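// adapted from https://stackoverflow.com/a/4420114/6121074
/// <summary>
/// Prevents an HTTP session-fixation attack by issuing a new session ID upon login.
/// The item is removed from the session store under the old ID and the state module is
/// told to write it back under the new ID on the next request.
/// </summary>
/// <remarks>
/// https://www.owasp.org/index.php/Session_Fixation
/// Relies on reflection over private <see cref="SessionStateModule"/> fields
/// (_store, _rqId, _rqLockId, _rqSessionStateNotFound, _rqItem). These are an
/// implementation detail of System.Web and may differ between framework versions, so
/// the method fails with an <see cref="InvalidOperationException"/> instead of a
/// <see cref="NullReferenceException"/> when they cannot be found.
/// </remarks>
/// <returns>The new session ID.</returns>
/// <exception cref="InvalidOperationException">
/// Thrown when there is no current <see cref="HttpContext"/>, the "Session" HTTP module is not
/// loaded, or one of the expected private fields is missing.
/// </exception>
public static string RegenerateSessionId()
{
    var context = HttpContext.Current;
    if (context == null)
    {
        throw new InvalidOperationException("RegenerateSessionId requires an active HttpContext.");
    }

    // Issue a fresh ID and write it to the response. The redirected/cookie-added flags are not
    // needed here (in cookieless mode SaveSessionID may redirect the response itself — verify
    // against the SessionIDManager documentation for the configured mode).
    var manager = new SessionIDManager();
    var oldId = manager.GetSessionID(context);
    var newId = manager.CreateSessionID(context);
    manager.SaveSessionID(context, newId, out _, out _);

    // Locate the session-state module handling this request.
    var session = context.ApplicationInstance?.Modules.Get("Session") as SessionStateModule;
    if (session == null)
    {
        throw new InvalidOperationException("The \"Session\" HTTP module is not loaded.");
    }

    // The module keeps its per-request state in private fields; pick out the ones we need.
    SessionStateStoreProviderBase store = null;
    FieldInfo rqIdField = null, rqLockIdField = null, rqStateNotFoundField = null;
    SessionStateStoreData rqItem = null;
    foreach (var field in session.GetType().GetFields(BindingFlags.NonPublic | BindingFlags.Instance))
    {
        switch (field.Name)
        {
            case "_store":
                store = (SessionStateStoreProviderBase)field.GetValue(session);
                break;
            case "_rqId":
                rqIdField = field;
                break;
            case "_rqLockId":
                rqLockIdField = field;
                break;
            case "_rqSessionStateNotFound":
                rqStateNotFoundField = field;
                break;
            case "_rqItem":
                rqItem = (SessionStateStoreData)field.GetValue(session);
                break;
        }
    }

    // Fail loudly if System.Web's internals no longer match what this method expects.
    if (store == null || rqIdField == null || rqLockIdField == null || rqStateNotFoundField == null)
    {
        throw new InvalidOperationException(
            "SessionStateModule does not expose the expected private fields; session ID regeneration is not supported on this framework version.");
    }

    // Remove the item under the old ID so the old ID no longer resolves to this session.
    // If no lock was taken on this request (lockId == null) the old entry is left in the store
    // and only disappears when it times out.
    var lockId = rqLockIdField.GetValue(session);
    if (lockId != null && oldId != null)
    {
        store.RemoveItem(context, oldId, lockId, rqItem);
    }

    // Mark the state as "not found" and swap in the new ID; the module re-adds the item to the
    // store under the new ID on the next HTTP request.
    rqStateNotFoundField.SetValue(session, true);
    rqIdField.SetValue(session, newId);
    return newId;
}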
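/// <summary>
/// Replaces the current session ID with a freshly generated one (session-fixation mitigation).
/// The old ID is removed from the request, the item is removed from the session store under
/// the old ID, and the state module is told to write it back under the new ID on the next request.
/// </summary>
/// <remarks>
/// Relies on reflection over private <see cref="SessionStateModule"/> fields
/// (_store, _rqId, _rqLockId, _rqSessionStateNotFound, _rqItem). These are an implementation
/// detail of System.Web and may differ between framework versions; the method throws
/// <see cref="InvalidOperationException"/> rather than a <see cref="NullReferenceException"/>
/// when they cannot be found.
/// </remarks>
/// <exception cref="InvalidOperationException">
/// Thrown when there is no current <see cref="System.Web.HttpContext"/>, the "Session" HTTP
/// module is not loaded, or one of the expected private fields is missing.
/// </exception>
protected void ReGenerateSessionId()
{
    System.Web.HttpContext context = System.Web.HttpContext.Current;
    if (context == null)
    {
        throw new InvalidOperationException("ReGenerateSessionId requires an active HttpContext.");
    }

    // Drop the old ID from the request, then issue and persist a new one. The redirect/cookie
    // flags are not used here (in cookieless mode SaveSessionID may redirect the response
    // itself — verify against the SessionIDManager documentation for the configured mode).
    SessionIDManager manager = new SessionIDManager();
    string oldId = manager.GetSessionID(context);
    string newId = manager.CreateSessionID(context);
    bool isRedir, isAdd;
    manager.RemoveSessionID(context);
    manager.SaveSessionID(context, newId, out isRedir, out isAdd);

    // Locate the session-state module handling this request.
    HttpApplication application = context.ApplicationInstance;
    SessionStateModule ssm = application == null
        ? null
        : application.Modules.Get("Session") as SessionStateModule;
    if (ssm == null)
    {
        throw new InvalidOperationException("The \"Session\" HTTP module is not loaded.");
    }

    // The module keeps its per-request state in private fields; pick out the ones we need.
    SessionStateStoreProviderBase store = null;
    FieldInfo rqIdField = null, rqLockIdField = null, rqStateNotFoundField = null;
    SessionStateStoreData rqItem = null;
    FieldInfo[] fields = ssm.GetType().GetFields(BindingFlags.NonPublic | BindingFlags.Instance);
    foreach (FieldInfo field in fields)
    {
        switch (field.Name)
        {
            case "_store":
                store = (SessionStateStoreProviderBase)field.GetValue(ssm);
                break;
            case "_rqId":
                rqIdField = field;
                break;
            case "_rqLockId":
                rqLockIdField = field;
                break;
            case "_rqSessionStateNotFound":
                rqStateNotFoundField = field;
                break;
            case "_rqItem":
                rqItem = (SessionStateStoreData)field.GetValue(ssm);
                break;
        }
    }

    // Fail loudly if System.Web's internals no longer match what this method expects.
    if (store == null || rqIdField == null || rqLockIdField == null || rqStateNotFoundField == null)
    {
        throw new InvalidOperationException(
            "SessionStateModule does not expose the expected private fields; session ID regeneration is not supported on this framework version.");
    }

    // Remove the item under the old ID so the old ID no longer resolves to this session.
    // If no lock was taken on this request (lockId == null) the old entry is left in the store
    // and only disappears when it times out.
    object lockId = rqLockIdField.GetValue(ssm);
    if (lockId != null && oldId != null)
    {
        store.RemoveItem(context, oldId, lockId, rqItem);
    }

    // Mark the state as "not found" and swap in the new ID; the module re-adds the item to the
    // store under the new ID on the next HTTP request.
    rqStateNotFoundField.SetValue(ssm, true);
    rqIdField.SetValue(ssm, newId);
}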
/// <summary>
/// Deletes the session item identified by <paramref name="id"/> by delegating to the wrapped store.
/// </summary>
/// <param name="context">The HTTP context of the current request.</param>
/// <param name="id">Session ID of the item to remove.</param>
/// <param name="lockId">Lock identifier for the current request, passed through to the wrapped store.</param>
/// <param name="item">The session item to remove, passed through to the wrapped store.</param>
public override void RemoveItem(HttpContext context, string id, object lockId, SessionStateStoreData item)
    => _store.RemoveItem(context, id, lockId, item);