Securing Session ID: ASP/ASP.NET
Checking through the KB article (https://support.microsoft.com/kb/274149):
“IIS supports the use of a Session ID cookie to track the current session identifier for a web session. However, .ASP in IIS does not support the creation of secure Session ID cookies as defined in RFC 2109. As a result, secure and non-secure pages on the same web site use the same Session ID. If a user initiated a session with a secure web page, a Session ID cookie would be generated and sent to the user, protected by SSL. But if the user subsequently visited a non-secure page on the same site, the same Session ID cookie would be exchanged, this time in plaintext. If a malicious user had complete control over the communications channel, he could read the plaintext Session ID cookie and use it to connect to the user's session with the secure page. At that point, he could take any action on the secure page that the user could take”
Here we are dealing specifically with the classic ASP Session ID cookie, which is an in-memory cookie and is not stored on the client side in a temp folder.
Performing a simple test on my end to demonstrate this:
· Browse over https://; the cookie is set in the Response header:
- Set-Cookie: ASPSESSIONIDQSSTSAAB=IICDKJDANIPCPBPNHKKCNDLC; path=/
· Move from https to http and check the Request header the client sends:
- ASPSESSIONIDQSSTSAAB=IICDKJDANIPCPBPNHKKCNDLC
**** The same Session ID is used even after we moved from https to http.
Now to fix this, the KB states that the following entry should be set in the IIS metabase: cscript adsutil.vbs set w3svc/1/AspKeepSessionIDSecure 1
Performing the same test again after setting the IIS metabase key:
· Browse over https://; the cookie is set in the Response header:
- Set-Cookie: ASPSESSIONIDSUTRTBBB=APFHCKDAMJBFKKAJEBAPKOGO; secure; path=/
- Note the secure keyword that has been added.
· Move from https to http; this time a new cookie is set instead of the cookie from the secure page being reused:
- Set-Cookie: ASPSESSIONIDSQTRTBBB=BPFHCKDANDJGNIOAJOHAAKDH; path=/
The same fix does not cover the ASP.NET session ID cookie; for that we can add simple code like the following to the global.asax file:
    ' global.asax: mark the ASP.NET session cookie Secure so the browser sends it over https only
    Sub Session_Start(ByVal sender As Object, ByVal e As EventArgs)
        ' Fires when the session is started; the session cookie is already in the response here.
        ' The cookie name issued by ASP.NET session state is ASP.NET_SessionId (lowercase 'd').
        Response.Cookies("ASP.NET_SessionId").Secure = True
    End Sub
In a nutshell, AspKeepSessionIDSecure just makes the ASP session ID travel only over https traffic.
If you want a client-side (persistent) cookie to be secure, make sure to encrypt it; this key [AspKeepSessionIDSecure] does not protect a cookie stored in the physical temp folder.
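To repeat the before/after check above (and the ASP.NET case) without a browser, here is an added Python check that is not part of the original post: it parses a Set-Cookie header, applies the browser rule that a Secure cookie is only attached to https requests, and reports whether a session cookie would still travel over plain http. The two classic ASP header lines are the ones captured in the tests above; the ASP.NET_SessionId line is constructed for illustration and its value is made up. The prefix list and function names are this example's own assumptions.

```python
"""Added check: does a Set-Cookie header let a session cookie travel over plain http?"""
from dataclasses import dataclass, field


@dataclass
class ParsedCookie:
    name: str
    value: str
    # attribute name (lower-cased) -> attribute value, or None for flags like Secure
    attributes: dict = field(default_factory=dict)

    @property
    def secure(self) -> bool:
        return "secure" in self.attributes

    @property
    def http_only(self) -> bool:
        return "httponly" in self.attributes


def parse_set_cookie(header: str) -> ParsedCookie:
    """Parse 'Set-Cookie: name=value; attr; attr=value' (the header name is optional)."""
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attributes = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_value, val = part.partition("=")
        attributes[key.strip().lower()] = val.strip() if has_value else None
    return ParsedCookie(name.strip(), value.strip(), attributes)


def would_be_sent(cookie: ParsedCookie, scheme: str) -> bool:
    """Client rule (RFC 6265): a Secure cookie is only attached to https requests."""
    if cookie.secure:
        return scheme.lower() == "https"
    return True


# Session cookie name prefixes for the two cases discussed in the post (assumed list).
# Classic ASP appends a random suffix (e.g. ASPSESSIONIDQSSTSAAB), hence prefix matching.
SESSION_COOKIE_PREFIXES = ("ASPSESSIONID", "ASP.NET_SessionId")


def audit_session_cookie(header: str) -> dict:
    """Report whether the header's cookie is a session cookie and whether it leaks over http."""
    cookie = parse_set_cookie(header)
    is_session = any(cookie.name.lower().startswith(p.lower()) for p in SESSION_COOKIE_PREFIXES)
    return {
        "name": cookie.name,
        "is_session_cookie": is_session,
        "secure": cookie.secure,
        "httponly": cookie.http_only,
        # the finding the post's manual test was looking for
        "leaks_over_http": is_session and would_be_sent(cookie, "http"),
    }


# Headers captured in the post's tests (before and after AspKeepSessionIDSecure),
# plus a constructed ASP.NET example whose cookie value is made up.
BEFORE_FIX = "Set-Cookie: ASPSESSIONIDQSSTSAAB=IICDKJDANIPCPBPNHKKCNDLC; path=/"
AFTER_FIX = "Set-Cookie: ASPSESSIONIDSUTRTBBB=APFHCKDAMJBFKKAJEBAPKOGO; secure; path=/"
ASPNET_FIXED = "Set-Cookie: ASP.NET_SessionId=constructedvalue000; path=/; secure; HttpOnly"

if __name__ == "__main__":
    for header in (BEFORE_FIX, AFTER_FIX, ASPNET_FIXED):
        print(audit_session_cookie(header))
```

Run it against the Set-Cookie lines from your own proxy or browser capture: a session cookie reported with leaks_over_http set to True is exactly the condition the first test above showed, and the same check flags a missing HttpOnly flag, which the comments below recommend setting as well.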
Comments
Anonymous
November 20, 2012
What's the purpose of encrypting a sessionid - it still has to be sent back to the server?

Anonymous
January 29, 2013
Hi Andrey, a non-secure session id cookie can be stolen and then used to crash your web app site.

Anonymous
December 12, 2013
Thanks! This is very helpful, though I found the cookie name is ASP.NET_SessionId (lowercase 'd') when using ASP.NET 4.5.

Anonymous
December 12, 2013
Recommend also setting Response.Cookies("ASP.NET_SessionId").HttpOnly = True

Anonymous
March 26, 2014
Response.Cookies("ASP.NET_SessionID").Secure = True
If I have two different environments like Staging and Production, where Staging uses http and Production uses https, will there be any impact when I deploy this piece of code in Staging?