Session Management

Previous page
Table of content
Next page

There are two main factors that you should consider to provide secure session management. First, ensure that the session token cannot be used to gain access to sensitive pages where secure operations are performed or to gain access to sensitive items of data. Second, if the session data contains sensitive items, you must secure the session data, including the session store.

The following two types of tokens are associated with session management:

  • The session token . This token is generated automatically by ASP.NET if session state is enabled, for example, by setting the mode attribute of the <sessionState> element to InProc , SQLServer , or StateServer .

    Note  

    You can override the <sessionState> configuration and disable or enable session state on a per-page basis using the EnableSessionState attribute on the @Page tag.

  • The authentication token . This is generated by authentication mechanisms, such as Forms authentication, to track an authenticated user's session. With a valid authentication token, a user can gain access to the restricted parts of your Web site.

The following recommendations help you build secure session management:

  • Require authentication for sensitive pages .

  • Do not rely on client-side state management options .

  • Do not mix session tokens and authentication tokens .

  • Use SSL effectively .

  • Secure the session data .

Require Authentication for Sensitive Pages

Make sure that you authenticate users before allowing them access to the sensitive and restricted parts of your site. If you use secure authentication and protect the authentication token with SSL, then a user's session is secure because an attacker cannot hijack and replay a session token. The attacker would need the authentication token to get past the authorization gates.

For more information about how to secure the authentication token for Forms authentication, see "Forms Authentication" earlier in this chapter.

Do Not Rely on Client-Side State Management Options

Avoid using any of the client-side state management options, such as view state, cookies, query strings, or hidden form fields, to store sensitive data. The information can be tampered with or seen in clear text. Use server-side state management options, for example, a database, to store sensitive data.

Do Not Mix Session Tokens and Authentication Tokens

Secure session management requires that you do not mix the two types of tokens. First, secure the authentication token to make sure an attacker cannot capture it and use it to gain access to the restricted areas of your application. Second, build your application in such a way that the session token alone cannot be used to gain access to sensitive pages or data. The session token should be used only for personalization purposes or to maintain the user state across multiple HTTP requests . Without authentication, do not maintain sensitive items of the user state.

Use SSL Effectively

If your site has secure areas and public access areas, you must protect the secure authenticated areas with SSL. When a user moves back and forth between secure and public areas, the ASP.NET-generated session cookie (or URL if you have enabled cookie-less session state) moves with them in plaintext, but the authentication cookie is never passed over unencrypted HTTP connections as long as the Secure cookie property is set.

Note  

You can set the Secure property for a Forms authentication cookie by setting requireSSL="true" on the <forms> element.

An attacker is able to obtain a session cookie passed over an unencrypted HTTP session, but if you have designed your site correctly and place restricted pages and resources in a separate and secure directory, the attacker can use it to access only to the non-secure, public access pages. In this event, there is no security threat because these pages do not perform sensitive operations. Once the attacker tries to replay the session token to a secured page, because there is no authentication token, the attacker is redirected to the application's login page.

For more information about using the Secure cookie property and how to build secure Forms authentication solutions, see "Forms Authentication" earlier in this chapter.

Secure the Session Data

If the session data on the server contains sensitive items, the data and the store needs to be secured. ASP.NET supports several session state modes. For information about how to secure ASP.NET session state, see" Session State" in Chapter 19, "Securing Your ASP.NET Application and Web Services."



Previous page
Table of content
Next page
Improving Web Application Security. Threats and Countermeasures
Improving Web Application Security: Threats and Countermeasures
ISBN: 0735618429
EAN: 2147483647
Year: 2003
Pages: 613
Authors: Microsoft Corporation
BUY ON AMAZON
Strategies for Information Technology Governance
Building Web Applications with UML (2nd Edition)
Visual C# 2005 How to Program (2nd Edition)
Microsoft WSH and VBScript Programming for the Absolute Beginner
Microsoft Office Visio 2007 Step by Step (Step By Step (Microsoft))
Python Standard Library (Nutshell Handbooks) with
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy