// adapted from https://stackoverflow.com/a/4420114/6121074
/// <summary>
/// prevent http session fixation attack by generating a new http session ID upon login
/// </summary>
/// <remarks>
/// https://www.owasp.org/index.php/Session_Fixation
/// </remarks>
/// <returns>new session ID</returns>
public static string RegenerateSessionId()
{
// create a new session id
var manager = new SessionIDManager();
var oldId = manager.GetSessionID(HttpContext.Current);
var newId = manager.CreateSessionID(HttpContext.Current);
manager.SaveSessionID(HttpContext.Current, newId, out bool redirected, out bool cookieAdded);
// retrieve the current session
var application = HttpContext.Current.ApplicationInstance;
var session = (SessionStateModule)application.Modules.Get("Session");
var fields = session.GetType().GetFields(BindingFlags.NonPublic | BindingFlags.Instance);
// parse the session fields
SessionStateStoreProviderBase store = null;
FieldInfo rqIdField = null, rqLockIdField = null, rqStateNotFoundField = null;
SessionStateStoreData rqItem = null;
foreach (var field in fields)
{
switch (field.Name)
{
case "_store":
store = (SessionStateStoreProviderBase)field.GetValue(session);
break;
case "_rqId":
rqIdField = field;
break;
case "_rqLockId":
rqLockIdField = field;
break;
case "_rqSessionStateNotFound":
rqStateNotFoundField = field;
break;
case "_rqItem":
rqItem = (SessionStateStoreData)field.GetValue(session);
break;
}
}
// remove the session from the store
var lockId = rqLockIdField.GetValue(session);
if (lockId != null && oldId != null)
{
store.RemoveItem(HttpContext.Current, oldId, lockId, rqItem);
}
// assign the new id to the session
// the session will be added back to the store, with the new id, on the next http request
rqStateNotFoundField.SetValue(session, true);
rqIdField.SetValue(session, newId);
return(newId);
}
protected void ReGenerateSessionId()
{
SessionIDManager manager = new SessionIDManager();
string oldId = manager.GetSessionID(System.Web.HttpContext.Current);
string newId = manager.CreateSessionID(System.Web.HttpContext.Current);
bool isAdd = false, isRedir = false;
manager.RemoveSessionID(System.Web.HttpContext.Current);
manager.SaveSessionID(System.Web.HttpContext.Current, newId, out isRedir, out isAdd);
//Store data from old session
HttpApplication ctx = System.Web.HttpContext.Current.ApplicationInstance;
HttpModuleCollection mods = ctx.Modules;
SessionStateModule ssm = (SessionStateModule)mods.Get("Session");
FieldInfo[] fields = ssm.GetType().GetFields(BindingFlags.NonPublic | BindingFlags.Instance);
SessionStateStoreProviderBase store = null;
FieldInfo rqIdField = null, rqLockIdField = null, rqStateNotFoundField = null;
SessionStateStoreData rqItem = null;
foreach (FieldInfo field in fields)
{
if (field.Name.Equals("_store"))
{
store = (SessionStateStoreProviderBase)field.GetValue(ssm);
}
if (field.Name.Equals("_rqId"))
{
rqIdField = field;
}
if (field.Name.Equals("_rqLockId"))
{
rqLockIdField = field;
}
if (field.Name.Equals("_rqSessionStateNotFound"))
{
rqStateNotFoundField = field;
}
if ((field.Name.Equals("_rqItem")))
{
rqItem = (SessionStateStoreData)field.GetValue(ssm);
}
}
object lockId = rqLockIdField.GetValue(ssm);
if ((lockId != null) && (oldId != null))
{
store.RemoveItem(System.Web.HttpContext.Current, oldId, lockId, rqItem);
}
rqStateNotFoundField.SetValue(ssm, true);
rqIdField.SetValue(ssm, newId);
}
public override void RemoveItem(HttpContext context, string id, object lockId, SessionStateStoreData item)
{
_store.RemoveItem(context, id, lockId, item);
}