Educause Security Discussion mailing list archives

ASP Session ID Reuse


From: Neil Matatall <nmatatal () UCI EDU>
Date: Tue, 10 Feb 2009 16:40:57 -0800

Hello All,

While pen testing a vendor ASP application, we found that the session ID
cookies are reused by default.  I feel that I must be missing something
here.  Isn't this a bad idea?  Under OWASP's "Things To Do" section on
session management:

"For all applications, session tokens should be regenerated after a
change in user privilege." - this applies to a user who is
unauthenticated that becomes authenticated and vice versa, correct?

Assuming your cookies are safe, the following exploit still exists

  1. Login as User1
  2. Copy the ASPSESSIONID* cookie name and value
  3. Log out
  4. Login as a User2
  5. On a different computer (or browser), create the cookie with the
     previous information.
  6. Visit the application and you will see that you are logged in as User2

http://support.microsoft.com/kb/899918 actually discourages removing the
session id cookie values!  What are you doing to protect your ASP session
IDs?


Neil

Note: this is not an ASP.Net application, just plain old ASP.  This is
my first experience with ASP :P
