Securing Session in ASP.NET

Session Security in ASP.NET

There are a growing number of security attacks on web sites day by day. Below are the statistics of security attacks as per one of the security reports published in 2009.

[Chart: security attack statistics from the 2009 report; panels "PC Virus" and "Web Site Attacks"]

Most of the attacks on web sites are to:
- Gather user information (PI / email address / contacts etc.)
- Increase the load on the web site, causing the server to halt or go down
- Add malware software ads on the web site

There are many ways to make a web site secure. Below are some of them:
- Hardware (firewall rules and ports)
- IIS (CGI and other security restrictions)
- Application security considerations

But this paper concentrates mostly on application considerations in ASP.NET for session hijacking. Below are some of the important security attacks on ASP.NET web sites:
- Session hijacking (filtering)
- SQL injection
- Cross site scripting
- View state hijacking

Session Hijacking

Session hijacking is a method of taking over a web user session by surreptitiously obtaining the session ID and masquerading as the authorized user. Once the user's session ID has been accessed (through session prediction), the attacker can masquerade as that user and do anything the user is authorized to do on the network.

There are many malware viruses or network monitoring threats that will observe the session cookies that store the user's session ID. Once the virus has the information it forwards the details to hackers, who use the same user cookie to access the session information, which may contain PI that they can use. SSL will encrypt the data on the wire, but the cookie stored on the client can still be used by the hacker. Another option is cookieless session mode, which is not secure either, as the session details become part of the URL and any network monitoring tool can read the URL. Below are some more methods used by hackers to get session information:
- Prediction – guessing of session IDs. Hackers analyze one session ID, try to guess other valid session IDs, track all currently active users on the server and gather all their information.
- Fixation – if you are using the default ASP.NET session ID, the details of session ID generation are documented and it is not difficult to generate a valid session ID.

Is it possible to maintain the session ID without using a cookie or URL? It can be done using HTTP headers, but the header information can still be tracked. Below diagrams illustrate these security attacks.

[Diagrams: session hijacking attacks]

So to make the session data more secure, an alternate consideration is to identify and validate client information from request to request. If a request for the same session ID comes from a different client, it can be considered a hijack attack. To identify the client, below is some information we can get from the request:
- IP address
- User identity information
- Browser information

Each of these has some limitations:

IP address
- We cannot depend on the IP address, as the hacker can also use the same proxy to connect to the server.
- If the IP address changes for any other reason, then even a request from the valid user will be considered an attack.

User identity information
- Can be considered up to some extent, since the chance of the same user and machine name matching is very low. But the hacker can also create the same user name and machine name to hijack the session.

Browser/OS information
- The hacker can also use the same browser and OS.

If you consider the above set of limitations it may be risky to create session ID information based on any one of these, but a combination of them may produce better options. The session ID should carry the below information, which will help to track valid users:
- Browser / OS information: browser type & version, OS type & version
- User identity information: user details & identity, if any
- Previous URL: the URL that caused a postback or redirect. Not recommended if you have popups and iframes.
- IP address: depending on the application environment

If the cookie holds this information in addition to the session ID, or the session ID is generated in such a way that these details are kept in the ID, then each request coming from the client should be validated; if the session data and the request data don't match, it is a session hijack and we can block that request. Below diagram illustrates this.

[Diagram: request validation against the client details bound to the session ID]

This method can be implemented in ASP.NET in a very easy way. Let's consider that we are going to use the session ID to maintain the validation information. A simple session ID generated by ASP.NET looks like bo4qhu45ihqco1ftmvprfe55, an alphanumeric string 24 characters long. So now let's try to hook up client details to this session ID as illustrated below.

Session ID Manipulation

Below are the steps:
1. Get the ASP.NET_SessionId cookie and value
2. Create a hash key on browser & OS & client identity & previous URL information
3. Attach the hash key to the cookie value
4. Attach the cookie to the response

Session ID Validation

Below are the steps:
1. Get the ASP.NET_SessionId cookie and value
2. Create a hash key on browser & OS & client identity information
3. Validate the new hash key against the value in the cookie
4. Update the cookie so the application will understand it

Sample ASP.NET Code

These validations on the session can be done at HTTP module level or placed in Global.asax. Let's use Global.asax events to do our work.

Below code validates the request. Only if the session ID cookie carries our hash key is it considered a valid request.

```csharp
// Global.asax.cs (code-behind). Directives the original listing left out:
using System;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Text;
using System.Web;

// Inside the Global class. Keep the cookie name in one place
// (the original listing mixed "SessionId" and "SessionID").
const string SessionCookieName = "ASP.NET_SessionId";
// Length of the session ID issued by ASP.NET, e.g. bo4qhu45ihqco1ftmvprfe55
const int SessionIdLength = 24;

protected void Application_BeginRequest(object sender, EventArgs e)
{
    HttpCookie sessionCookie = Request.Cookies[SessionCookieName];
    if (sessionCookie == null || sessionCookie.Value == null)
    {
        return; // no session cookie yet, nothing to validate
    }
    string newSessionID = sessionCookie.Value;
    if (newSessionID.Length <= SessionIdLength)
    {
        // Cookie carries no hash key: log the attack details here
        throw new HttpException("Invalid Request");
    }
    if (GenerateHashKey() != newSessionID.Substring(SessionIdLength))
    {
        // Client details do not match the ones bound to this session: log the attack details here
        throw new HttpException("Invalid Request");
    }
    // Hand the plain 24-char ID back to the session state module so the application works as usual
    sessionCookie.Value = newSessionID.Substring(0, SessionIdLength);
}
```

Below code updates (manipulates) the session cookie on the way out.

```csharp
protected void Application_EndRequest(object sender, EventArgs e)
{
    // Indexing Response.Cookies by name silently creates an empty cookie, so check AllKeys first.
    // A newly issued session ID lives in Response.Cookies; an existing one was trimmed to 24 chars in BeginRequest.
    string sessionId = Array.IndexOf(Response.Cookies.AllKeys, SessionCookieName) >= 0
        ? Response.Cookies[SessionCookieName].Value
        : (Request.Cookies[SessionCookieName] != null ? Request.Cookies[SessionCookieName].Value : null);
    if (string.IsNullOrEmpty(sessionId))
    {
        return; // no session yet, nothing to bind
    }
    Response.Cookies[SessionCookieName].Value = sessionId.Substring(0, SessionIdLength) + GenerateHashKey();
}
```

A simple routine to generate the hash key based on browser and user information:

```csharp
string GenerateHashKey()
{
    StringBuilder myStr = new StringBuilder();
    myStr.Append(Request.Browser.Browser);
    myStr.Append(Request.Browser.Platform);
    myStr.Append(Request.Browser.MajorVersion);
    myStr.Append(Request.Browser.MinorVersion);
    // LogonUserIdentity can be null depending on the host; fall back to an empty user part
    WindowsIdentity identity = Request.LogonUserIdentity;
    myStr.Append(identity != null && identity.User != null ? identity.User.Value : string.Empty);
    using (SHA1 sha = new SHA1CryptoServiceProvider())
    {
        byte[] hashdata = sha.ComputeHash(Encoding.UTF8.GetBytes(myStr.ToString()));
        return Convert.ToBase64String(hashdata);
    }
}
```

Below is the result: the cookie value now contains the client information hash as well as the session ID.

[Screenshot: ASP.NET_SessionId cookie value with the session ID followed by the hash key]

This is just sample code; if you want to use this in production you need to consider many details that match your environment.

Sudhakar K, MCP
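The manipulation and validation steps above, worked through end to end as an added example (not the article's code, and not ASP.NET): a cookie is built as the 24-char session ID plus a hash of the client details, then checked on a later request from the same client, from a different client, and with the hash stripped off. It swaps the article's unkeyed SHA1 for an HMAC with a server-side key (an assumption of this example) so the suffix cannot be recomputed from the cookie contents alone; the request dictionaries and session ID below are constructed sample data.

```python
import hashlib
import hmac

SESSION_ID_LEN = 24                     # length of the ASP.NET session ID, as on the page
SERVER_KEY = b"constructed-demo-key"    # assumption: per-server secret, not part of the article


def fingerprint(request):
    """Client details the article binds to the session: browser, platform, version, user."""
    parts = [request["browser"], request["platform"],
             str(request["major"]), str(request["minor"]), request["user"]]
    return "|".join(parts).encode("utf-8")


def generate_hash_key(request):
    # Keyed HMAC (swapped in for the article's plain SHA1): a captured cookie does not let
    # someone forge a valid suffix for a different browser without the server key.
    return hmac.new(SERVER_KEY, fingerprint(request), hashlib.sha256).hexdigest()


def build_cookie(session_id, request):
    """Application_EndRequest equivalent: session ID followed by the hash key."""
    return session_id + generate_hash_key(request)


def validate_cookie(cookie_value, request):
    """Application_BeginRequest equivalent. Returns (ok, plain_session_id_or_reason)."""
    if cookie_value is None:
        return True, None                       # no session yet; nothing to validate
    if len(cookie_value) <= SESSION_ID_LEN:
        return False, "cookie too short: missing hash key"
    expected = generate_hash_key(request)
    if not hmac.compare_digest(expected, cookie_value[SESSION_ID_LEN:]):
        return False, "hash key mismatch: possible session hijack"
    return True, cookie_value[:SESSION_ID_LEN]  # plain ID handed on to session state


# Constructed sample requests and the sample session ID quoted in the article
ALICE = {"browser": "Firefox", "platform": "WinNT", "major": 3, "minor": 5, "user": "S-1-5-21-1"}
OTHER = {"browser": "Chrome", "platform": "Linux", "major": 12, "minor": 0, "user": "S-1-5-21-1"}
SESSION_ID = "bo4qhu45ihqco1ftmvprfe55"

if __name__ == "__main__":
    cookie = build_cookie(SESSION_ID, ALICE)
    print(validate_cookie(cookie, ALICE))       # same client: accepted, plain ID returned
    print(validate_cookie(cookie, OTHER))       # different client: rejected
    print(validate_cookie(SESSION_ID, ALICE))   # hash key stripped: rejected
```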
