Broken Authentication and Session Management – part Ⅱ

HTTP is a stateless protocol, hence web server does not maintain any track of user activity. To track user activity we generally use Sessions. There are various ways of session management where the server generates a session identifier (ID) initially and ensure that the same ID will be sent back by the browser along with each subsequent request. This helps us to maintain a record of user. Improper handling of these session variables could be a serious threat and allows attackers to gain access to the system. This article illustrates session fixation considering ASP.NET web application. For better understanding I have created a simple ASP.NET application. You can download the project from here. This project has two folders ‘SecureLoginFunc’ & ‘InsecureLogin‘ which contains login & logout mechanism of the application. You need to import the downloaded project to Visual Studio or create a virtual directory in IIS and add this project to it.

As you know a Session is used to track the user activity using a Cookie. In ASP.NET, server creates a cookie named as ‘ASP.NET_SessionId‘ on the client. This ‘ASP.NET_SessionId’ cookie value will be checked for every request to ensure the authenticity & Identity. ASP.NET has two ways of transmitting session IDs back and forth to the browser, either embedded in the URL or through a session cookie. You can easily spot the session ID when it’s embedded in the URL, for example ‘’. Anyway this is not recommended solution.

Continue reading


Broken Authentication and Session Management – part Ⅰ

According to OWASP, Broken Authentication and Session Management was defined as  ‘Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities.’ In other words, an attacker can get unauthorized access of the user due to the flaw in the implementation. Before exploiting this vulnerability you need to know few concepts

  1. What is a Session and why do we need a Session
  2. What is a Cookie
  3. What is an Authentication

Continue reading