - Secure Session ID
– Name should not give away details about the purpose and meaning of ID.
– Length at least 128 bit to prevent brute force attack.
– Must be random enough to prevent guessing.
– No meaning to the ID to prevent information disclosure attacks. - Avoid XSS flaws which could be used to steal session ID.
Session Fixation
- Session Fixation is a specific attack against the session that allows an attacker to gain access to a victim’s session.
- An attacker visits the website to obtain a valid Session.
- This valid session cookie is placed in the victim’s browser by getting the victim to click on some malicious link.
- When the victim logs into the website, both the attacker and the victim will use the same session cookie that the attacker already knows, and thus the attacker-owned cookie is now authenticated and can be exploited.
How to prevent Session FIxation Attack
- To generate a new set of session_id or tokens each time a user logs in and invalidate the old ones if any.
- Add additional session_id to circumvent the default behaviours
- Perform session timeout.
ASP.NET_SessionId Issue
- ‘ASP.NET_SessionId’ wasn’t deleted upon user logout.
- To overcome this problem we will create another cookie, ‘AuthToken,’ that has random a GUID as its value.
When the user clicks on the logout button, the ‘btnLogout_Click’ event will be triggered. This event removes all sessions. Also, we are explicitly removing the values of thecookies ‘ASP.NET_SessionId,’ and ‘AuthToken’ so that an attacker cannot fixate the session.
