Session Management

How Are Session Identifiers Exchanged?

Examine the session identifier that your application uses to manage user sessions and how these session identifiers are exchanged. Consider the following:

• Do you pass session identifiers over unencrypted channels?

  If you track session state with session identifiers ” for example, tokens contained in cookies ” examine whether or not the identifier or cookie is only passed over an encrypted channel, such as SSL.

• Do you encrypt session cookies?

  If you use Forms authentication, make sure your application encrypts the authentication cookies using the protection="All" attribute on the <forms> element. This practice is recommended in addition to SSL to mitigate the risk of an XSS attack that manages to steal the authentication cookie of a user.

• Do you pass session identifiers in query strings?

  Make sure that your application does not pass session identifiers in query strings. These strings can be easily modified at the client, which would allow a user to access the application as another user, access the private data of other users, and potentially elevate privileges.

Do You Restrict Session Lifetime?

Examine how long your application considers a session identifier valid. The application should limit this time to mitigate the threat of session hijacking and replay attacks.

How Is the Session State Store Secured?

Examine how your application stores session state. Session state can be stored in the Web application process, the ASP.NET session state service, or a SQL Server state store. If you use a remote state store, make sure that the link from the Web server to the remote store is encrypted with IPSec or SSL to protect data over the wire.

For more information about securing ASP.NET session state, see "Session State" in Chapter 19, "Securing Your ASP.NET Application and Web Services."