RE: Cookie not expiring...

["Dan Simon" <dsimon () remingtonltd com>]

This is simply not the case.

I have personally seen this problem on assessments in the past.

There are a slew of sites out there that will "logout" a user session by
simply removing/invalidating the cookies on the users system.

This prevents the legitimate user from continuing to use the session, but
has no effect on the session itself.

If an attacker has managed to snoop the cookie information, he can hijack
the user's session and continue on as if no logout had occurred (from the
server's perspective, it hasn't).

In order to properly/securely logout a user, you MUST destroy the
server-side session information.  Once you do that, destroying the
client-side cookie becomes almost moot -- even with the sessionid from the
cookie, no valid information can be gained (the session that the id points
to is dead/useless).

Dan Simon
C|EH, SCJD, SCJP
Remington Associates, Ltd.

-----Original Message-----
From: dharmeshmm () mastek com [mailto:dharmeshmm () mastek com] 
Sent: Wednesday, August 17, 2005 8:25 AM
To: webappsec () securityfocus com
Subject: Re: Cookie not expiring...

Hi All,

I think the case is only with Cookieless sessions.
"Session ID values used in cookieless sessions are recycled by default. That
is, if a request is made with a session ID that has expired, a new session
is started using the System.Web.SessionState.HttpSessionState.SessionID
supplied with the request. This behavior can result in the unwanted sharing
of session data when a link that contains a cookieless
System.Web.SessionState.HttpSessionState.SessionID is shared with multiple
browsers perhaps through a search engine or other means. You can reduce the
possibility of session data being shared by multiple clients by disabling
the recycling of session identifiers. To do this, set the
regenerateExpiredSessionId attribute of the <sessionState> configuration
element to true. This will result in a new session id being generated when a
cookieless session request is made with an expired session id."

But the most important thing that was missed is
"If the request made with the expired session id is made using the HTTP POST
method, then any posted data will be lost when regenerateExpiredSessionId is
true, as ASP.NET performs a redirect to ensure that the browser has the new
session identifier in the URL."

And in .NET, you call the
System.Web.SessionState.HttpSessionStateProvider.Abandon method when a user
logs out. This reduces the potential for an unwanted source using the unique
identifier stored in the URL to retrieve private data stored in the session
for a user.

Regards,

Dharmesh Mehta
Technology Cell,
Mastek Ltd.