Hi,

Not sure if this helps, but I am sending you two links: one very neatly demonstrates what session fixation is, and the other describes how to fix it in VB or C#.

http://shiflett.org/articles/session-fixation
http://forums.asp.net/t/1360608.aspx

Also see this if it helps:
https://www.owasp.org/index.php/Session_Management_Cheat_Sheet

Regards
Deepayan

On Fri, Nov 25, 2011 at 12:16 PM, Dhruv Soi <[email protected]> wrote:

> What sessionstate mode are they using? Your mail suggests inproc?
>
> How about abandoning the session and adding a new cookie?
>
> Session.Abandon();
> Response.Cookies.Add(....)
>
> If it destroys the data, I think SQLServer mode could be a good option.
>
> Though I am not a .Net freak, I am just trying to learn by commenting. Do
> let me know what solution works for you.
>
> Cheers!
> Dhruv
>
> On Thu, Nov 24, 2011 at 9:19 PM, Vaibhav Gupta <[email protected]> wrote:
>
>> Hi Folks,
>>
>> I am looking for the mitigation of Session fixation vulnerability on ASP
>> .NET platform. My development team is unable to devise the solution to
>> change the session id post-authentication. Please help me in this regard.
>>
>> I am looking for something synonymous to PHP's session_regenerate_id() in
>> ASP .NET. Other solutions are greatly appreciated.
>>
>> Thanks in anticipation
>> Vaibhav Gupta
>>
>> --------
>> LinkedIn: http://www.linkedin.com/in/vaibhav0
>>
>> _______________________________________________
>> Owasp-delhi mailing list
>> [email protected]
>> https://lists.owasp.org/mailman/listinfo/owasp-delhi

--
With Regards
Deepayan
MBA(IT), GCIA (GIAC), CEH, CHFI
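
The approach suggested in the quoted reply (abandon the session, then replace the session cookie), written out as an added example that is not code from any poster in this thread. It assumes the default session cookie name `ASP.NET_SessionId`, Forms Authentication, and a hypothetical `Login.aspx` code-behind with placeholder form field names and a placeholder `CheckCredentials` helper.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

// Code-behind for a hypothetical Login.aspx (example code, names are assumptions).
public partial class Login : Page
{
    // Default name; change it if <sessionState cookieName="..."> is set in web.config.
    private const string SessionCookieName = "ASP.NET_SessionId";

    protected void LoginButton_Click(object sender, EventArgs e)
    {
        string user = Request.Form["username"];      // placeholder field names
        string password = Request.Form["password"];
        if (!CheckCredentials(user, password))
        {
            return; // failed login: leave the anonymous session as it is
        }

        // 1. Discard the pre-login session, including anything stored in it.
        Session.Clear();
        Session.Abandon();

        // 2. Abandon() alone leaves the old ID in the browser's cookie, and
        //    ASP.NET would reuse that ID. Overwrite the cookie with an empty,
        //    expired value so the next request is issued a fresh ID.
        var expired = new HttpCookie(SessionCookieName, string.Empty)
        {
            Expires = DateTime.UtcNow.AddDays(-1),
            HttpOnly = true,
            Secure = Request.IsSecureConnection
        };
        Response.Cookies.Add(expired);

        // 3. Issue the authentication ticket and redirect, so the first
        //    authenticated request is the one that receives the new session ID.
        FormsAuthentication.SetAuthCookie(user, false);
        Response.Redirect("~/Default.aspx", false);   // placeholder landing page
        Context.ApplicationInstance.CompleteRequest();
    }

    private static bool CheckCredentials(string user, string password)
    {
        // Placeholder: substitute the application's own credential check.
        return Membership.ValidateUser(user, password);
    }
}
```

Anything the application needs in the session after login has to be stored on the request that follows the redirect, because the abandoned session's data is discarded regardless of the session-state mode.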
