Ronnie R
Hi there
We have recently been the subject of a penetration test that has highlighted
a vulnerability in an ASP.NET 2.0 application that is described as the
following...
"The authentication cookie is generated when the user logs into the
application. This cookie is not regenerated the next time a user logs into
the application. A malicious user can abuse this functionality by accessing
the login page and receiving an authentication cookie. The malicious user
then would leave the browser unattended and wait for the next user to login
to the application. When a legitimate user logs into the application, the
malicious user can use the same retrieved authentication cookie to hijack the
user session."
Considering that sessions have a timeout of say 20 mins, isn't this
something that is unavoidable, i.e. if someone decides to hover around a
machine within this 20 second period, grab the cookie and then craft a 'POST'
using this cookie, what is there that can be done to prevent this? Or
perhaps I'm missing the point here.
I have done some reading and implemented
'ViewStateUserKey = Session.SessionID' as recommended here
http://msdn.microsoft.com/en-us/library/ms972969.aspx
If anyone has any thoughts on this I would be very grateful for feedback and
your experiences.
Regards
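Added example, not code from the original post or from the application it describes: one way in ASP.NET 2.0 Web Forms to close the gap the pentest report describes is to regenerate the session identifier at the moment of login and bind the Forms Authentication ticket to that new session, so a cookie that was sitting in the browser before login is not accepted afterwards. The UserName/Password control names and the CredentialStore.Validate helper are assumptions.

```csharp
// Added example (not from the post). Assumes UserName/Password controls and a hypothetical CredentialStore.Validate helper.
using System;
using System.Web;
using System.Web.Security;
using System.Web.SessionState;
using System.Web.UI;
public partial class Login : Page
{
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        if (!CredentialStore.Validate(UserName.Text, Password.Text))
            return; // failed attempt: issue or refresh nothing
        // Abandon() alone keeps the old ASP.NET_SessionId value (the fixation problem),
        // so mint a new ID and write it to the cookie explicitly.
        Session.Abandon();
        SessionIDManager manager = new SessionIDManager();
        string newSessionId = manager.CreateSessionID(Context);
        bool redirected, cookieAdded;
        manager.SaveSessionID(Context, newSessionId, out redirected, out cookieAdded);
        // Issue the Forms ticket only now; UserData records the session it belongs to.
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, UserName.Text, DateTime.Now, DateTime.Now.AddMinutes(20), false, newSessionId);
        HttpCookie authCookie = new HttpCookie(
            FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket));
        authCookie.HttpOnly = true;
        authCookie.Secure = FormsAuthentication.RequireSSL;
        Response.Cookies.Add(authCookie);
        Response.Redirect(FormsAuthentication.GetRedirectUrl(UserName.Text, false), true);
    }
}

// Global.asax.cs: a ticket presented with any session other than the one it was
// bound to at login is rejected (runs once session state is available).
public class Global : HttpApplication
{
    protected void Application_PostAcquireRequestState(object sender, EventArgs e)
    {
        HttpCookie authCookie = Request.Cookies[FormsAuthentication.FormsCookieName];
        if (authCookie == null || Context.Session == null) return;
        FormsAuthenticationTicket ticket = null;
        try { ticket = FormsAuthentication.Decrypt(authCookie.Value); }
        catch (Exception) { /* tampered or foreign cookie: treat as invalid */ }
        if (ticket == null || ticket.UserData != Context.Session.SessionID)
        {
            FormsAuthentication.SignOut();
            Context.Session.Abandon();
            FormsAuthentication.RedirectToLoginPage();
        }
    }
}
```

Anything stored in Session before login is discarded by design and has to be set again after the redirect. Because ASP.NET does not persist the session cookie for a session that holds no data, the explicit SaveSessionID call is also what makes Session.SessionID stable enough to be used as the ViewStateUserKey mentioned above.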