WebApp Sec mailing list archives
RE: Cookie not expiring...
From: "Dan Simon" <dsimon () compnetco com>
Date: Wed, 17 Aug 2005 06:47:09 -0500
Not quite. The problem is not with the session being "recycled" -- nor is it with the cookie. The cookie is simply a pointer to the session on the server that holds the state of the user's login and activities. Expiring the cookie on the user's side simply means that the client no longer knows how to connect to the session (which is still valid and has not expired). As noted in the original post, someone who knows the session id (contained in the cookie) can connect to the server after the user has logged out and take over (hijack) their session. The session will think that the attacker is a legitimate user and will treat them as having already logged in (as that is what the session state says they have done). Expiring the cookie on the server has no meaning -- the cookie does not exist on the server. Again, the cookie is simply a storage container...it holds the session id which allows the client to tell the server who he is and what server session object to associate with him. What you need to do is to expire the session object itself when a user logs out. You can do this programmatically by removing the stateful information from the session object upon logout (user id, history, etc.). Alternately, you can look into the API that you are using and determine the proper way to destroy a session object. That way, if an attacker attempts to connect to the server using the session id of a user who has logged out, he will be treated as a new user and forced to login (which will hopefully delay him for at least a minute or two). Dan Simon C|EH, SCJD, SCJP Remington Associates, Ltd. -----Original Message----- From: bryan allott [mailto:homegrown () bryanallott net] Sent: Wednesday, August 17, 2005 3:00 AM To: webappsec () securityfocus com Subject: Re: Cookie not expiring... i dont think the session is actually available. maybe what is happening is that a new session with the same identifier is being resurrected? read the following from msdn.. "Session identifiers for abandoned or expired sessions are recycled by default. That is, if a request is made that includes the session identifier for an expired or abandoned session, a new session is started using the same session identifier. You can disable this by setting regenerateExpiredSessionId attribute of the <sessionState> configuration element to true. For more information, see Session Identifiers." .NET Framework Supported in: 2.0, 1.1, 1.0 try that? ----- Original Message ----- From: "spawn security" <spawn.security () gmail com> To: <webappsec () securityfocus com> Sent: Tuesday, August 16, 2005 7:08 PM Subject: Cookie not expiring... I'm testing an application and after clicking on the logout button the session management cookie does not expire. More specifically, the application is using the FormsAuthentication class signout method to "logout" an authenticated user. Private Sub cmdSignOut_ServerClick(ByVal sender As System.Object, ByVal e As System.EventArgs) _ Handles cmdSignOut.ServerClick FormsAuthentication.SignOut() Session.Abandon() Response.Redirect("login.aspx", True) End Sub According to Microsoft documentation, this FormsAuthentication.SignOut method works by returning a Set-Cookie header to the browser that sets the cookie's value to a null string and sets the cookie's expiration date to a date in the past. This is only expiring the cookie on the client/browser side. Which will allow a "malicious" user, who had access to the cookie, to reuse it after user logs out. Does anyone know how to force the cookie to expire on the server side ? Thanks. -- No virus found in this incoming message. Checked by AVG Anti-Virus. Version: 7.0.338 / Virus Database: 267.10.10/73 - Release Date: 15-Aug-05
Current thread:
- Cookie not expiring... spawn security (Aug 16)
- Re: Cookie not expiring... bryan allott (Aug 17)
- RE: Cookie not expiring... Dan Simon (Aug 17)
- Re: Cookie not expiring... Rogan Dawes (Aug 17)
- Re: Cookie not expiring... Thomas Chiverton (Aug 17)
- <Possible follow-ups>
- RE: Cookie not expiring... Steven Rebello (Aug 17)
- RE: Cookie not expiring... David Knapman (Aug 17)
- Re: Cookie not expiring... dharmeshmm (Aug 17)
- RE: Cookie not expiring... Dan Simon (Aug 17)
- Windows 2003 Server Hardening Joe Osborn (Aug 18)
- Re: Windows 2003 Server Hardening jcarr083 (Aug 19)
- RE: Windows 2003 Server Hardening Sarbjit Singh Gill (Aug 19)
- RE: Windows 2003 Server Hardening Aleksander P. Czarnowski (Aug 19)
- RE: Cookie not expiring... Dan Simon (Aug 17)
- Re: Cookie not expiring... bryan allott (Aug 17)