Session and cookie management in Net Justin Brunelle
Session and cookie management in. Net Justin Brunelle CS 795 6/18/2009
Introduction to Cookies • Used to store data – Stateful way of storing data in stateless environment • Contain two attributes – names and values
Cookie Example • Creating a cookie in ASP. NET: Http. Cookie cookie = new Http. Cookie(“cookie. Name”); cookie. Values[“Value. Name 1”] = “My. Val 1”; cookie. Values[“Value. Name 2”] = “My. Val 2”; • Retrieving a cookie in ASP. NET Http. Cookie my. Cookie = Request. Cookies[“cookie. Name”]; if(my. Cookie != null) { string val 1 = my. Cookie. Values[“Value. Name 1”]; string val 2 = my. Cookie. Values[“Value. Name 2”]; }
Introduction to Sessions • ASP starts a session and returns a cookie – Automatic when using sessions • on user login – Needs cookies • Session Objects contain session state data
![Session Example • Add data to a session object Session[“Data. Name’] = my. Data;](http://slidetodoc.com/presentation_image_h2/95162560e66570df1b1d181fc42c343d/image-5.jpg "Session Example • Add data to a session object Session[“Data. Name’] = my. Data;")
Session Example • Add data to a session object Session[“Data. Name’] = my. Data; • Retrieving data from a session object my. Data = Session[“Data. Name”] • Other Functions: Session. Is. New. Session. Remove. All Session. ID
Sessions without Cookies • You don't have to change anything in your ASP. NET application to enable cookieless sessions, except the following configuration setting – <session. State cookieless="true" /> • Session identifiers stored in the URL http: //msdn. microsoft. com/en-us/library/aa 479314. aspx • Session information lost between sessions with cookieless sessions • Cookieless sessions creates a security issue when sending URLs to others
Session Variables • Can be used to store data about the current user and his session • Session["First. Name"] = First. Name. Text. Box. Text; Session["Last. Name"] = Last. Name. Text. Box. Text;
Cookies and Security • Insecure – Stored in text – Can be encrypted • Still can be read, and possibly decoded • Solution: – Encrypt in web. config • <forms protection=“Encryption” /> • Use timeouts to prevent theft and reuse
Cookie Poisoning • Cookies intercepted when sent between the server and the client • Modifying cookies to gain access to sensitive information – Such as, getting a cookie and changing the values – Extracting passwords • Both done with a web proxy tool http: //searchsoftwarequality. techtarget. com/expert/Knowledgebase. Answer/0, 289625, sid 92_gci 1210580, 00. html
Prevent Cookie Poisoning • Encrypt values and sensitive information – DES, AES, etc.
Prevent Cookie Poisoning • Treat cookies as untrusted sources of information • Use regular expressions and type matching to test validity of cookies – Use regular expressions and strict data formatting conventions in your code – If the type stored in a cookie is known, make sure the value of the cookie can be cast • such as string to int, where int is the desired type
Protection from Java. Script and Cookies • Users can use scripting attacks by entering Java. Script into forms fields – Can be stored in cookies and read later • We can cache malicious attacks – Attacks cached from Cookies, Query. String and Forms Posts. http: //msdn. microsoft. com/en-us/library/ms 972967. aspx
Protection from Java. Script and Cookies • <%@ Page validate. Request=“true" %> – Checks all input data against a list of potentially dangerous values – Slows performance, but only for users doing the attack • Valdidate. Request=true won't hamper your users experience in any way • Http. Request. Validation. Exception is thrown to signal malicious code – Catch the error and program accordingly
Alternate script injection protection • Server. Html. Encode(string) – Encodes the inserted script using html codes – <script language=“javascript”>alert(“hi”); </script> becomes – < script > language=" javascript" >alert(" hi" ); < /script> – Must be careful about how we use decoded strings with this method
Encrypting Cookies • Use Http. Secure. Cookie and Machine. Key. Cryptography Function secure. My. Cookie(Http. Cookie my. Cookie) { Http. Cookie encoded. Cookie = new Http. Cookie(my. Cookie. Name, my. Cookie. Value); encoded. Cookie. Domain = my. Cookie. Domain; encoded. Cookie. Expires = my. Cookie. Expires; encoded. Cookie. Http. Only = my. Cookie. Http. Only; encoded. Cookie. Path = my. Cookie. Path; encoded. Cookie. Secure = my. Cookie. Secure; encoded. Cookie. Value = Machine. Key. Cryptography. Encode(cookie. Value, Cookie. Protection cookie. Protection); return encoded. Cookie; } http: //www. codeproject. com/KB/web-security/Http. Secure. Cookie. aspx
Encryption and Decryption • Http. Cookie cookie = new Http. Cookie("User. Name", "Terminator"); cookie. Expires = Date. Time. Now. Add. Days(1); Http. Cookie encoded. Cookie = Http. Secure. Cookie. Encode(cookie); Response. Cookies. Add(encoded. Cookie); • Http. Cookie cookie = Request. Cookies["User. Name"]; lbl. Display. Before. Text = cookie. Value; Http. Cookie decoded. Cookie = Http. Secure. Cookie. Decode(cookie);
Session State in IE Tabs • Session only shared between tabs if user opens a new tab from a tab already in the session – State can become unstable if user modifies the same data a different way in each tab – User might have to log into each of the tabs
Resolutions • Issues with these: – Logging in is annoying – Can’t use pop-ups to transmit data • Don’t have sessions – Hidden fields are insecure • Problem stems from the process that runs the tabs
Resolutions (cont’d) • Config Setting: <session. State mode=“In. Proc” cookieless=“Use. URI” /> • Appends the session state to the URL of the new tab http: //host. Name/Sample. Page/(S(asdf 34 qwer 10 asdfz))/my. Page. aspx – Gives us a new session for each tab stemming from the first session
IE 8 Tabs • Tabs run by one process – Tab process handles a single session for each tab – Code from the previous slide forces a new session • Users can also select “File -> New Session”
Tricking ASP. NET Sessions • Normally, session cookies expire at the end of the session • We can enter Java. Script in the address bar to create your own session cookies: javascript: void(document. cookie="ASP. NET_Session. Id=Why. Did. The. Chicken. Cr oss. The; path=/") • We can set the expiration date to save the cookie and session data javascript: void(document. cookie="ASP. NET_Session. Id=Why. Did. The. Ch icken. Cross. The; path=/; expires=Mon, 19 Mar 2007 18: 25: 19 GMT");
Protecting Session Cookies • ASP. NET does not put login credentials in session cookies – Mitigates the following problem slightly • Hijackers can still take session cookies and reuse them to gain access to information • Use the following to protect your cookies: if (!Page. User. Identity. Is. Authenticated) { if (Page. Request. Cookies["ASP. NET_Session. Id"] != null) { Response. Cookies["ASP. NET_Session. Id"]. Expires = Date. Time. Now. Add. Years(-30); } Session. Abandon(); }
Questions?
- Slides: 23