Educause Security Discussion mailing list archives
ASP Session ID Reuse
From: Neil Matatall <nmatatal () UCI EDU>
Date: Tue, 10 Feb 2009 16:40:57 -0800
Hello All,

While pen testing a vendor ASP application, we found that the session ID cookies are reused by default. I feel that I must be missing something here. Isn't this a bad idea?

Under OWASP's "Things To Do" section on session management: "For all applications, session tokens should be regenerated after a change in user privilege." - this applies to a user who is unauthenticated that becomes authenticated and vice versa, correct?

Assuming your cookies are safe, the following exploit still exists:

1. Login as User1
2. Copy the ASPSESSIONID* cookie name and value
3. Log out
4. Login as User2
5. On a different computer (or browser), create the cookie with the previous information.
6. Visit the application and you will see that you are logged in as User2

http://support.microsoft.com/kb/899918 actually discourages removing the session id cookie values!

What are you doing to protect your ASP session IDs?

Neil

Note: this is not an ASP.Net application, just plain old ASP. This is my first experience with ASP :P
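The following is an added Python model of the six steps in the post, side by side with the OWASP advice it quotes (regenerate the session token on a privilege change); it is illustrative code written for this archive page, not code from the post, from IIS or from any ASP application, and the names SessionStore and replay_scenario are constructed for the model.

```python
import secrets


class SessionStore:
    """Minimal in-memory model of a cookie-keyed session table (constructed for illustration)."""

    def __init__(self):
        self._sessions = {}  # session_id -> {"user": username or None}

    def new_session(self):
        sid = secrets.token_hex(16)
        self._sessions[sid] = {"user": None}
        return sid

    def login_no_rotation(self, sid, user):
        # Weak behaviour: bind the user to whatever session ID the browser presented.
        # If the server-side session was abandoned, it is simply recreated under the same ID.
        self._sessions.setdefault(sid, {"user": None})["user"] = user
        return sid

    def login_with_rotation(self, sid, user):
        # Hardened behaviour: a privilege change invalidates the presented ID and issues a new one.
        self._sessions.pop(sid, None)
        new_sid = self.new_session()
        self._sessions[new_sid]["user"] = user
        return new_sid

    def logout(self, sid):
        # Server-side abandon; the cookie value itself may still be held by the browser.
        self._sessions.pop(sid, None)

    def whoami(self, sid):
        entry = self._sessions.get(sid)
        return entry["user"] if entry else None


def replay_scenario(rotate):
    """Walk the post's steps. Returns (user seen by the browser holding the
    step-2 cookie value, user seen by User2's own browser)."""
    store = SessionStore()
    login = store.login_with_rotation if rotate else store.login_no_rotation
    sid1 = login(store.new_session(), "User1")   # step 1
    captured = sid1                               # step 2: cookie value noted
    store.logout(sid1)                            # step 3
    sid2 = login(captured, "User2")               # step 4: same browser, same cookie presented
    return store.whoami(captured), store.whoami(sid2)  # steps 5-6 vs. User2's legitimate view
```

Without rotation the step-2 cookie value resolves to User2's session; with rotation it resolves to nothing while User2's fresh cookie still works, which is exactly the check a tester can run against the application.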