And the funny part is, the solution contains the same code which I mentioned with comments "destroy the session".

Many Thanks,
Dhruv

Sent from my iPad

On Dec 3, 2011, at 10:27 PM, Pankaj Upadhyay <[email protected]> wrote:

> Your link contains the same solution which Dhruv had suggested - abandoning
> the current cookie and adding a new cookie in the response.
>
> And this won't redirect to a login page, as the code itself will delete the
> cookie, generate a new cookie and allow the user to log into the application
> by redirecting/forwarding to the page which should come after login.
>
> You can create a POC and demo them the same.
>
> --
> Thanks,
> Pankaj Upadhyay
> http://pupadhyay.blogspot.com/
>
> On Sat, Dec 3, 2011 at 9:37 PM, Vaibhav Gupta <[email protected]> wrote:
>
>> Hi All,
>>
>> Thanks for your suggestions and sorry for the late reply! :)
>>
>> @Dhruv
>> What do you mean by destroying the cookie? Is it like adding a custom cookie
>> and not the default ASP.NET_SessionId?
>>
>> @Deepayan
>> I have forwarded your link to the C# fix of the attack. Will update if that works.
>>
>> @Pankaj
>> I also suggested a similar solution to the developers, but as per them, if we
>> invalidate the session and regenerate another one, the user will be
>> redirected to the login page. I tried convincing them that you need to do this
>> at the time of login, but they were quite rigid with their concept and thus it
>> did not work out with this solution.
>>
>> One solution I suggested to them was:
>> http://palisade.plynt.com/issues/2010Apr/secure-coding-aspdotnet-p2/
>>
>> Comments please!
>>
>> Thanks
>> Vaibhav Gupta
>>
>> --------
>> LinkedIn: http://www.linkedin.com/in/vaibhav0
>>
>> On Fri, Nov 25, 2011 at 10:10 PM, Pankaj Upadhyay <[email protected]> wrote:
>>
>>> Vaibhav,
>>>
>>> In Java, we can do it in the following way:
>>>
>>>     session.invalidate();
>>>     session = request.getSession(true);
>>>
>>> The above code will destroy the previous session and regenerate a new session id.
>>> The same 'concept' could be used in .NET. I am not sure of the code though. You
>>> may want to view the following link by MSDN as well:
>>>
>>> http://msdn.microsoft.com/en-us/library/ms178582.aspx
>>>
>>> Let me know if it works! :-)
>>>
>>> --
>>> Thanks,
>>> Pankaj Upadhyay
>>> http://pankajupadhyay.in/
>>>
>>> On Fri, Nov 25, 2011 at 1:03 PM, Deepayan (Dragon) <[email protected]> wrote:
>>>
>>>> Hi
>>>>
>>>> Not sure if this helps, but I am sending you two links: one which very neatly
>>>> demonstrates what session fixation is, and another which states how to fix it
>>>> in VB or C#:
>>>>
>>>> http://shiflett.org/articles/session-fixation
>>>> http://forums.asp.net/t/1360608.aspx
>>>>
>>>> Also see this, if it helps:
>>>> https://www.owasp.org/index.php/Session_Management_Cheat_Sheet
>>>>
>>>> Regards
>>>> Deepayan
>>>>
>>>> --
>>>> With Regards
>>>> Deepayan
>>>> MBA(IT), GCIA (GIAC), CEH, CHFI
>>>>
>>>> On Fri, Nov 25, 2011 at 12:16 PM, Dhruv Soi <[email protected]> wrote:
>>>>
>>>>> What sessionState mode are they using? Your mail suggests InProc?
>>>>>
>>>>> How about abandoning the session and adding a new cookie?
>>>>>
>>>>>     Session.Abandon();
>>>>>     Response.Cookies.Add(....)
>>>>>
>>>>> If it destroys the data, I think SQLServer mode could be a good option.
>>>>>
>>>>> Though I am not a .NET freak, I am just trying to learn by commenting. Do let
>>>>> me know what solution works for you.
>>>>>
>>>>> Cheers!
>>>>> Dhruv
>>>>>
>>>>> On Thu, Nov 24, 2011 at 9:19 PM, Vaibhav Gupta <[email protected]> wrote:
>>>>>
>>>>>> Hi Folks,
>>>>>>
>>>>>> I am looking for the mitigation of the Session fixation vulnerability on the
>>>>>> ASP.NET platform. My development team is unable to devise the solution to
>>>>>> change the session id post-authentication. Please help me in this regard.
>>>>>>
>>>>>> I am looking for something synonymous to PHP's session_regenerate_id() in
>>>>>> ASP.NET. Other solutions are greatly appreciated.
>>>>>>
>>>>>> Thanks in anticipation
>>>>>> Vaibhav Gupta
>>>>>>
>>>>>> --------
>>>>>> LinkedIn: http://www.linkedin.com/in/vaibhav0

_______________________________________________
Owasp-delhi mailing list
[email protected]
https://lists.owasp.org/mailman/listinfo/owasp-delhi
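Putting the thread's suggestions together, the following is an added example (not code posted by anyone in the thread, nor Microsoft's own sample) of rotating the ASP.NET session id at login, which is the session_regenerate_id() equivalent Vaibhav asked for. It assumes ASP.NET Web Forms on System.Web with cookie-based session state and Forms Authentication; the Login page, its UserName and Password controls, the CheckCredentials() helper and the Session["UserName"] key are assumptions made for the illustration.

```csharp
// Added example, not code from the thread. Assumes ASP.NET Web Forms
// (System.Web), cookie-based session state and Forms Authentication.
// The controls, CheckCredentials() and the "UserName" session key are
// assumed for illustration.
using System;
using System.Web;
using System.Web.Security;
using System.Web.SessionState;
using System.Web.UI.WebControls;

public class Login : System.Web.UI.Page
{
    // Assumed to be declared in the .aspx markup.
    protected TextBox UserName;
    protected TextBox Password;

    // Hypothetical credential check; wire this to the application's real one.
    private static bool CheckCredentials(string user, string password)
    {
        return Membership.ValidateUser(user, password);
    }

    // BEFORE (session fixation): the ASP.NET_SessionId the browser arrived with
    // survives authentication. If an attacker planted that id (ASP.NET accepts a
    // well-formed id it never issued and starts a session under it), the
    // attacker's cookie now names an authenticated session.
    protected void LoginVulnerable_Click(object sender, EventArgs e)
    {
        if (!CheckCredentials(UserName.Text, Password.Text))
            return;

        Session["UserName"] = UserName.Text;   // login state bound to the old id
        FormsAuthentication.RedirectFromLoginPage(UserName.Text, false);
    }

    // AFTER: issue a fresh id at the moment of authentication, before any
    // authenticated state exists, then redirect. Authentication lives in the
    // forms-auth ticket cookie, so the user is not bounced back to the login page.
    protected void LoginFixed_Click(object sender, EventArgs e)
    {
        if (!CheckCredentials(UserName.Text, Password.Text))
            return;

        RegenerateSessionId(Context);
        FormsAuthentication.SetAuthCookie(UserName.Text, false);
        Response.Redirect(FormsAuthentication.GetRedirectUrl(UserName.Text, false), false);
        Context.ApplicationInstance.CompleteRequest();
    }

    // ASP.NET counterpart of PHP's session_regenerate_id(). Session.Abandon()
    // alone is not enough: ASP.NET keeps reusing the id in the browser's cookie
    // until that cookie is replaced, which is exactly what the thread is about.
    public static string RegenerateSessionId(HttpContext context)
    {
        // Empty whatever was stored under the pre-authentication (possibly
        // attacker-chosen) id, so presenting that id again yields nothing.
        context.Session.Clear();

        var manager = new SessionIDManager();
        manager.Initialize();                          // picks up <sessionState> config
        string newId = manager.CreateSessionID(context);

        bool redirected, cookieAdded;
        // Writes a new HttpOnly ASP.NET_SessionId cookie to the response (or
        // redirects when cookieless mode is configured). Must run before any
        // response headers are sent.
        manager.SaveSessionID(context, newId, out redirected, out cookieAdded);
        return newId;
    }
}

// Global.asax code-behind. The new id only takes effect on the next request;
// within the login request the Session object still refers to the old
// session's store, so per-user session data is (re)built here, on the first
// request that carries the new id, from the authenticated identity rather
// than at login time. This is what removes the developers' "user gets sent
// back to the login page" objection.
public class Global : HttpApplication
{
    protected void Session_Start(object sender, EventArgs e)
    {
        if (Request.IsAuthenticated)
        {
            Session["UserName"] = User.Identity.Name;
        }
    }
}
```

Dhruv's variant, Session.Abandon() followed by writing an empty ASP.NET_SessionId cookie, reaches the same end state one request later: with the cookie cleared, the session-state module mints a fresh id on the next request instead of reusing the old one. Either way, the check to make in a POC is that the ASP.NET_SessionId value seen in the response to the login POST differs from the one sent with it, and that the old value, replayed after login, lands on an unauthenticated, empty session.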
