up vote 4 down vote favorite
2

I have an ASP.NET 3.5 Web Site using the standard SQL Membership Provider.

The application has to pass the IBM Rational AppScan before we can push to production.

I am getting the error:
Severity: High
Test Type: Application
Vulnerable URL: http://mytestserver/myapp/login.aspx
Remediation Tasks: Do not accept externally created session identifiers

What can I do to fix this?

I am using SQL Membership Provider. Is this related? I am using the standard login controls too. I have the "Remember Me" turned off, and hidden.

Thanks.


I can't think of any reason why this would be inherently bad? Doesn't change the fact that they check for it, but I'm wondering why. – Thorarin Aug 24 '09 at 17:26

4 Answers

up vote 4 down vote accepted

This isn't a vulnerability (and I really don't like AppScan because of its false positives - the number of times I've had to explain CSRF cookies need not be linked to a session on my little open source project is getting annoying).

All that will happen in this case is the first time anything is stored in session state with a created session identifier a new session will be opened on the server, with nothing in it. If you're worried about session fixation then you can clear the cookie after authentication.

Session.Abandon();
Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", ""));

But with forms authentication the authentication details are not held in the session and so fixation is not a problem at all.

Frankly if you must pass security scans without anyone evaluating if the results are not false positives then that's a whole different problem.

Thanks. However, I tried this, but the IBM Rational AppScan reported the same security error. – Bobby Ortiz Sep 3 '09 at 13:29
It's not a vulnerability though and your explanation is wrong. You've written and accepted an incorrect answer. – blowdart Sep 3 '09 at 15:33
I agree with you, but just saying it is not enough. I do not like the AppScan tool either, but that is the world I live in. I waste a day or so on every project. Until they change policy I have to live with it. – Bobby Ortiz Sep 9 '09 at 13:23
Well, I tried this again, and I passed the scan. Thanks. – Bobby Ortiz Sep 29 '09 at 15:10
Wow, weird :) But glad it passed. – blowdart Sep 29 '09 at 18:23
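The accepted answer clears the ASP.NET_SessionId cookie so that the next request that touches session state gets a fresh id. The following code-behind, added here as an example and not code from the answer or the question's project, does the same job one step earlier: it abandons the old session and issues a new, server-generated id in the login response itself, so at no point after authentication does the application keep using an id the browser supplied. It assumes the standard <asp:Login> control is named Login1 with OnLoggedIn="Login1_LoggedIn"; the class name and the invariant check are also assumptions for this example. As the answer notes, forms authentication keeps the auth ticket outside the session, so this only matters for data the application itself stores in Session.

```csharp
using System;
using System.Web;
using System.Web.SessionState;

// Code-behind for login.aspx (class and control names are assumptions for this example).
public partial class LoginPage : System.Web.UI.Page
{
    // Fires once the membership provider has validated the credentials and the
    // forms-authentication ticket has been issued. Any session id the browser
    // presented before this point should no longer be trusted.
    protected void Login1_LoggedIn(object sender, EventArgs e)
    {
        string oldId = Session.SessionID;
        string newId = RegenerateSessionId(Context);

        // Cheap invariant: the id in use after login must not be the one that
        // arrived with the request.
        if (newId == oldId)
        {
            throw new InvalidOperationException("session id was not regenerated");
        }
    }

    // Discards the server-side state tied to the old id and hands the browser a
    // new, server-generated ASP.NET_SessionId in the same response. Compared with
    // setting the cookie to "" and waiting for the next request, this leaves no
    // request in which the externally supplied id is still the active one.
    public static string RegenerateSessionId(HttpContext context)
    {
        HttpSessionState session = context.Session;
        if (session != null)
        {
            session.Clear();    // drop anything written before authentication
            session.Abandon();  // old id's state is removed at the end of this request
        }

        SessionIDManager manager = new SessionIDManager();
        manager.Initialize();   // picks up <sessionState> settings (cookie name, cookieless mode)

        string newId = manager.CreateSessionID(context);
        bool redirected, cookieAdded;
        manager.SaveSessionID(context, newId, out redirected, out cookieAdded);

        // In cookie mode SaveSessionID sets the new cookie; in cookieless (URL) mode
        // it redirects and ends the response, so the code below does not run.
        if (!cookieAdded && !redirected)
        {
            throw new InvalidOperationException("new session id was not issued to the client");
        }
        return newId;
    }
}
```

Because the new id is issued in the same response that sets the forms-authentication cookie, a scanner that replays a pre-login session id will see the server answer with a different ASP.NET_SessionId rather than continuing to use the injected one. Keep the default HttpOnly setting on the session cookie; SaveSessionID honours the <sessionState> configuration when it writes it.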
up vote 2 down vote

You might need to change the default cookie settings to be unique to your app.

Try setting a unique cookie path:

<forms name="YourAppName"
       path="/FormsAuth" ... />

http://msdn.microsoft.com/en-us/library/ms998310.aspx#paght000012_additionalconsiderations

More reading... http://msdn.microsoft.com/en-us/library/ms998258.aspx

Sorry, I was already doing this. – Bobby Ortiz Sep 3 '09 at 13:40
up vote 0 down vote

Bobby, have you had any luck? I too am dealing with the same issue from AppScan. A coworker of mine passed by explicitly resetting the session id on each successful login, but I have had no such luck myself.

protected void Login1_LoggedIn(object sender, EventArgs e)
{
    // Drop the pre-login session and clear the session cookie so the next
    // request that touches session state gets a new, server-generated id.
    Session.Abandon();
    Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", ""));
}

The peculiar part is the AppScan request is redirecting to my error page (that I have specified in AppScan) but is still flagging me.

Thanks in advance, Mark

up vote 0 down vote

It would seem the RegenerateExpiredSessionId property is controlling this. Set it to true. Also keep the time-out at a low value, the tightest acceptable to users (e.g. 10 - 15 minutes).

Thanks. I tried this, but IBM Rational AppScan is hitting the site every few seconds. Lowering the value to 10 minutes does not help. – Bobby Ortiz Sep 3 '09 at 13:31
