ASP Session Cookies

By Paladion

February 28, 2007

Over the last few years of carrying out web application audits, we have observed in many ASP-based applications that the session cookie value does not change between the unauthenticated pages and the authenticated area of the application. Since the user session is associated with the session cookie, a malicious user who gets hold of the session cookie before the user authenticates can also access the authenticated area. Classic ASP does not provide any method to force a change of the cookie value. This article looks at some remedies.

Sessions

HTTP is a stateless protocol. This means an HTTP server responds to each client request without relating that request to previous or subsequent requests. RFC 2109 introduced a state management mechanism to HTTP.

This RFC introduced two headers: Cookie and Set-Cookie. The Set-Cookie header sets the session cookie and sends it to the client browser, marking the beginning of a session. From then on, each request from this browser carries a Cookie header, which indicates that the request is part of the current session.

Session management in ASP and concerns

ASP Sessions

When the first request comes from the client browser, it marks the beginning of a new session: a session object is created on the server and a session ID is assigned to it. This session ID is sent to the browser in an encrypted form as a session cookie. The browser stores this cookie in memory until the browser is closed. Each subsequent request from the browser sends this cookie as part of the header, and the server, on receiving the cookie, knows the corresponding session ID and hence the session object.

The session ID is a read-only value that uniquely identifies the current client to the Web server. In classic ASP, session IDs are assigned sequentially, i.e., session ID 981249305 is followed by session ID 981249306, and so on. The session cookie for session ID 981249305 would be stored on the client machine as the cookie

ASPSESSIONIDJHSDFEKK=KJSHFWEJNDFSERFWERKJNLKE

We have described how session state is maintained in HTTP in general and in ASP in particular. The point of concern that we have observed in many web applications is that the cookie value does not change between the unauthenticated pages and the authenticated area of the application. Since the user session is associated with the session cookie, a malicious user who gets hold of the session cookie before the user authenticates can also access the authenticated area. Classic ASP does not provide any method to force a change of the cookie value.
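The observation above can be turned into a repeatable audit check. The following is an added example, not code from the original article: it takes the Cookie header the browser sent before login and the Set-Cookie headers of the login response, and reports whether the ASPSESSIONID cookie was reissued. All header samples are constructed, and the function names are my own.

```javascript
// Added example, not from the original article: an audit check over captured
// headers that tells whether the ASP session cookie was reissued across login.
// All header samples here are constructed.

// Parse a "Cookie:" request header ("a=1; b=2") into {name: value}.
function parseCookieHeader(header) {
  var out = {};
  header.split(';').forEach(function (part) {
    var idx = part.indexOf('=');
    if (idx < 0) return;
    out[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  });
  return out;
}

// Take the name=value pair at the start of one "Set-Cookie:" response
// header, ignoring attributes such as path or expires.
function parseSetCookie(header) {
  var pair = header.split(';')[0];
  var idx = pair.indexOf('=');
  if (idx < 0) return { name: pair.trim(), value: '' };
  return { name: pair.slice(0, idx).trim(), value: pair.slice(idx + 1).trim() };
}

// Classic ASP names its session cookie ASPSESSIONID plus a per-process
// suffix, e.g. ASPSESSIONIDJHSDFEKK.
function isAspSessionCookie(name) {
  return /^ASPSESSIONID[A-Z]+$/i.test(name);
}

// Returns 'rotated', 'not-rotated' or 'no-session-cookie'.
function sessionRotationStatus(preLoginCookieHeader, loginSetCookieHeaders) {
  var pre = parseCookieHeader(preLoginCookieHeader);
  if (!Object.keys(pre).some(isAspSessionCookie)) return 'no-session-cookie';
  var reissued = loginSetCookieHeaders.map(parseSetCookie)
    .filter(function (c) { return isAspSessionCookie(c.name); });
  // The session is rotated only if the login response sets an ASPSESSIONID
  // cookie whose value differs from the one the browser held before login.
  var changed = reissued.some(function (c) {
    return c.value !== '' && pre[c.name] !== c.value;
  });
  return changed ? 'rotated' : 'not-rotated';
}

// Constructed captures: one login response sets no new session cookie,
// the other reissues it with a different value.
var PRE_LOGIN_COOKIE = 'ASPSESSIONIDJHSDFEKK=KJSHFWEJNDFSERFWERKJNLKE; lang=en';
var LOGIN_RESPONSE_FIXED = ['lang=en; path=/'];
var LOGIN_RESPONSE_ROTATED = ['ASPSESSIONIDJHSDFEKK=NEWVALUEAFTERLOGIN00000; path=/'];
```

A result of 'not-rotated' is the condition the article describes: the pre-login cookie value is still the authenticated one.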

Remedies

There are several ways to work around this problem even though the ASP platform itself provides no way to alter the session cookie value. These solutions can originate either on the client side or, in the form of a header directive, on the server side. They seek either to expire the session cookie or to annul its value, so that the session cookie value is changed on the next request.

Cookie expiration

This is a client side solution. When the login page is loaded, a JavaScript function can be called which sets the expires attribute of the current cookie to a date in the past. On the subsequent request the server sets the session cookie to a new value.

<script>
function session_cookie_change() {
    var s, a;
    // The first cookie is assumed to be the ASPSESSIONIDxxxx cookie;
    // keep only its name, followed by "=" so the browser updates that cookie
    s = document.cookie.split(/=/);
    a = s[0] + '=';
    var dtExpires = new Date();
    dtExpires.setFullYear(1970, 1, 1);
    // The expires parameter of the cookie is set to a past date,
    // so the browser discards the cookie
    a += '; expires=' + dtExpires.toGMTString();
    a += '; path=/';
    document.cookie = a;
}
</script>
<body onload='session_cookie_change()'>
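The script above assumes the session cookie is the first entry in document.cookie. As an added example that is not part of the original article, the same client-side remedy written to locate the ASPSESSIONID cookie by name wherever it sits; the function names are my own and the cookie strings in the test are constructed.

```javascript
// Added example, not the article's own script: builds the document.cookie
// assignment that expires the ASPSESSIONID cookie wherever it sits in
// document.cookie, instead of assuming it is the first cookie.

// Find the name of the classic ASP session cookie, or null if absent.
function findAspSessionCookieName(documentCookie) {
  var parts = documentCookie.split(';');
  for (var i = 0; i < parts.length; i++) {
    var name = parts[i].split('=')[0].trim();
    if (/^ASPSESSIONID/i.test(name)) return name;
  }
  return null;
}

// Return the string to assign to document.cookie, or null if there is no
// ASP session cookie to expire.
function buildExpiryCookie(documentCookie) {
  var name = findAspSessionCookieName(documentCookie);
  if (name === null) return null;
  // An expires date in the past makes the browser discard the cookie.
  // The "name=" form is required: without "=" the browser would create a
  // new, nameless cookie instead of touching the session cookie.
  var past = new Date(0).toUTCString(); // Thu, 01 Jan 1970 00:00:00 GMT
  return name + '=; expires=' + past + '; path=/';
}

// Browser entry point, to be called from the login page's onload handler.
function session_cookie_change_safe() {
  var c = buildExpiryCookie(document.cookie);
  if (c !== null) document.cookie = c;
}
```

Like the article's script, this only takes effect when the browser executes it; the server-side annulling remedy does not rely on the client.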

Annulling session cookie value

This is a server side solution. Usually, when a user submits login credentials, the request is sent to an intermediate page for authentication – authenticate.asp. We add one more stage of server processing that annuls the session cookie – annulsession.asp. The server can set the value of the ASPSESSIONID cookie to NULL using the meta tag and Set-Cookie directive.

<%
' Read the raw Cookie request header and take the name of its first
' cookie, which is assumed to be the ASPSESSIONIDxxxx cookie
ckie = Request.ServerVariables("HTTP_COOKIE")
ckiename = ""
If InStr(ckie, "=") > 0 Then
    ckiename = Mid(ckie, 1, InStr(ckie, "=") - 1)
End If
%>
<META HTTP-EQUIV="Set-Cookie" Content="<%=ckiename%>=NULL; path=/">

The last statement is the meta tag in which the session cookie value is set to NULL.

Now, when the request for the authenticate.asp page is sent to the server, the session cookie value is NULL and the request carries the user ID and password in its body. After authentication and the setting of session variables on the server, the server sends a redirect to the client and sets the session cookie to a new value in the browser. All subsequent requests to the authenticated part of the application use this new session cookie value.
