Failure to abandon session
ID: cs/session-reuse
Kind: problem
Security severity: 8.8
Severity: error
Precision: high
Tags:
- security
- external/cwe/cwe-384
Query suites:
- csharp-code-scanning.qls
- csharp-security-extended.qls
- csharp-security-and-quality.qls
Reusing a session could allow an attacker to gain unauthorized access to another account. Always ensure that, when a user logs in or out, the current session is abandoned so that a new session may be started.
Recommendation
Always call HttpSessionState.Abandon() to ensure that the previous session is not used by the new user.
Example
The following example shows the previous session being used after authentication. This would allow a previous user to use the new user's account.
using System.Web;
using System.Web.Security;

public void Login(HttpContext ctx, string username, string password)
{
    if (FormsAuthentication.Authenticate(username, password))
    {
        // BAD: Reusing the previous session. The session that existed before
        // authentication is kept, so whoever held its id inherits the newly
        // authenticated user's state.
        ctx.Session["Mode"] = GetModeForUser(username);
    }
}
This code example solves the problem by not reusing the session, and instead calling Abandon() to ensure that the session is not reused.
using System.Web;
using System.Web.Security;

public void Login(HttpContext ctx, string username, string password)
{
    if (FormsAuthentication.Authenticate(username, password))
    {
        // GOOD: Abandon the session first. The pre-authentication session is
        // discarded at the end of this request, so per-user state belongs in
        // the new session that is started afterwards.
        ctx.Session.Abandon();
    }
}
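A fuller login and logout handler, added here as an illustration and not part of the CodeQL query documentation. It assumes Forms authentication and the default ASP.NET_SessionId cookie name, and shows the two details a practitioner usually needs beyond the snippet above: Abandon() only takes effect at the end of the request, and it does not by itself issue a new session id.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.SessionState;

public class LoginHandler
{
    // Added example, not the CodeQL query's own code. Assumes Forms authentication
    // and the default session cookie name "ASP.NET_SessionId".
    public void Login(HttpContext ctx, string username, string password)
    {
        if (!FormsAuthentication.Authenticate(username, password))
        {
            // A failed login leaves the anonymous session as it is.
            return;
        }

        // 1. Abandon the pre-authentication session. Abandon() takes effect at the
        //    end of the current request, so anything written to ctx.Session later
        //    in this request would land in the session that is about to be discarded.
        ctx.Session.Abandon();

        // 2. Abandon() alone does not rotate the identifier: ASP.NET keeps reusing the
        //    value in the ASP.NET_SessionId cookie. Issue a fresh id so that an id
        //    known before login is no longer associated with the authenticated user.
        var idManager = new SessionIDManager();
        string newSessionId = idManager.CreateSessionID(ctx);
        bool redirected, cookieAdded;
        idManager.SaveSessionID(ctx, newSessionId, out redirected, out cookieAdded);

        // 3. Issue the authentication ticket and redirect. Per-user state such as
        //    Session["Mode"] is populated on the next request, inside the new session.
        FormsAuthentication.SetAuthCookie(username, createPersistentCookie: false);
        ctx.Response.Redirect(FormsAuthentication.DefaultUrl, endResponse: true);
    }

    public void Logout(HttpContext ctx)
    {
        FormsAuthentication.SignOut();
        ctx.Session.Abandon();
        // Expire the session cookie so the browser does not present the old id again.
        ctx.Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", string.Empty)
        {
            Expires = DateTime.Now.AddDays(-1)
        });
    }
}
```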
References
MSDN: ASP.NET Session State Overview, HttpSessionState.Abandon Method.
Common Weakness Enumeration: CWE-384.