L4 - Session Management & Security Flashcards

1
Q

HTTP

A

HTTP is a stateless protocol.
- It follows a request/response pattern, i.e., the user requests a resource and the web server responds with the requested resource.
- Information is not retained (passed on) from one request to another.

2
Q

Client side session management

A

View state, hidden field, cookies, control state, query string

3
Q

Server side session management

A

Session, application object, caching

4
Q

Session (Server)

A
  • Session is used to store information and identity. The server stores the session using a Session_id.
  • 2 events: Session_Start(), Session_End()
5
Q

How to create a session variable (Server)

A

Session.Add("ssuser", txtboxloginid.Text); // add a new session variable by key
Session["ssuser"] = txtboxloginid.Text;    // equivalent indexer syntax (adds or overwrites)

6
Q

How to retrieve value from session (Server)

A

string LoginUser = (string)Session["ssuserName"]; // session values are stored as object and must be cast back

7
Q

How to delete session object(s) (Server)

A

Session.Remove("cartvalue"); // Remove a single object by key
Session.Abandon();           // Remove all objects and end the session

8
Q

Session Timeout (Server)

A
  • Session timeout can be configured in the web.config file
  • It indicates the time that the session can be idle before it is abandoned
  • <sessionState timeout="20"></sessionState>
  • By default, session timeout = 20 minutes
9
Q

How is data stored in “Session” (Server)

A

– InProc Mode
* It is the default session mode; values are stored in web server (IIS) memory.
* Session values are kept from when the server starts and are lost when the server is restarted.
* Limited to ONLY one server.
– State Server Mode
* In this mode session data is stored in a separate server.
– SQL Server Mode
* In this mode the session is stored in the database. It is a secure mode.

10
Q

Application (Server)

A
  • State is maintained until the application shuts down.
  • Shared by all users accessing the application
  • 3 events: Application_Start(), Application_Error(), Application_End()
11
Q

Cache (Server)

A
  • Cache is stored on server side
  • Cache is used to set expiration policies
12
Q

Cookies (Client)

A

– A small amount of data which is stored either on the client side in a text file or in the memory of the client browser session.
– Every time a user visits a website, cookies are retrieved from the user's machine and help identify the user.

13
Q

Persistent Cookie (Client)

A

Cookies that have an expiration date are called persistent cookies. This type of cookie reaches its end when its expiration date is reached. For this kind of cookie we set an expiration date.

14
Q

Non persistent cookie (Client)

A
  • Not stored permanently on the client's hard drive.
  • Once the user exits the browser, the cookies will be cleared
15
Q

Control state

A
  • A private ViewState for specific controls only
  • to cache data necessary for a control to function properly
  • not affected when ViewState is turned off
16
Q

Hidden Field

A
  • Hidden field is not displayed on the browser.
  • It is visible to all the users in the URL, as in the following link
17
Q

Viewstate

A

– stores any type of data (small data)
– can be enabled and disabled at page level and per control.
– supports encryption and decryption, and the data/value is stored in hashed format.

18
Q

Query String

A
  • Query string stores the value in the URL
  • It is visible to all the users in the URL, as in the following link
19
Q

Broken Authentication and Session Management Prevention

A
  • Account credentials must be properly protected by means of strong encryption.
    – SSL should be used in the transmission of credential information.
  • Secure Session ID
    – Name should not give away details about the purpose and meaning of the ID.
    – Length at least 128 bits to prevent brute-force attacks.
    – Must be random enough to prevent guessing.
    – No meaning to the ID, to prevent information disclosure attacks.
  • Avoid XSS flaws which could be used to steal the session ID.
20
Q

Session Fixation

A
  • Session Fixation is a specific attack against the session that allows an attacker to gain access to a victim’s session.
  • An attacker visits the website to obtain a valid session.
  • This valid session cookie is placed in the victim’s browser by getting the victim to click on some malicious link.
  • When the victim logs into the website, both the attacker and the victim will use the same session cookie that the attacker already knows, and thus the attacker-owned cookie is now authenticated and can be exploited.
21
Q

How to prevent Session Fixation Attack

A
  • Generate a new set of session_ids or tokens each time a user logs in, and invalidate the old ones, if any.
  • Add an additional session_id to circumvent the default behaviour
  • Perform session timeout.
22
Q

ASP.NET_SessionId Issue

A
  • ‘ASP.NET_SessionId’ wasn’t deleted upon user logout.
  • To overcome this problem we will create another cookie, ‘AuthToken’, that has a random GUID as its value.

When the user clicks on the logout button, the ‘btnLogout_Click’ event will be triggered. This event removes all session objects. Also, we explicitly remove the values of the cookies ‘ASP.NET_SessionId’ and ‘AuthToken’ so that an attacker cannot fixate the session.