Generating a new SessionID on Login (ASP.NET)

Georg Z. · Jul 9, 2013 · Viewed 16.3k times

I'm trying to work a number of security issues on a rather large ASP.NET web application (C#). To prevent session fixation attacks I'd like to generate a new session id every time a user authenticates himself. However I want to only generate a new session id without losing the rest of the session. After doing some research on this topic I found a couple of working solutions:

Solution 1: Generating new SessionId in ASP.NET
This suggests clearing the session cookie manually by setting it to an empty string. However this requires either a page refresh or using AJAX to ensure that the cookie will indeed be removed, which isn't really a viable option in my specific case.

Solution 2: Generating a new ASP.NET session in the current HTTPContext
I have implemented this approach and it works as expected. However as the original poster states, this is not really what you might call an elegant solution. Also, this post is a few years old which has me hoping that there might be a better solution out there nowadays.

What I would like to know is if there are any alternatives to do this that I have missed in my research or if something like Solution 2 is possible without manipulating session management internals.

Answer

klings · Jul 17, 2013

It's not that easy to achieve what you want due to how session management works by design in ASP.NET, re solution number 2. The solution (2) seems a bit risky considering that ASP.NET session state implementation details may change at some point.

I'd recommend a variant of solution 1, where you store the relevant data from the session to db/cache when the user authenticates, get a new session for the user and then populate that with the data you need. Since data is moving from an "unauthenticated" session to an "authenticated" session you should also take care to validate that data.

Clearing the session cookie manually can be a slippery slope, re Ramping up ASP.NET session security. You'll find a more robust solution in the NWebsec.SessionSecurity's authenticated session identifiers (Disclaimer: I'm the developer on that project).
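The "variant of solution 1" the answer recommends, written out as an added example for classic ASP.NET (System.Web); it is not code from the question, the answer or NWebsec. A whitelist of session values is parked server-side under a random one-time token, the session is abandoned and its cookie expired so the next request receives a fresh SessionID, and the values are restored into that new session. The class name LoginHandoff, the cookie name, the cache key prefix and the keys "CartId" and "Culture" are assumptions for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Web;
using System.Web.Caching;
using System.Web.Configuration;

public static class LoginHandoff
{
    // Whitelist of values allowed to cross the auth boundary; validate them on restore.
    private static readonly string[] KeysToCarry = { "CartId", "Culture" };
    private const string HandoffCookie = "LoginHandoff";
    private const string CacheKeyPrefix = "pending-login:";

    // Step 1, after credentials are verified: park data, abandon session, force a new cookie.
    public static void BeginNewSession(HttpContext ctx, string redirectUrl)
    {
        var carried = new Dictionary<string, object>();
        foreach (var key in KeysToCarry)
            if (ctx.Session[key] != null) carried[key] = ctx.Session[key];

        // 32 random bytes -> unguessable one-time handoff token, valid for one minute.
        var bytes = new byte[32];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(bytes);
        var token = Convert.ToBase64String(bytes);
        ctx.Cache.Insert(CacheKeyPrefix + token, carried, null,
            DateTime.UtcNow.AddMinutes(1), Cache.NoSlidingExpiration);

        ctx.Session.Abandon();
        // Expire the session cookie so ASP.NET issues a fresh SessionID on the next
        // request instead of reusing the (possibly attacker-supplied) old one.
        var cfg = (SessionStateSection)WebConfigurationManager.GetSection("system.web/sessionState");
        ctx.Response.Cookies.Add(new HttpCookie(cfg.CookieName, "") { Expires = DateTime.UtcNow.AddYears(-1) });
        ctx.Response.Cookies.Add(new HttpCookie(HandoffCookie, token) { HttpOnly = true, Secure = true });
        ctx.Response.Redirect(redirectUrl, true);
    }

    // Step 2, from Session_Start of the next request: restore the parked data once.
    public static void CompleteNewSession(HttpContext ctx)
    {
        var cookie = ctx.Request.Cookies[HandoffCookie];
        if (cookie == null) return;
        var cacheKey = CacheKeyPrefix + cookie.Value;
        var carried = ctx.Cache[cacheKey] as Dictionary<string, object>;
        ctx.Cache.Remove(cacheKey);                                   // one-time use
        ctx.Response.Cookies.Add(new HttpCookie(HandoffCookie, "") { Expires = DateTime.UtcNow.AddYears(-1) });
        if (carried == null) return;                                  // expired or replayed
        foreach (var kv in carried) ctx.Session[kv.Key] = kv.Value;
    }
}
```

Because the handoff token is consumed on first use and expires after a minute, a stale or replayed token simply yields an empty authenticated session rather than data from the pre-login one.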