Session Fixation

mawingpui
Hi Experts,

I tried using IBM Rational AppScan to scan the website, but the "Session Fixation" problem still comes up.

Page
login.asp -> default.asp -> logout.asp

The "Session identifier not updated" problem seems to be that the Session ID is re-used.

http://www.owasp.org/index.php/Session_Fixation_Protection

I tried to follow the example above, but was unsuccessful.

Is it possible to do the following?

- Renew the ASPSESSIONID
- Cookieless Session
- Encrypted URL
...
Commented:
You can't renew ASPSESSIONID no matter what you do. If AppScan is looking only at this value, it will never pass.
The workaround is to look for an ASPFIXATION value which changes for each session; if AppScan doesn't know to do this, then it's a problem with the scanning application rather than your website.
You should accept this as an exception for AppScan, or if you want a clean report you have to switch to .NET.
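The workaround the answer describes, a second per-login value (the answer calls it ASPFIXATION) bound to the server-side session because the ASPSESSIONID cookie itself stays fixed for the life of the browser session, as an added example that is not code from the thread, from IBM or from Microsoft. It is written in Python rather than classic ASP VBScript so it runs stand-alone: the `sessions` store models the server's session table keyed by ASPSESSIONID, the three functions stand in for login.asp, default.asp and logout.asp, and the user table and all function names are assumptions. The cookie name ASPFIXATION is taken from the answer.

```python
import secrets

# Server-side session table keyed by the browser's fixed session id.
# Models the classic-ASP Session object looked up by ASPSESSIONID (assumption:
# the real store is opaque; a dict is enough to show the binding logic).
sessions: dict[str, dict] = {}

# Constructed user table for the example only; never store plaintext passwords.
USERS = {"alice": "correct horse battery staple"}


def new_server_session() -> str:
    """Issue a fresh session id, as the server does for a browser with no cookie."""
    sid = secrets.token_hex(12)
    sessions[sid] = {}
    return sid


def check_password(username: str, password: str) -> bool:
    expected = USERS.get(username)
    return expected is not None and secrets.compare_digest(expected, password)


def login(cookies: dict, username: str, password: str) -> dict:
    """login.asp: on success, mint a fresh ASPFIXATION token, store it in the
    server session and hand it to the browser as a second cookie.
    Returns the cookie jar the browser holds afterwards."""
    sid = cookies.get("ASPSESSIONID")
    if sid not in sessions:
        sid = new_server_session()  # unknown or absent id: server issues a new one
    if not check_password(username, password):
        return {"ASPSESSIONID": sid}  # no authenticated state is created
    token = secrets.token_urlsafe(32)
    sessions[sid].clear()  # discard any state that existed before authentication
    sessions[sid]["user"] = username
    sessions[sid]["ASPFIXATION"] = token
    # ASPSESSIONID is unchanged (it cannot be renewed); the new token is what binds
    # this authenticated session to the browser that actually logged in.
    return {"ASPSESSIONID": sid, "ASPFIXATION": token}


def is_authenticated(cookies: dict) -> bool:
    """default.asp: the request is authenticated only if the fixed session id
    resolves to a logged-in session AND the presented ASPFIXATION cookie matches
    the value stored at login time. A planted ASPSESSIONID alone is not enough."""
    sess = sessions.get(cookies.get("ASPSESSIONID"))
    if not sess or "user" not in sess:
        return False
    expected = sess.get("ASPFIXATION")
    presented = cookies.get("ASPFIXATION")
    if expected is None or presented is None:
        return False
    return secrets.compare_digest(expected, presented)


def logout(cookies: dict) -> None:
    """logout.asp: drop all server-side state, as Session.Abandon would."""
    sess = sessions.get(cookies.get("ASPSESSIONID"))
    if sess is not None:
        sess.clear()


def fixation_attack_scenario() -> dict:
    """Constructed exchange: the attacker obtains a valid ASPSESSIONID, plants it on
    the victim's browser, the victim logs in, and the attacker then replays the
    same ASPSESSIONID without the ASPFIXATION cookie the victim received."""
    attacker_sid = new_server_session()
    victim_cookies = {"ASPSESSIONID": attacker_sid}            # planted by attacker
    victim_cookies = login(victim_cookies, "alice", "correct horse battery staple")
    attacker_cookies = {"ASPSESSIONID": attacker_sid}          # attacker lacks the token
    result = {
        "same_aspsessionid": victim_cookies["ASPSESSIONID"] == attacker_sid,
        "victim_ok": is_authenticated(victim_cookies),
        "attacker_ok": is_authenticated(attacker_cookies),
    }
    logout(victim_cookies)
    result["victim_after_logout"] = is_authenticated(victim_cookies)
    return result


if __name__ == "__main__":
    print(fixation_attack_scenario())
```

The point the scenario makes is the one in the answer: the ASPSESSIONID value really is identical before and after login, so a scanner that only watches that cookie will keep flagging "session identifier not updated", but the attacker who fixed it still cannot use the authenticated session because the per-login ASPFIXATION token is compared on every protected page and is never sent to the browser that did not log in. In classic ASP the same pattern is a random value written to Session and to a cookie in login.asp, compared at the top of every protected page, and cleared with Session.Abandon in logout.asp.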
