Securing Session ID: ASP/ASP.NET

  • Article

Checking through the Kb article (https://support.microsoft.com/kb/274149 )

“IIS supports the use of a Session ID cookie to track the current session identifier for a web session. However, .ASP in IIS does not support the creation of secure Session ID cookies as defined in RFC 2109. As a result, secure and non-secure pages on the same web site use the same Session ID. If a user initiated a session with a secure web page , a Session ID cookie would be generated and sent to the user, protected by SSL. But if the user subsequently visited a non-secure page on the same site, the same Session ID cookie would be exchanged, this time in plaintext. If a malicious user had complete control over the communications channel, he could read the plaintext Session ID cookie and use it to connect to the user's session with the secure page. At that point, he could take any action on the secure page that the user could take”

Here we are dealing with SessionID cookie for ASP specifically which are store in-memory not on client side in temp folder

Performing the simple test on my end demonstrating the same

· Browse on https://, seeing cookie is being set in Response Header

  • Set-Cookie: ASPSESSIONIDQSSTSAAB=IICDKJDANIPCPBPNHKKCNDLC; path=/

· Moved to http from https, checking Request header which client send in

  • ASPSESSIONIDQSSTSAAB=IICDKJDANIPCPBPNHKKCNDLC

**** Same Session id is used even when we moved in from https to http

Now to fix this, KB states setting up following entry in IIS metabase : cscript adsutil.vbs set w3svc/1/AspKeepSessionIDSecure 1

Performing the same test again after setting IIS metabase key

· Browse on https://, seeing cookie is being set in Response Header

      • Set-Cookie: ASPSESSIONIDSUTRTBBB=APFHCKDAMJBFKKAJEBAPKOGO; secure; path=/
      • Note down the secure keyword added

· Moved to http from https, Now this time we see another set cookie instead of previous cookie being used from secure page

      • Set-Cookie: ASPSESSIONIDSQTRTBBB=BPFHCKDANDJGNIOAJOHAAKDH; path=/

At this point same fix does not work for ASP.Net session id cookie for that we can execute simple code like in global,asax file

Sub Session_Start(ByVal sender As Object, ByVal e As EventArgs)

          ' Fires when the session is started

Response.Cookies("ASP.NET_SessionID").Secure = True

End Sub

In the nutshell, AspKeepSessionIDSecure just make ASP session id to travel only on https traffic.

In case you want client side cookie to be secure make sure to encrypt it , this key[AspKeepSessionIDSecure] won’t make it secure in physical temp folder.

Hot