Fixing Session hijacking Security Auditing Issue

Dinesh Kumar
Hello Experts!

I am working on an ASP.NET application; the application is very old, around 10 years.
I am using this configuration in web.config:

<sessionState mode="StateServer" stateConnectionString="tcpip=127.0.0.1:42424" cookieless="UseCookies" timeout="20" cookieName="DrainId"/>

As we know, session hijacking means that if someone steals/copies the session cookie and pastes it into another browser, they can access any inner page of the web application.
How can we stop session hijacking, so that if the session cookie is pasted into another browser we can redirect such a request to the login page?

I copied the cookie this way so that I can paste it into another browser and open an inner page.
ste5an, Senior Developer

Commented:
The countermeasures depend on your definition of session copying. Because e.g. when I copy my FF profile on disk, then I copy the session cookies; this is intentional and normally not a problem.

The normal meaning of session hijacking is an attacker who does not have physical access to the user's machine. In this case you do:

- Use SSL/TLS (it's the standard for everything on the net anyway)
- Use arbitrary, long session keys to minimize the risk that an attacker can guess them. E.g. a random UUID (128-bit) can be sufficient.
- Change the session key during the session. The most common scenario is to change it after a new login.
- Depending on the risk behind your session being hijacked: short sessions and 2FA.
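The third bullet (change the session key after a new login) is the one step that needs code in an ASP.NET Web Forms application; the others are configuration. The following is an added example, not code from this thread or from the asker's application: it abandons the pre-login session and issues a fresh id through the built-in SessionIDManager, which honours the cookie name and settings from `<sessionState>` in web.config (here: DrainId). It assumes that the logged-in state is carried by a Forms Authentication ticket, that a Membership provider is configured for the credential check, and that the control names (UserName, Password, FailureText) and the redirect target ~/Default.aspx exist; all of these are assumptions.

```vb
' Added example: rotate the ASP.NET session id after a successful login so that an id
' observed (or planted) before authentication is worthless afterwards.
' Assumptions: Forms authentication carries the login state, Membership is configured,
' and the control names / redirect target below match the application's Login.aspx.
Imports System
Imports System.Web
Imports System.Web.Security
Imports System.Web.SessionState

Partial Public Class Login
    Inherits System.Web.UI.Page

    Protected Sub LoginButton_Click(sender As Object, e As EventArgs)
        ' Membership.ValidateUser stands in for the application's own credential check (assumption).
        If Not Membership.ValidateUser(UserName.Text, Password.Text) Then
            FailureText.Text = "Invalid user name or password."
            Return
        End If

        ' Throw away the id the browser used while unauthenticated and hand out a new one.
        RotateSessionId(Context)

        ' The auth ticket is a separate cookie, so it stays valid under the new session id.
        FormsAuthentication.SetAuthCookie(UserName.Text, False)
        Response.Redirect("~/Default.aspx", False)
    End Sub

    ' Abandon the current session state and write a freshly generated id into the
    ' session cookie. SessionIDManager reads <sessionState> (cookie name, cookieless
    ' mode) from web.config, so no cookie name is hard-coded here.
    Public Shared Sub RotateSessionId(ctx As HttpContext)
        If ctx.Session IsNot Nothing Then
            ctx.Session.Abandon()
        End If

        Dim mgr As New SessionIDManager()
        mgr.Initialize()
        Dim newId As String = mgr.CreateSessionID(ctx)
        Dim redirected As Boolean = False
        Dim cookieAdded As Boolean = False
        mgr.SaveSessionID(ctx, newId, redirected, cookieAdded)
    End Sub
End Class
```

Two points to keep in mind when using this. First, within the same request the Session object still refers to the abandoned id, so anything the application stores in Session to mark the user as logged in must be written on the next request rather than right after RotateSessionId; using the Forms Authentication ticket for the login marker avoids that ordering problem. Second, the configuration side of the list above is handled in web.config: the existing `timeout="20"` on `<sessionState>` can be lowered for "short sessions", and `<httpCookies httpOnlyCookies="true" requireSSL="true"/>` keeps the DrainId cookie out of reach of page scripts and off plain HTTP, which is what the SSL/TLS bullet is about.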

Author

Commented:
1. Log in in Chrome and access an internal page, e.g. add_new_user.aspx
2. Copy the session cookie from Chrome (debugger tool)
3. Open Firefox, paste the session cookie there
4. Access the internal page directly by pasting the URL, i.e. add_new_user.aspx

What's happening:

5. The add_new_user.aspx page opens in Firefox.

What's expected:

5. The user should be shown the login page.

How can I implement the expected behavior?

What I tried:

1. I created the cookie based on the browser, e.g. using the following function:

    Imports System.Text
    Imports System.Security.Cryptography

    ' Builds a SHA-1 hash of the browser name, platform and version reported by the request.
    Private Function GenerateHashKey() As String
        Dim myStr = New StringBuilder
        myStr.Append(Request.Browser.Browser)
        myStr.Append(Request.Browser.Platform)
        myStr.Append(Request.Browser.MajorVersion)
        myStr.Append(Request.Browser.MinorVersion)
        Dim sha As SHA1 = New SHA1CryptoServiceProvider
        Dim hashdata As Byte() = sha.ComputeHash(Encoding.UTF8.GetBytes(myStr.ToString))
        Return Convert.ToBase64String(hashdata)
    End Function


But the problem with the function is that even though it creates the cookie based on the browser name and version, in the end the cookie will be sent to the server, and the server will not be able to judge which browser the cookie came from; it will just send the response.

global.asax (do you see whether something is missing below?), or any other suggestion.

    Imports System.Text
    Imports System.Security.Cryptography

    Sub Application_AcquireRequestState(ByVal sender As Object, ByVal e As EventArgs)
        ' Requests without session state (static files, some handlers) have no Session here.
        If Context.Session Is Nothing Then Return

        Dim BrowserSpecificDetails As String = GenerateHashKey()
        Dim apsfCookie As HttpCookie = Request.Cookies("APSF")

        If apsfCookie IsNot Nothing AndAlso apsfCookie.Value IsNot Nothing Then
            ' Cookie value combined with the browser hash (computed, not used yet)
            Dim newSessionID As String = apsfCookie.Value + BrowserSpecificDetails

            ' Compare the cookie against the value stored server-side in the session
            If CStr(Session.Contents("APSF")) <> apsfCookie.Value Then
                Class1.Alert("Un-Authorised Access. Login Again")
            End If
        Else
            ' No APSF cookie on this request, so there is nothing to compare against
            ' (reading Request.Cookies("APSF").Value here would throw, since the cookie is Nothing).
        End If
    End Sub

    ' Same helper as above: SHA-1 of the browser name, platform and version.
    Private Function GenerateHashKey() As String
        Dim myStr = New StringBuilder
        myStr.Append(Request.Browser.Browser)
        myStr.Append(Request.Browser.Platform)
        myStr.Append(Request.Browser.MajorVersion)
        myStr.Append(Request.Browser.MinorVersion)
        Dim sha As SHA1 = New SHA1CryptoServiceProvider
        Dim hashdata As Byte() = sha.ComputeHash(Encoding.UTF8.GetBytes(myStr.ToString))
        Return Convert.ToBase64String(hashdata)
    End Function


ste5an, Senior Developer

Commented:
Well, as I said, local access to the machine is normally not covered by "session hijacking", especially as this is not "session hijacking". It's just transferring control to a different browser.

Well, you may store server-side which client or IP was used for the last session, but this information is not really trustworthy and can be spoofed.

So in short: I don't think you're looking at the problem from the right angle. Because if you think your scenario is a real issue, then, as I already wrote:

Depending on the risk behind your session being hijacked: short sessions and 2FA.

Author

Commented:
How short should a session be,
and how can 2FA help me here?
ste5an, Senior Developer

Commented:
Short sessions and 2FA reduce the window in which a possibly hijacked session could be abused. Short sessions enforce a new login; 2FA ensures that you work with the correct user.

Author

Commented:
Can you help me write some trick/logic so that an inner page does not open in another browser when we copy the cookie?
ste5an, Senior Developer
Commented:
Well, just store the user agent in your session table.
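What "store the user agent in your session table" looks like in the asker's setup, where the session table is the StateServer session itself: record a hash of the client details in Session the first time a session is used, and on every later request compare the current request against the recorded value; on a mismatch abandon the session and send the request to the login page, which is the redirect the asker wanted from Application_AcquireRequestState. This is an added example written as a Global.asax.vb code-behind, not code from the thread; the session key name ClientFingerprint, the helper ComputeFingerprint, the use of Forms Authentication and the redirect target ~/Login.aspx are assumptions.

```vb
' Added example: bind each ASP.NET session to a server-side fingerprint of the client
' and end the session when a later request no longer matches it.
' Assumptions: Global.asax.vb code-behind, Forms authentication, login page at ~/Login.aspx.
Imports System
Imports System.Security.Cryptography
Imports System.Text
Imports System.Web
Imports System.Web.Security

Public Class Global_asax
    Inherits System.Web.HttpApplication

    ' Session key under which the fingerprint is kept (name is an assumption).
    Private Const FingerprintKey As String = "ClientFingerprint"

    ' Runs for every request once session state is available.
    Sub Application_AcquireRequestState(sender As Object, e As EventArgs)
        ' Static files and handlers without session state have no Session object here.
        If Context.Session Is Nothing Then Return

        Dim actual As String = ComputeFingerprint(Request)
        Dim expected As String = TryCast(Context.Session(FingerprintKey), String)

        If expected Is Nothing Then
            ' First use of this session: remember what the client looked like.
            Context.Session(FingerprintKey) = actual
        ElseIf expected <> actual Then
            ' The cookie arrived from a client that does not match the one that
            ' started the session: drop the session, clear the auth ticket, go to login.
            Context.Session.Abandon()
            FormsAuthentication.SignOut()
            Response.Redirect("~/Login.aspx?reason=session", False)
            CompleteRequest()
        End If
    End Sub

    ' SHA-256 over the user agent plus the browser capability values the asker's
    ' GenerateHashKey already used. The separator keeps "Chrome" + "1" distinct from
    ' "Chrom" + "e1". Only a hash is stored, so the raw header never lands in state.
    Public Shared Function ComputeFingerprint(request As HttpRequest) As String
        Dim sb As New StringBuilder()
        sb.Append(request.UserAgent)
        sb.Append("|").Append(request.Browser.Browser)
        sb.Append("|").Append(request.Browser.Platform)
        sb.Append("|").Append(request.Browser.MajorVersion)
        sb.Append("|").Append(request.Browser.MinorVersion)
        Using sha As SHA256 = SHA256.Create()
            Return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(sb.ToString())))
        End Using
    End Function
End Class
```

The comparison is done in Application_AcquireRequestState rather than on the login page because that event runs for every page that uses session state, including add_new_user.aspx reached directly by URL. Two consequences are worth knowing before deploying it: a user whose browser updates itself mid-session gets sent back to login (the version numbers are part of the hash), and, as ste5an points out above, everything hashed here is sent by the client, so this check narrows the problem described in the question but does not replace TLS, rotating the id after login, short timeouts and 2FA.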
